ShopBack Data Breach

Store Repgotyourback @ ShopBack AU on 25/09/2020 - 22:13
Last edited 25/04/2021 - 18:37 by 4 other users

13 Nov 2020 (Update)

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

We want to reassure you that we have further enhanced our security measures since September; taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with Crowdstrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

We have also rolled out a self deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves without the need to contact ShopBack. See this how to link to self delete your account. We can also continue to assist customers with deleting an account if this is their preference.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.

We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.

26 Sep 2020

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack

FAQs In This Post

How do I close my account?
See this 'How To' link.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request for a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed will not be able to be processed. You will not be able to cashout pending cashbacks after they become confirmed as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.

General Discussion

Related Stores

ShopBack AU
ShopBack AU
Third-Party

Comments

  • Ghosteye on 25/09/2020 - 22:12
    +7
    Merged from Shopback Data hack? Time to stop using?

    Just got this in the mail couple minutes ago.

    "We know the trust you place in us to safeguard your personal information which is why we’re reaching out. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

    As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

    To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

    You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

    We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQs on our website which has further details. "

    Looks like it might be time to switch back to cashrewards and set up new emails

    • [Deactivated] on 26/09/2020 - 00:12
      +49

      When you uninstall the Shopback button from Google Chrome remember to make it count:

      1. Go to the 'Customise and Control' menu (top RH side)
      2. 'More Tools' —> 'Extensions'
      3. Find 'Shopback Button - Cashback & Coupons' and click on REMOVE
      4. Tick 'Report Abuse' and click on REMOVE
      5. Select the radio button next to "Has other issues – please describe in comments"
      6. Write or paste something in the comments, and submit, to the effect of the following:

      "Confirmed data breach (25Sep20) of the company site resulting in the loss of customer data. Company has failed to protect the privacy and legal rights of users in contravention of clause 4.3 of the Google Chrome Web Store Developer Agreement"

      • playaz91 on 26/09/2020 - 08:05
        +1

        Done good call out OzDJ_

      • [Deactivated] on 26/09/2020 - 09:28
        +1

        Removed. Understand now based on what's been leaked.

        • [Deactivated] on 26/09/2020 - 09:42
          +40

          The last 20 years of my life have been in consumer affairs management, including privacy and identity protection. I care about this stuff.

          There is no room for complacency or apologising for sloppy data protection. You can cancel a credit card number, but you can't change your date of birth, nor easily change your name. I've seen the impact of ID theft and financial fraud is, in many ways, the least of our worries.

          That's what's driving it.

          • tdw on 26/09/2020 - 14:41

            @[Deactivated]: and in some states like WA, you can't even change your driver's licence number if you've been a victim of ID theft.

            • [Deactivated] on 26/09/2020 - 14:51
              +3

              @tdw: Great call-out.

              There have to be extraordinary circumstances to do so. NSW is a case in point, where the massive Service NSW data breach from March this year is currently being remediated. Unless you are in immediate or likely physical harm (eg a person in witness protection) as a result of the breach, you will get a licence reprint (ie new card number but same licence number) instead of a more expensive/complex licence reissue or (new card number and new licence number).

              The govt-issued details from your driver's licence or passport are GOLD for identify thieves. Think twice the next time you blindly hand over your licence as ID at a pub/club. Have a read of their privacy policy about where any images of that card are stored - by who - where - and for how long.

              • tdw on 26/09/2020 - 15:30

                @[Deactivated]: i don't go to pubs and clubs anyway (a lot of them are owned by dodgy people), but a while ago, i had a proof of age/photo card done for claiming birthday freebies and doing click & collect orders. and since i'm paranoid about losing or someone stealing my driver's licence, i leave that at home. yes, i've been pulled over many times and police never took an issue with me just handing over my proof of age card.

                but every now and then, i'll get some blowback by ignorant shop staff who claim to have never seen a proof of age card or somehow thinks it's not a legit photo ID. sometimes they'll go, "oh but we need to see your address." but i always have my PO box as the order's billing address so seeing my residential address wouldn't help them much anyway.

                someone here once advised to tape over the address section of your driver's licence for order pick-ups and stuff, and that's good advice, too.

              • GerrardLFC on 26/09/2020 - 18:19

                @[Deactivated]: We went to an RSL once for lunch and they asked for everyone drivers licence and scanned them at the door on a computer.

