ShopBack Data Breach

13 Nov 2020 (Update)

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

We want to reassure you that we have further enhanced our security measures since September, taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with Crowdstrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

We have also rolled out a self-deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves, without the need to contact ShopBack. See this 'How To' link to self-delete your account. We can also continue to assist customers with deleting an account if this is their preference.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.

We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.


26 Sep 2020

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack


FAQs In This Post

How do I close my account?
See this 'How To' link.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed will not be able to be processed. You will not be able to cash out pending cashbacks after they become confirmed, as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.


Comments

  • +7 votes
    Merged from Shopback Data hack? Time to stop using?

    Just got this in the mail couple minutes ago.

    "We know the trust you place in us to safeguard your personal information which is why we’re reaching out. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

    As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

    To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

    You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

    We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQs on our website which has further details. "

    Looks like it might be time to switch back to cashrewards and set up new emails

    • +49 votes

      When you uninstall the Shopback button from Google Chrome remember to make it count:

      1. Go to the 'Customise and Control' menu (top RH side)
      2. 'More Tools' —> 'Extensions'
      3. Find 'Shopback Button - Cashback & Coupons' and click on REMOVE
      4. Tick 'Report Abuse' and click on REMOVE
      5. Select the radio button next to "Has other issues – please describe in comments"
      6. Write or paste something in the comments, and submit, to the effect of the following:

      "Confirmed data breach (25Sep20) of the company site resulting in the loss of customer data. Company has failed to protect the privacy and legal rights of users in contravention of clause 4.3 of the Google Chrome Web Store Developer Agreement"

      • +1 vote

        Done, good call out OzDJ_.

      • +1 vote

        Removed. Understand now based on what's been leaked.

        • +40 votes

          The last 20 years of my life have been in consumer affairs management, including privacy and identity protection. I care about this stuff.

          There is no room for complacency or apologising for sloppy data protection. You can cancel a credit card number, but you can't change your date of birth, nor easily change your name. I've seen the impact of ID theft, and financial fraud is, in many ways, the least of our worries.

          That's what's driving it.

          •  

            @OzDJ_: and in some states like WA, you can't even change your driver's licence number if you've been a victim of ID theft.

            • +3 votes

              @tdw: Great call-out.

              There have to be extraordinary circumstances to do so. NSW is a case in point, where the massive Service NSW data breach from March this year is currently being remediated. Unless you are in immediate or likely physical harm (eg a person in witness protection) as a result of the breach, you will get a licence reprint (ie new card number but same licence number) instead of a more expensive/complex licence reissue (ie new card number and new licence number).

              The govt-issued details from your driver's licence or passport are GOLD for identity thieves. Think twice the next time you blindly hand over your licence as ID at a pub/club. Have a read of their privacy policy about where any images of that card are stored - by whom - where - and for how long.

              •  

                @OzDJ_: I don't go to pubs and clubs anyway (a lot of them are owned by dodgy people), but a while ago, I had a proof of age/photo card done for claiming birthday freebies and doing click & collect orders. And since I'm paranoid about losing or someone stealing my driver's licence, I leave that at home. Yes, I've been pulled over many times and police never took an issue with me just handing over my proof of age card.

                But every now and then, I'll get some blowback by ignorant shop staff who claim to have never seen a proof of age card or somehow think it's not a legit photo ID. Sometimes they'll go, "oh but we need to see your address." But I always have my PO box as the order's billing address, so seeing my residential address wouldn't help them much anyway.

                Someone here once advised to tape over the address section of your driver's licence for order pick-ups and stuff, and that's good advice, too.

              •  

                @OzDJ_: We went to an RSL once for lunch and they asked for everyone's driver's licence and scanned them at the door on a computer.

                •  

                  @GerrardLFC: I don't think that data is available online. Probably on a local server.

                  • +3 votes

                    @Orico:

                    I don't think that data is available online. Probably on a local server.

                    Is that local server connected to a network? Is that network connected to a device that IS connected to the internet? Then that local server is connected to the internet. It may not be easy/convenient to get to, but it can be got to. Go web search some of the stuff people have/can do to hack computers remotely, some of it is wild.

                    Once someone has your data, you have no way of knowing what they are doing / going to do with it.

                    • Bad data storage practices
                    • Bad backup storage practices
                    • Bad security (computer, network, physical, …) practices
                    • Changing privacy policies
                    • Company sales / acquisitions
                    • Data sale

                    Very little data is needed to identify you - if we can identify every 3-metre square on the planet with three words, how many words do we need to identify you? 33.

                    33 pieces of information is enough to identify every single person on the planet (at least until we're past 8.5 billion, then it's only 34 pieces until we get past 17 billion people). And realistically it can probably be done with less.

                    How many pieces are you giving away?

          •  

            @OzDJ_: Can you please advise what to do about this situation: https://www.ozbargain.com.au/node/567275?page=2

            I haven't seen any acknowledgement of the issue by the business and people are saying their social posts are being deleted

            • +1 vote

              @arcticmonkey: Given that attempts to directly engage the entity appear to have been futile, if there are concerns about a breach I would encourage contact with the OAIC and let them get to the bottom of it.

      •  

        Nothing in extensions. Also my email address isn't on their system when I went to reset pw? I don't even think I'm with them. I did buy something the other day so maybe that's what it was, I think a Telstra SIM.

        •  

          Interesting. Did you receive a notification email from them?

          • +1 vote

            @OzDJ_: Yes, and it had my name right so it's weird. I vaguely remember at checkout seeing ShopBack. But I've only bought 3 things, 1. Kogan, 2. Telstra SIM, in the last few weeks. So perhaps one of them uses ShopBack? Either way I hate to think I entered my details and they have it. Is it for ShopBack accounts only, like you have to log into this company?

            Dear Xxx (right name),

            We know the trust you place in us to safeguard your personal information which is why we’re reaching out. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

            I put a temp block on my card with the bank for now. I can unblock it once I think it's safe.

            • +1 vote

              @whosyourbuddha: Ahh….so you might have used Shopback via a means other than a browser extension.

              Anyway - sounds like you're doing whatever you can to protect yourself. It's really easy to feel completely powerless when you're a victim of a data breach but taking practical steps to protect yourself and raise awareness/action with others is great.

              Stay vigilant. Good luck.

              •  

                @OzDJ_: Thanks, I think I may have got lucky, no spam as yet or funny things happening with other accounts, as it was a 3rd party purchase.

            •  

              @whosyourbuddha: When I go to log into ShopBack:
              We couldn't find an account created with @gmail.com. Please check the email address, or sign up for an account.

    • +1 vote

      Recommend leaving a Google Play review as well. They are still highly rated on the Play Store, and there could be future victims who are unaware of the data breach.

  • +13 votes

    WTF

    • +3 votes

      Help get the word out.

      Companies LOVE IT when you leave a review.

      Just brace yourself for some patronising copy-paste response from their Malaysia-based customer service team leader Mod: Removed Personal Information

      • +2 votes

        Leave them a nice review…

        ShopBack Australia
        Level 14/5 Martin Pl, Sydney NSW 2000
        https://maps.app.goo.gl/B38ABqBtzHeZT1Vg6

      • +1 vote

        I wonder if their cyber security team was offshored too

        • +12 votes

          You reckon they had a cyber security team?! I doubt it somehow.

          • +5 votes

            @conan2000: To reply to myself, LinkedIn would suggest they don't as I couldn't find an employee with the word security in their job title, pretty poor given they have more than 400 employees and everything they do is online!

            •  

              @conan2000: 400 marketing and sales (profanity) probably.

  • +4 votes

    Damn, expect a lot of spam and scam calls.

  • +8 votes

    Today I got an SMS from a credit check company containing an activation code, and just before this Shopback email a spam/scam email from 'OfferConnector' which contained my surname for a Woolworths gift card. Not happy about it, and expect there will be more to come.

    •  

      Same, it was Wednesday. Is it the same for you?

  • +13 votes

    No wonder I've been getting so many spam emails.

    • +1 vote

      Not sure if related but yes, lately (last week) more phone, txt and email spam/scam.

      •  

        Damn, me too :(

      •  

        I've definitely been getting a lot more phone call/sms spam in the last few weeks since this breach.
        I saw the email, changed my pw, and forgot about it. But reading about it again now, I'm almost totally sure this is the origin of all that spam.

  • +15 votes

    I tried changing my password but I haven't gotten my password reset email yet. And yes I've checked my spam folder.

    A little bit of transparency would go a long way to regain the trust of customers, specifics about what happened would be helpful.

    • -27 votes

      Please give it a little more time and if it still hasn't come through, you can reach out to [email protected] for assistance.

      You may also refer to our FAQs for more information
      https://support.shopback.com.au/hc/en-us/articles/3600541412...

    • +1 vote

      Yup, same. Not sure what’s going on.
      Edit - Successfully changed my password from account settings. Will not touch this SB account ever again anyway.

    •  

      I was able to change my password just now by logging into the site and clicking person/amount (in top right) -> "cashback overview" -> "update password". Was able to do so without needing to reset password.

  • +11 votes

    Has this been reported to ACSC or other authority?

  • +3 votes

    Has the breach been reported to OAIC?

    •  

      Yes we have.

      • +44 votes

        Username doesn’t check out.

  • +16 votes

    your ShopBack account password is protected by encryption.

    Can you confirm whether passwords are stored as one-way salted hashes, or as just encrypted? The former is how you are supposed to store passwords, the latter is awful practice that exposes all passwords if a key is compromised (which is likely if there is an intrusion).

    • +25 votes

      I don't know what you just said, but "one-way salted hashes" sound delicious.

    • +5 votes

      Yes user passwords are encrypted by hashing with a salt.

      • -13 votes

        That's not enough information. Is it PBKDF2, Bcrypt etc

        • +67 votes

          Not knowing what the hash schema used to hash the passwords was adds significant complexity to the password cracking operation. Not disclosing this information is in your best interest.

          • -6 votes

            @StingyJoe: Security by obscurity is not security. Often you can tell if Bcrypt is being used due to the $ that is appended. With other hashing algos you often know as well as they are so damn weak.

          • +5 votes

            @StingyJoe: I'm surprised I got neg'd here. It is very commonly known in the infosec world that obscurity is not security and it would be ideal to know whether the password storage hashing is adequate. Refer to well known people in the infosec world like Scott Helme. https://twitter.com/Scott_Helme/status/1016224286649053184

            • +3 votes

              @machej: Hi @machej.

              Bad luck with the negs, I agree with you, security through obscurity is not real security. That being said, there is no denying that obscurity makes the cracking process much harder and every minute gained gives more people a chance to respond to a breach. Without access to the source code of a program that created the hashes, it can be a VERY time consuming operation to find the right hash combination if anything other than an easy-to-identify hash schema was used.

              Consider for example the following hash: 0000000B84FF762C88DG6E16F324269EFCA186FA

              If given to a classic cracker such as John the Ripper to crack without specifying a type, you'll get the following response:
              Warning: detected hash type "raw-sha1", but the string is also recognised as "raw-sha1-linkedin"
              Warning: detected hash type "raw-sha1", but the string is also recognised as "raw-sha"
              Warning: detected hash type "raw-sha1", but the string is also recognised as "raw-sha1-ng"

              John will attempt to crack the password as "raw-sha1" but it could be wrong and you'll have to start over on a new hash type again.

              The same hash into hashcat-plus complains about the hash length and prompts you to specify a hash type. You can specify SHA1 based on your gut feel but there are numerous permutations available that could mean an endless amount of time wasted if you choose wrong. E.g. Hashcat gives the following options for SHA1

              100 = SHA1
              110 = sha1($pass.$salt)
              120 = sha1($salt.$pass)
              130 = sha1(unicode($pass).$salt)
              140 = sha1($salt.unicode($pass))

              There is a real community contributing to solutions for this problem but in the end, knowledge of the application creating the hash is still invaluable to speed up the cracking process. Example projects:
              https://code.google.com/archive/p/hash-identifier/
              https://www.onlinehashcrack.com/hash-identification.php

              •  

                @StingyJoe: Often there is an indication of what hashes are being used. Of course dependent on what systems were breached and how savvy the hackers were. If you take the hash out of the context I totally agree it could help slightly speed things up by disclosing it but I'd like to hope Shopback didn't ignore basic security protocols and used the latest PHP, kept dependencies up to date and therefore you'd expect some level of competency from the hacker.

                Upon a quick check, Shopback does seem to allow very weak passwords so even in your example of 3 potential hash opportunities to select from it seems plausible that a result would be found within a week for a weak password. (eg. Shopback123) Keep in mind salting doesn't mean it takes much longer to find an individual password, merely makes it harder to use a rainbow table. Therefore you could use a bit of logic to try and pinpoint weaker passwords to work out the hashing algo. I won't go into the ins and outs of how but it's publicly available.

        • +16 votes

          Nice try Mr. Hacker! You're not getting my $0.55 sitting in the account…

      • +8 votes

        Encrypted is different to Hashed. Hashes can't be recovered if the hashing algorithm is a modern one that hasn't been compromised yet and a salt is applied. Asking us to email "[email protected]" for these details is not good enough, and the FAQ page includes nothing about which "leading cyber security specialists" have been engaged.

      • +4 votes

        Regardless of how your details are stored, not forcing a password change on all accounts as a precautionary measure is amateur hour stuff.
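The storage options this thread argues over, side by side, as an added Python example written for this page (not ShopBack's code, nor any commenter's): an unsalted hash, a salted one-way hash in the hashcat "sha1($salt.$pass)" layout listed above, and a slow salted KDF whose output is keyed with a pepper kept outside the database, which is the outline the 13 Nov update gives. The accounts, wordlist, salts, pepper value and record formats are constructed for the example.

```python
"""Password-storage schemes compared: unsalted hash, salted hash, and a slow
salted KDF keyed with a pepper held outside the database. Constructed
illustration, not ShopBack's code: accounts, wordlist, salts, pepper and
record formats are all made up for this example."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts; two share the weak password named in the thread.
SAMPLE_ACCOUNTS = {
    "alice@example.invalid": "Shopback123",
    "bob@example.invalid": "Shopback123",
    "carol@example.invalid": "correct horse battery staple",
}
# Constructed stand-in for a precomputed table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "Shopback123", "qwerty"]
# Constructed pepper; in practice it lives in a secrets store, never in the DB.
PEPPER = b"constructed-pepper-not-stored-with-the-records"


def unsalted_sha1(password: str) -> str:
    """Scheme (a): bare SHA-1. Equal passwords give equal records for every
    user, so one precomputed table is reusable across the whole leaked table."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Scheme (b): hashcat's '120 = sha1($salt.$pass)' layout. The per-user
    salt defeats precomputed tables, but one guess still costs one fast SHA-1,
    so a weak password is no safer per account than under scheme (a)."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1-salted${salt.hex()}${digest}"


def pbkdf2_peppered(password: str, salt: bytes, pepper: bytes,
                    iterations: int = 600_000) -> str:
    """Scheme (c): slow salted KDF, then HMAC-keyed with a pepper kept outside
    the database (the outline the 13 Nov update gives). The record names its
    own algorithm and parameters: the work factor and the pepper protect it,
    not secrecy about the scheme."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    tag = hmac.new(pepper, dk, "sha256").hexdigest()
    return f"pbkdf2-sha256+hmac${iterations}${salt.hex()}${tag}"


def verify(password: str, stored: str, pepper: Optional[bytes] = None) -> bool:
    """Constant-time check of a password against any of the three record
    formats. A scheme (c) record cannot be checked at all without the pepper,
    which is exactly what a database-only leak leaves an attacker holding."""
    scheme, *fields = stored.split("$")
    if scheme == "sha1":
        candidate = unsalted_sha1(password)
    elif scheme == "sha1-salted":
        candidate = salted_sha1(password, bytes.fromhex(fields[0]))
    elif scheme == "pbkdf2-sha256+hmac":
        if pepper is None:
            return False
        iterations, salt_hex, _tag = fields
        candidate = pbkdf2_peppered(password, bytes.fromhex(salt_hex),
                                    pepper, int(iterations))
    else:
        raise ValueError(f"unknown record format: {scheme!r}")
    return hmac.compare_digest(candidate, stored)


def store_all(scheme: str, accounts=SAMPLE_ACCOUNTS, pepper: bytes = PEPPER,
              iterations: int = 600_000) -> dict:
    """Build the credential table a database leak would expose under scheme
    'a', 'b' or 'c'. Each account gets a fresh random 16-byte salt."""
    records = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        if scheme == "a":
            records[user] = unsalted_sha1(password)
        elif scheme == "b":
            records[user] = salted_sha1(password, salt)
        else:
            records[user] = pbkdf2_peppered(password, salt, pepper, iterations)
    return records


def reuse_visible(records: dict) -> bool:
    """Defender's check: do two accounts leak identical records? True means
    shared passwords are visible without a single guess (scheme (a) only)."""
    return len(set(records.values())) < len(records)


def precomputed_table_hits(records: dict, wordlist=COMMON_PASSWORDS) -> dict:
    """Defender's check: which leaked records does a table precomputed from a
    common-password list match directly? Salted records never match; that is
    what salting buys, and it is all salting buys."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[rec] for user, rec in records.items() if rec in table}
```

The two defender checks show what a database-only leak exposes under each scheme: unsalted records reveal shared passwords and common-password hits without any guessing, salted records close that off but still cost only one fast SHA-1 per guess, and the peppered records cannot be checked at all without the separately stored pepper.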

  • +2 votes

    big YIKES

  • +10 votes

    This is fu*ked!
    They mention they were made aware of this breach on the 17th September, so it occurred some time before then.

    I joined up after the 17th, just a couple of days ago. Now, shouldn't this have been brought to my attention at some point in the signing up procedure?! Surely they are obligated to do so?

    Not happy.

    • -2 votes

      Immediately after we became aware of the issue, we took necessary steps to address the incident, and to secure our customers’ accounts and system. This had to be our first priority.

      • +4 votes

        That's why you immediately forced a password reset on all accounts, right?

        • +5 votes

          All at least Shopback didn't save app passwords as plain text like Gearbest… I'm still getting reports of people trying to log in as me -_-

          •  

            @plague69: :OO link

          •  

            @plague69: LOL for real ? That is hilarious hahaha, thanks for the laughter

          •  

            @plague69: Thankfully I had so little trust in GearBest I used an email generator and a random password.

            Some of those sites feel like they're just waiting to hit a critical mass of users before they have a "breach".

      •  

        That might have been your first priority, but there should have been something in place preventing people from signing up during this period, or at the very least a pop-up message advising of the security/data breach.
        That would take no time at all and should have also been an IMPORTANT priority.

        Not even an apology for the stress and uneasiness this has caused…. Just more excuses.

        Not to mention the generic copy and paste email response I got too. Seems to be a real theme appearing here with this company. 😏🤥

  • +49 votes

    Dear Shopback

    1. Email snuck-out at 10.00pm AEST on a Friday night? slow clap
    2. Screw you.
    3. Name, date of birth, bank BSB and acct number….and no offer of paid access to an ID theft monitoring service?
    4. "…we do not collect credit card details…" That is the bank's money at risk you bunch of Muppets.

    (Feedback directed to the company and not intended as a personal attack)

    • +2 votes

      Also suggesting you may change your password. It should be forced when signing in.

      •  

        Yep. Now - for your next mission….try to cancel your account with them.

        • +5 votes

          Sigh


          I am no longer interested. How do I deactivate my ShopBack account?
          Oh no! We are sorry to see you go.

          Please be advised that once the account has been deactivated, you will no longer be able to use the same email address and phone number to create any new accounts under ShopBack.

          If you would still like to proceed, do reach out to our friendly live chat agents here and we will help be more than happy to help you. We are available from Mon to Fri, 10.30AM - 8.30PM AEST, excluding Public Holidays.

    • +1 vote

      Did you fill in Gender, Date Of Birth, Address Line, Postal code? I have only added full name, email address, password, phone number, PayPal details.

      • +3 votes

        I can't remember what details I had to give them when I opened an account. Under account information it's only showing name, email & mobile, the rest are blank. I haven't cashed out yet.

        • +1 vote

          Better to cash out now.

        • +4 votes

          You still don't have to provide all details to cash out.

          I've cashed out and only provided FN (not even my real one), Mob#, Ofc Email & Bank Account.

          No LN, Gender, DOB or address.

          •  

            @Godric: Yeah, but that'll be after the fact, which is all over now, so you should be safe now entering your details to withdraw all your cash…..however low it is….

      • +9 votes

        Luckily I didn't put in my gender, dob, address. Just changed my password for now. But still, major fk up from Shopback.

      • +1 vote

        I've never added my full name or anything but email, mobile number and bank details.

        But that's way too much data already.

        •  

          What are they gonna do with your bank details? Deposit money in it? I guess they could spam you with your email and mobile….

          •  

            @Zachary: You'd be making the same mistake that Jeremy Clarkson did:
            https://www.theguardian.com/money/2008/jan/07/personalfinanc...

            Although that happened more than a decade ago, knowing how stupid some Australian banks are, they probably STILL haven't upgraded their security to prevent things like this from happening.

            •  

              @Russ: What if you only have a savings account that can only receive money but not send?

              •  

                @Zachary: You'll probably find the bank will send the money, and then hit you with a fee for using a "disallowed" transaction type.

                You really have to know someone working in a bank, to know just how stupid they are. If a particular type of fraud isn't costing them millions of dollars a month, they don't bother investigating it.

                Maybe there are some smart banks, if so I'd like to know of them. The regular news articles about how banks did something wrong, makes me think they don't exist.

                •  

                  @Russ: If you signed up to a bank for a savings only account and you tried to pay using that account, it should be blocked and it won't let you….and the other guy who got your bank details to pay for some subscription service won't work either because it'll be denied….

                  •  

                    @Zachary:

                    it should be blocked

                    If the banks actually pulled their fingers out, took security seriously, and came into the 21st century, the transaction should be blocked. But just because the bank documentation says direct debits are not allowed for that type of account, doesn't mean it will happen that way.

                    If the banks did everything right, we wouldn't need a banking ombudsman to correct their mistakes. And the banking ombudsman service (or whatever new name it goes by now) is well and truly overloaded with work, it took ~6 weeks for the ombudsman and the bank to correct a simple error for me, earlier this year.

                    •  

                      @Russ: So what about those companies who openly advertise their bank details publicly so we can pay them?

                      I signed up for a NAB savings account that doesn't allow withdrawals from there unless it's towards your personal account or you're at a teller specifying withdrawal specifically from that one account. Wanna test it out - it's got $0 anyway so the only way for money to be withdrawn is if it goes to negative? …which shouldn't happen since I don't have overdrawn enabled on any of my accounts….

                      •  

                        @Zachary:

                        Wanna test it out

                        Wow, thanks, an invitation for me to commit wire fraud, a crime with rather steep penalties. No thanks.

                        •  

                          @Russ: How else am I gonna find out if they're false advertising or lying to me without a test and you seem adamant about it too….so I figured a test or a few is the only way to find out….

    • +2 votes

      I had a quick look, I have never input my DOB/address etc, not sure why I would/why they would need the info anyway? Bank Account and BSB, name and email were all they had.

      Looks like I used Facebook login as well, didn't actually have a password to change.

  • +27 votes

    Shopback has our name, email, mobile number, and bank account details stored. I am genuinely worried.

    • +9 votes

      You have cause to be concerned. Take action.

      Tip: Notify your bank ASAP that you have been the victim of a hack and ask that an interaction be recorded on their CRM along the lines of "Additional/enhanced ID&V. Victim of third party data breach".

      •  

        It looks like I never gave them bank or paypal details, signed up but have not even got any click history.

    • -24 votes

      Someone negged me. WTF???? That you @gotyourback ?

      • -1 vote

        I got your back and +1'd.