                • Orico on 27/09/2020 - 17:51

                  @GerrardLFC: I don't think that data is available online. Probably on a local server.

                  • Chandler on 29/09/2020 - 10:26
                    +3

                    @Orico:

                    I don't think that data is available online. Probably on a local server.

                    Is that local server connected to a network? Is that network connected to a device that IS connected to the internet? Then that local server is connected to the internet. It may not be easy/convenient to get to, but it can be got to. Go web search some of the stuff people have/can do to hack computers remotely, some of it is wild.

                    Once someone has your data, you have no way of knowing what they are doing / going to do with it.

                    • Bad data storage practices
                    • Bad backup storage practices
                    • Bad security (computer, network, physical, …) practices
                    • Changing privacy policies
                    • Company sales / acquisitions
                    • Data sale

                    Very little data is needed to identify you - if we can identify every 3-metre square on the planet with three words, how many words do we need to identify you? 33.

                    33 pieces of information is enough to identify every single person on the planet (at least until we're past 8.5 billion, then it's only 34 pieces until we get past 17 billion people). And realistically it can probably be done with less.

                    How many pieces are you giving away?

          • arcticmonkey on 29/09/2020 - 07:41

            @[Deactivated]: Can you please advise what to do about this situation: https://www.ozbargain.com.au/node/567275?page=2

            I haven't seen any acknowledgement of the issue by the business and people are saying their social posts are being deleted

            • [Deactivated] on 29/09/2020 - 14:53
              +1

              @arcticmonkey: Given that attempts to directly engage the entity appear to have been futile, if there are concerns about a breach I would encourage contact with the OAIC and let them get to the bottom of it.

      • whosyourbuddha on 26/09/2020 - 09:40

        Nothing in extentions. also my email address isnt on their system when i went to reset pw? i dont even think im with them. I did buy something other day so maybe thats what it was, i think telstra sim.

        • [Deactivated] on 26/09/2020 - 09:46

          Interesting. Did you receive a notification email from them?

          • whosyourbuddha on 26/09/2020 - 09:48
            +1

            @[Deactivated]: Yes and had my name right so its weird, I vaguely remember at checkout seeing shop back. But ive only brought 3 things 1. kogan 2. telstra sim. the last few weeks. So perhaps one of them uses shop back?, either way i hate to think i entered my details and they have it. Is it for shop back accounts only?, like you have to log into this company?.

            Dear Xxx right name. ,

            We know the trust you place in us to safeguard your personal information which is why we’re reaching out. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

            I put a temp block on card for now bank. I can unblock it once i think its safe.

            • [Deactivated] on 26/09/2020 - 09:59
              +1

              @whosyourbuddha: Ahh….so you might have used Shopback via a means other than a browser extension.

              Anyway - sounds like you're doing whatever you can to protect yourself. It's really easy to feel completely powerless when you're a victim of a data breach but taking practical steps to protect yourself and raise awareness/action with others is great.

              Stay vigilant. Good luck.

              • whosyourbuddha on 26/09/2020 - 11:01

                @[Deactivated]: Thanks i think i may have got lucky no spam as yet or funny things happening with other accounts , as it was a 3rd party purchase.

            • whosyourbuddha on 26/09/2020 - 09:59

              @whosyourbuddha: when i go to log into shop back.
              We couldn't find an account created with @gmail.com. Please check the email address, or sign up for an account.

    • wizzlesticks on 26/09/2020 - 16:58
      +1

      Recommend leaving a Google Play review as well. They are still highly rated on the Play Store, and there could be future victims who are unaware of the data breach.

  • hm on 25/09/2020 - 22:15
    +13

    WTF

    • [Deactivated] on 25/09/2020 - 23:32
      +3

      Help get the word out.

      Companies LOVE IT when you leave a review.

      Just brace yourself for some patronising copy-past response from their Malaysia-based customer service team leader Mod: Removed Personal Information

      • shaun-o on 25/09/2020 - 23:34
        +2

        Leave them a nice review…

        ShopBack Australia
        Level 14/5 Martin Pl, Sydney NSW 2000
        https://maps.app.goo.gl/B38ABqBtzHeZT1Vg6

        • [Deactivated] on 25/09/2020 - 23:42

          Onto it. Anywhere else that springs to mind?

        • [Deactivated] on 06/10/2020 - 10:32
          +6

          A dormant user on Trustpilot recently sprung back to life to defend Shopback with a 5-star review. Reverse image search leads to this chap based in Melbourne.

          While looking at his profile, LinkedIn suggests I might also know (mod: removed personal info). Google that name and find a Google Maps 5-star review from "(mod: removed personal info)" less than a week ago. Oh dear, that person is from Shopback. Needless to say, that Google Maps review has been flagged for conflict of interest.

          • shaun-o on 06/10/2020 - 10:43
            +1

            @[Deactivated]: Nice work. Did you report them on ProductReview?

            • [Deactivated] on 06/10/2020 - 10:46
              +1

              @shaun-o: Oh wow…Mr Fang also 5-Starred them there, too?! :-o

              No - I haven't reported the review there, yet.

      • [Deactivated] on 26/09/2020 - 01:45
        +1

        I wonder if their cyber security team was offshored too

        • conan2000 on 26/09/2020 - 09:28
          +12

          You reckon they had a cyber security team?! I doubt it somehow,

          • conan2000 on 27/09/2020 - 16:53
            +5

            @conan2000: To reply to myself, LinkedIn would suggest they don't as I couldn't find an employee with the word security in their job title, pretty poor given they have more than 400 employees and everything they do is online!

            • Telios on 01/10/2020 - 13:24

              @conan2000: 400 marketing and sales (profanity) probably.

  • nadan on 25/09/2020 - 22:15
    +4

    Damn, expect a lot of spam and scam calls.

  • nubzy on 25/09/2020 - 22:18
    +8

    Today I got a SMS from a credit check company containing an activation code, and just before this Shopback email a spam/scam email from 'OfferConnector' which contained my surname for a Woolworths gift card. Not happy about it, and expect there will be more to come..

    • SnoozeAndLose on 26/09/2020 - 15:53

      Same , it was Wednesday. it is the same for you?

  • Scalding Coffee Cup on 25/09/2020 - 22:19
    +13

    No wonder I've been getting so many spam emails.

    • blorx on 30/09/2020 - 14:27
      +1

      Not sure if related but yes, lately (last week) more phone, txt and email spam/scam.

      • RocketSwitch on 01/10/2020 - 08:48

        Damn, me too :(

      • NiteMice on 07/10/2020 - 22:56

        I've definitely been getting a lot more phone call/sms spam in the last few weeks since this breach.
        I saw the email, changed my pw, and forgot about it. But reading about it again now, I'm almost totally sure this is the origin of all that spam.

  • Bunnyburger on 25/09/2020 - 22:21
    +15

    I tried changing my password but I haven't gotten my password reset email yet. And yes I've checked my spam folder.

    A little bit of transparency would go a long way to regain the trust of customers, specifics about what happened would be helpful.

    • Store Repgotyourback @ ShopBack AU on 25/09/2020 - 22:31
      -27

      Please give it a little more time and if it still hasn't come through, you can reach out to [email protected] for assistance.

      You may also refer to our FAQs for more information
      https://support.shopback.com.au/hc/en-us/articles/3600541412…

      • taoz on 26/09/2020 - 00:31
        +2

        likewise
        whats going on!!
        been hours and still nothing in my email anywhere

      • PopCounty on 26/09/2020 - 00:34

        When I went to withdraw money, can’t verify my email as there’s no verification email sent whatsoever. Damn SB.

    • FrugalNotStingy on 25/09/2020 - 23:02
      +1

      Yup, same. Not sure what’s going on.
      Edit - Successfully changed my password from account settings. Will not touch this SB account ever again anyway.

    • bdl on 25/09/2020 - 23:21

      I was able to change my password just now by logging into the site and clicking person/amount (in top right) -> "cashback overview" -> "update password". Was able to do so without needing to reset password.

  • alo1234 on 25/09/2020 - 22:23
    +11

    Have this been reported to ACSC or other authority?

  • Clear on 25/09/2020 - 22:23
    +3

    Has the breach been reported to OAIC?

    • Store Repgotyourback @ ShopBack AU on 25/09/2020 - 22:35

      Yes we have.

      • cheaponos on 25/09/2020 - 22:38
        +44

        Username doesn’t check out.

  • jasongi on 25/09/2020 - 22:24
    +16

    your ShopBack account password is protected by encryption.

    Can you confirm whether passwords are stored as one-way salted hashes, or as just encrypted? The former is how you are supposed to store passwords, the latter is awful practice that exposes all passwords if a key is comprised (which is likely if there is an intrusion).

    • nexus4 on 25/09/2020 - 22:27
      +25

      I don't know what you just said, but "one-way salted hashes" sound delicious.

    • Store Repgotyourback @ ShopBack AU on 25/09/2020 - 22:39
      +5

      Yes user passwords are encrypted by hashing with a salt.

        • StingyJoe on 26/09/2020 - 03:46
          +67

          Not knowing what the hash schema used to hash the passwords was adds significant complexity to the password cracking operation. Not disclosing this information is in your best interest.

          • machej on 26/09/2020 - 04:20
            -6

            @StingyJoe: Security by obscurity is not security. Often you can tell if Bcrypt is being used due to the $ that is appended. With other hashing algos you often know as well as they are so damn weak.

          • machej on 27/09/2020 - 19:39
            +5

            @StingyJoe: I'm surprised I got neg'd here. It is very commonly known in the infosec world that obscurity is not security and it would be ideal to know whether the password storage hashing is adequate. Refer to well known people in the infosec world like Scott Helme. https://twitter.com/Scott_Helme/status/1016224286649053184

            • StingyJoe on 28/09/2020 - 22:58
              +3

              @machej: Hi @machej.

              Bad luck with the negs, I agree with you, security through obscurity is not real security. That being said, there is no denying that obscurity makes the cracking process much harder and every minute gained gives more people a chance to respond to a breach. Without access to the source code of a program that created the hashes, it can be a VERY time consuming operation to find the right hash combination if anything other than a easy to identify hash schema was used.

              Consider for example the following hash: 0000000B84FF762C88DG6E16F324269EFCA186FA

              If given to a classic cracker such as John the Ripper to crack without specifying a type, you'll get the following response:
              Warning: detected hash type "raw-sha1", but the string is also recognised as "raw-sha1-linkedin"
              Warning: detected hash type "raw-sha1", but the string is also recognised as "raw-sha"
              Warning: detected hash type "raw-sha1", but the string is also recognised as "raw-sha1-ng"

              John will attempt to crack the password as "raw-sha1" but it could be wrong and you'll have to start over on a new hash type again.

              The same hash into hashcat-plus, complains about the hash length and prompts you to specify a hash type. You can specify SHA1 based on your gut feel but there are numerous permutations available that could mean a endless amount of time wasted if you choose wrong. E.g. Hashcat gives the following options for SHA1

              100 = SHA1
              110 = sha1($pass.$salt)
              120 = sha1($salt.$pass)
              130 = sha1(unicode($pass).$salt)
              140 = sha1($salt.unicode($pass))

              There is a real community contributing to solutions for this problem but in the end, knowledge of the application creating the hash is still invaluable to speed up the cracking process. Example projects:
              https://code.google.com/archive/p/hash-identifier/
              https://www.onlinehashcrack.com/hash-identification.php

              • machej on 29/09/2020 - 00:23

                @StingyJoe: Often there is an indication of what hashes are being used. Of course dependent on what systems were breached and how savvy the hackers were. If you take the hash out of the context I totally agree it could help slightly speed things up by disclosing it but I'd like to hope Shopback didn't ignore basic security protocols and used the latest PHP, kept dependencies up to date and therefore you'd expect some level of competency from the hacker.

                Upon a quick check, Shopback does seem to allow very weak passwords so even in your example of 3 potential hash opportunities to select from it seems plausible that a result would be found within a week for a weak password. (eg. Shopback123) Keep in mind salting doesn't mean it takes much longer to find an individual password, merely makes it harder to use a rainbow table. Therefore you could use a bit of logic to try and pinpoint weaker passwords to work out the hashing algo. I won't go into the ins and outs of how but it's publicly available.

        • errorius on 26/09/2020 - 16:19
          +16

          Nice try Mr. Hacker! You're not getting my $0.55 sitting in the account…

      • NimitzHarrington on 26/09/2020 - 02:34
        +8

        Encrypted is different to Hashed. Hashes can't be recovered if the hashing algorithm is a modern one that hasn't been compromised yet and a salt is applied. Asking us to email "[email protected]" for these details are not good enough, and the FAQ page includes nothing about which "leading cyber security specialists" have been engaged.

      • whichwhatwho on 26/09/2020 - 15:44
        +4

        Regardless of how your details are stored, not forcing a password change on all accounts as a precautionary measure is amateur hour stuff.

  • skido on 25/09/2020 - 22:26
    +2

    big YIKES

  • hutchjnr on 25/09/2020 - 22:26
    +10

    This is fu*ked!
    They mention they were made aware of this breach on the 17th September, so it occurred some time before then.

    I joined up after the 17th, just a couple of days ago. Now, shouldn't this have been brought to my attention at some point in the signing up procedure?! Surely they are obligated to do so?

    Not happy.

    • Store Repgotyourback @ ShopBack AU on 26/09/2020 - 10:44
      -2

      Immediately after we became aware of the issue, we took necessary steps to address the incident, and to secure our customers’ accounts and system. This had to be our first priority.

      • mahdoo on 27/09/2020 - 22:33
        +4

        That's why you immediately forced a password reset on all accounts, right?

        • plague69 on 27/09/2020 - 23:05
          +5

          All at least Shopback didn't save app passwords as plain text like Gearbest… I'm still getting reports of people trying to log in as me -_-

          • capslock janitor on 28/09/2020 - 13:45

            @plague69: :OO link

          • frewer on 29/09/2020 - 09:34

            @plague69: LOL for real ? That is hilarious hahaha, thanks for the laughter

          • Telios on 01/10/2020 - 14:41

            @plague69: Thankfully I had so little trust in GearBest I used an email generator and a random password.

            Some of those sites feel like they're just waiting to hit a critical mass of users before they have a "breach".

      • hutchjnr on 06/10/2020 - 18:43

        That might have been your first priority, but having something in place preventing pseople from signing up during this period or at the very least had a pop-up message advising of the security/data breach.
        That would take no time at all and should have also been an IMPORTANT priority.

        Not even an apology for the stress and uneasiness this has caused…. Just more excuses.

        Not to mention the generic copy and paste email response I got too. Seems to be a real theme appearing here with this company. 😏🤥

  • [Deactivated] on 25/09/2020 - 22:26
    +49

    Dear Shopback

    1. Email snuck-out at 10.00pm AEST on a Friday night? slow clap
    2. Screw you.
    3. Name, date of birth, bank BSB and acct number….and no offer of paid access to an ID theft monitoring service?
    4. "…we do not collect credit card details…" That is the bank's money at risk you bunch of Muppets.

    (Feedback directed to the company and not intended as a personal attack)

    • machej on 25/09/2020 - 22:40
      +2

      Also suggesting you may change your password. It should be forced when signing in.

      • [Deactivated] on 25/09/2020 - 22:42

        Yep. Now - for your next mission….try to cancel your account with them.

        • [Deactivated] on 25/09/2020 - 22:53
          +5

          Sigh

          I am no longer interested. How do I deactivate my ShopBack account?
          Oh no! We are sorry to see you go.

          Please be advised that once the account has been deactivated, you will no longer be able to use the same email address and phone number to create any new accounts under ShopBack.

          If you would still like to proceed, do reach out to our friendly live chat agents here and we will help be more than happy to help you. We are available from Mon to Fri, 10.30AM - 8.30PM AEST, excluding Public Holidays.

    • bazingaa on 25/09/2020 - 23:01
      +1

      did you fill those Gender, Date Of Birth, Address Line, Postal code ? I have only added full name, email address, password, phone number, paypal details

      • shaun-o on 25/09/2020 - 23:37
        +3

        I can't remember what details I had to give them when I opened an account. Under account information it's only showing name, email & mobile, the rest are blank. I haven't cashed out yet.

        • bazingaa on 25/09/2020 - 23:47
          +1

          better to cashout now.

        • Godric on 26/09/2020 - 00:00
          +4

          You still don't have to provide all details to cash out.

          I've cashed out and only provided FN (not even my real one), Mob#, Ofc Email & Bank Account.

          No LN, Gender, DOB or address.

          • Zachary on 27/09/2020 - 22:37

            @Godric: Yeah, but that'll be after the fact which all over now so you should be safe now entering your details to withdraw all your cash…..however low it is….

      • cloudie9 on 25/09/2020 - 23:41
        +9

        Luckily I didn't put in my gender, dob, address. Just changed my password for now. But still, major fk up from Shopback.

      • tdw on 26/09/2020 - 01:49
        +1

        i've never added my full name or anything but email, mobile number and bank details.

        but that's way too much data already.

        • Zachary on 27/09/2020 - 22:38

          What are they gonna do with your bank details? Deposit money in it? I guess they could spam you with your email and mobile….

          • Russ on 28/09/2020 - 02:20

            @Zachary: You'd be making the same mistake that Jeremy Clarkson did:
            https://www.theguardian.com/money/2008/jan/07/personalfinanc…

            Although that happened more than a decade ago, knowing how stupid some Australian banks are, they probably STILL haven't upgraded their security to prevent things like this from happening.

            • Zachary on 10/12/2020 - 16:11

              @Russ: what if you only have a savings account only that you can only receive money but not send?

              • Russ on 11/12/2020 - 13:03

                @Zachary: You'll probably find the bank will send the money, and then hit you with a fee for using a "disallowed" transaction type.

                You really have to know someone working in a bank, to know just how stupid they are. If a particular type of fraud isn't costing them millions of dollars a month, they don't bother investigating it.

                Maybe there are some smart banks, if so I'd like to know of them. The regular news articles about how banks did something wrong, makes me think they don't exist.

                • Zachary on 11/12/2020 - 17:05

                  @Russ: IF you signed up to a bank for a savings only account and you tried to pay using that account, it should be blocked and it won't let you….an the other guy who got your bank details to pay for some subscription service won't work either because it'll be denied….

                  • Russ on 12/12/2020 - 03:24

                    @Zachary:

                    it should be blocked

                    If the banks actually pulled their fingers out, took security seriously, and came into the 21st century, the transaction should be blocked. But just because the bank documentation says direct debits are not allowed for that type of account, doesn't mean it will happen that way.

                    If the banks did everything right, we wouldn't need a banking ombudsman to correct their mistakes. And the banking ombudsman service (or whatever new name it goes by now) is well and truly overloaded with work, it took ~6 weeks for the ombudsman and the bank to correct a simple error for me, earlier this year.

                    • Zachary on 02/01/2021 - 13:42

                      @Russ: So what about those companies who openly advertises their bank details publicly so we can pay them?

                      I signed up for a NAB savings account that doesn't allow withdrawals from there unless its towards your personal account or you're at a teller specifying withdrawal specifically from that one account. Wanna test it out - it's got $0 anyway so the only way for money to be withdrawn is if it goes to negative? …which shouldn't happen since I dont have overdrawn enabled on any of my accounts….

                      • Russ on 11/01/2021 - 15:33

                        @Zachary:

                        Wanna test it out

                        Wow, thanks, an invitation for me to commit wire fraud, a crime with rather steep penalties. No thanks.

                        • Zachary on 06/02/2021 - 16:57

                          @Russ: How else am I gonna find out if they're false advertising or lying to me without a test and you seem adamant about it too….so I figured a test or a few is the only way to find out….

    • conan2000 on 26/09/2020 - 09:33
      +2

      I had a quick look, I have never input my DOB/address etc, not sure why I would/why they would need the info anyway? Bank Account and BSB, name and email were all they had.

      Looks like I used Facebook login as well, didn't actually have a password to change.

  • nosrad on 25/09/2020 - 22:28
    +27

    Shopback has our name, email, mobile number, and bank account details stored. I am genuinely worried.

    • [Deactivated] on 25/09/2020 - 22:33
      +9

      You have cause to be concerned. Take action.

      Tip: Notify your bank ASAP that you have been the victim of a hack and ask that an interaction be recorded on their CRM along the lines of "Additional/enhanced ID&V. Victim of third party data breach",

      • SgtBatten on 28/09/2020 - 08:02

        It looks like I never gave them bank or paypal details, signed up but have not even got any click history.

      • machej on 25/09/2020 - 22:54
        -1

        I got your back and +1'd.

Login or Join to leave a comment
Login Join