ShopBack Data Breach

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused; however, the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack


FAQs In This Post

How do I close my account? Do I need to wait until Monday to get my account closed?
Please email [email protected] and the team will help you out. You won't need to wait until Monday.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed cannot be processed. You will not be able to cash out pending cashbacks after they become confirmed, as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.

Comments

  • Merged from Shopback Data hack? Time to stop using?

    Just got this in the mail couple minutes ago.

    "We know the trust you place in us to safeguard your personal information which is why we’re reaching out. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

    As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

    To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

    You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

    We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQs on our website which has further details. "

    Looks like it might be time to switch back to cashrewards and set up new emails

    • +48 votes

      When you uninstall the Shopback button from Google Chrome remember to make it count:

      1. Go to the 'Customise and Control' menu (top RH side)
      2. 'More Tools' —> 'Extensions'
      3. Find 'Shopback Button - Cashback & Coupons' and click on REMOVE
      4. Tick 'Report Abuse' and click on REMOVE
      5. Select the radio button next to "Has other issues – please describe in comments"
      6. Write or paste something in the comments, and submit, to the effect of the following:

      "Confirmed data breach (25Sep20) of the company site resulting in the loss of customer data. Company has failed to protect the privacy and legal rights of users in contravention of clause 4.3 of the Google Chrome Web Store Developer Agreement"

• Done, good call out OzDJ_

      • Removed. Understand now based on what's been leaked.

        • +40 votes

          The last 20 years of my life have been in consumer affairs management, including privacy and identity protection. I care about this stuff.

There is no room for complacency or apologising for sloppy data protection. You can cancel a credit card number, but you can't change your date of birth, nor easily change your name. I've seen the impact of ID theft, and financial fraud is, in many ways, the least of our worries.

          That's what's driving it.

          • @OzDJ_: and in some states like WA, you can't even change your driver's licence number if you've been a victim of ID theft.

            • @tdw: Great call-out.

There have to be extraordinary circumstances to do so. NSW is a case in point, where the massive Service NSW data breach from March this year is currently being remediated. Unless you are in immediate or likely physical harm (eg a person in witness protection) as a result of the breach, you will get a licence reprint (ie new card number but same licence number) instead of a more expensive/complex licence reissue (new card number and new licence number).

The govt-issued details from your driver's licence or passport are GOLD for identity thieves. Think twice the next time you blindly hand over your licence as ID at a pub/club. Have a read of their privacy policy about where any images of that card are stored - by who - where - and for how long.

• @OzDJ_: I don't go to pubs and clubs anyway (a lot of them are owned by dodgy people), but a while ago, I had a proof of age/photo card done for claiming birthday freebies and doing click & collect orders. And since I'm paranoid about losing or someone stealing my driver's licence, I leave that at home. Yes, I've been pulled over many times and police never took an issue with me just handing over my proof of age card.

                But every now and then, I'll get some blowback by ignorant shop staff who claim to have never seen a proof of age card or somehow think it's not a legit photo ID. Sometimes they'll go, "oh but we need to see your address." But I always have my PO box as the order's billing address so seeing my residential address wouldn't help them much anyway.

                Someone here once advised to tape over the address section of your driver's licence for order pick-ups and stuff, and that's good advice, too.

• @OzDJ_: We went to an RSL once for lunch and they asked for everyone's driver's licence and scanned them at the door on a computer.

                • @GerrardLFC: I don't think that data is available online. Probably on a local server.

                  • @Orico:

                    I don't think that data is available online. Probably on a local server.

                    Is that local server connected to a network? Is that network connected to a device that IS connected to the internet? Then that local server is connected to the internet. It may not be easy/convenient to get to, but it can be got to. Go web search some of the stuff people have/can do to hack computers remotely, some of it is wild.

                    Once someone has your data, you have no way of knowing what they are doing / going to do with it.

                    • Bad data storage practices
                    • Bad backup storage practices
                    • Bad security (computer, network, physical, …) practices
                    • Changing privacy policies
                    • Company sales / acquisitions
                    • Data sale

                    Very little data is needed to identify you - if we can identify every 3-metre square on the planet with three words, how many words do we need to identify you? 33.

                    33 pieces of information is enough to identify every single person on the planet (at least until we're past 8.5 billion, then it's only 34 pieces until we get past 17 billion people). And realistically it can probably be done with less.

                    How many pieces are you giving away?

          • @OzDJ_: Can you please advise what to do about this situation: https://www.ozbargain.com.au/node/567275?page=2

            I haven't seen any acknowledgement of the issue by the business and people are saying their social posts are being deleted

• Nothing in extensions. Also my email address isn't on their system when I went to reset pw? I don't even think I'm with them. I did buy something the other day so maybe that's what it was, I think a Telstra SIM.

        • Interesting. Did you receive a notification email from them?

• @OzDJ_: Yes, and it had my name right so it's weird. I vaguely remember at checkout seeing ShopBack. But I've only bought 3 things (1. Kogan, 2. Telstra SIM) in the last few weeks. So perhaps one of them uses ShopBack? Either way I hate to think I entered my details and they have it. Is it for ShopBack accounts only, like you have to log into this company?

            Dear Xxx right name. ,

            We know the trust you place in us to safeguard your personal information which is why we’re reaching out. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

I put a temp block on my card with the bank for now. I can unblock it once I think it's safe.

            • @whosyourbuddha: Ahh….so you might have used Shopback via a means other than a browser extension.

              Anyway - sounds like you're doing whatever you can to protect yourself. It's really easy to feel completely powerless when you're a victim of a data breach but taking practical steps to protect yourself and raise awareness/action with others is great.

              Stay vigilant. Good luck.

• @whosyourbuddha: When I go to log into ShopBack:
              We couldn't find an account created with @gmail.com. Please check the email address, or sign up for an account.

    • Recommend leaving a Google Play review as well. They are still highly rated on the Play Store, and there could be future victims who are unaware of the data breach.

  • +13 votes

    WTF

  • Damn, expect a lot of spam and scam calls.

  • Today I got a SMS from a credit check company containing an activation code, and just before this Shopback email a spam/scam email from 'OfferConnector' which contained my surname for a Woolworths gift card. Not happy about it, and expect there will be more to come..

  • No wonder I've been getting so many spam emails.

    • Not sure if related but yes, lately (last week) more phone, txt and email spam/scam.

      • Damn, me too :(

      • I've definitely been getting a lot more phone call/sms spam in the last few weeks since this breach.
        I saw the email, changed my pw, and forgot about it. But reading about it again now, I'm almost totally sure this is the origin of all that spam.

  • I tried changing my password but I haven't gotten my password reset email yet. And yes I've checked my spam folder.

    A little bit of transparency would go a long way to regain the trust of customers, specifics about what happened would be helpful.

• Has this been reported to ACSC or other authority?

  • Has the breach been reported to OAIC?

  • your ShopBack account password is protected by encryption.

Can you confirm whether passwords are stored as one-way salted hashes, or as just encrypted? The former is how you are supposed to store passwords; the latter is awful practice that exposes all passwords if a key is compromised (which is likely if there is an intrusion).
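The distinction raised in this comment, as an added illustration (example code, not ShopBack's or the commenter's): a toy reversible "encryption" of passwords under one server-side key beside a one-way salted PBKDF2-HMAC-SHA256 store, and what an intruder holding the server key gets from each. The keystream cipher, the iteration count and the sample users are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; assumed, OWASP-level cost


# --- Weak scheme: reversible "encryption" under one server-side key. ---
# Constructed toy keystream cipher, used only to show the failure mode:
# whoever holds the key (e.g. an intruder on the server) gets every password.
def _xor_keystream(data: bytes, key: bytes) -> bytes:
    stream = hashlib.sha256(key).digest()
    keystream = (stream * (len(data) // len(stream) + 1))[: len(data)]
    return bytes(a ^ b for a, b in zip(data, keystream))


def weak_encrypt(password: str, key: bytes) -> bytes:
    return _xor_keystream(password.encode(), key)


def weak_decrypt(blob: bytes, key: bytes) -> str:
    return _xor_keystream(blob, key).decode()  # same key => plaintext back


# --- Sound scheme: one-way salted hash, nothing to decrypt. ---
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $pbkdf2-sha256$<iters>$<salt>$<hash>."""
    salt = salt if salt is not None else os.urandom(16)  # fresh salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    salt_b64 = base64.b64encode(salt).decode()
    dk_b64 = base64.b64encode(dk).decode()
    return f"$pbkdf2-sha256${ITERATIONS}${salt_b64}${dk_b64}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        _, scheme, iters, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, expected)


def breach_impact(users: dict, server_key: bytes) -> dict:
    """Simulate an intruder who holds the server key and both stores."""
    encrypted = {u: weak_encrypt(p, server_key) for u, p in users.items()}
    hashed = {u: hash_password(p) for u, p in users.items()}
    # Reversible store: every password falls out immediately.
    recovered = {u: weak_decrypt(b, server_key) for u, b in encrypted.items()}
    # Hashed store: only guessing remains, and users sharing a password do not
    # even share a record, because each record carries its own salt.
    collide = len(set(hashed.values())) < len(hashed)
    return {"recovered": recovered, "hashed_records_collide": collide}
```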

    • +25 votes

      I don't know what you just said, but "one-way salted hashes" sound delicious.

    • +5 votes

      Yes user passwords are encrypted by hashing with a salt.

      • -13 votes

That's not enough information. Is it PBKDF2, Bcrypt etc?

        • Not knowing what the hash schema used to hash the passwords was adds significant complexity to the password cracking operation. Not disclosing this information is in your best interest.

          • @StingyJoe: Security by obscurity is not security. Often you can tell if Bcrypt is being used due to the $ that is appended. With other hashing algos you often know as well as they are so damn weak.

          • @StingyJoe: I'm surprised I got neg'd here. It is very commonly known in the infosec world that obscurity is not security and it would be ideal to know whether the password storage hashing is adequate. Refer to well known people in the infosec world like Scott Helme. https://twitter.com/Scott_Helme/status/1016224286649053184

            • @machej: Hi @machej.

Bad luck with the negs, I agree with you, security through obscurity is not real security. That being said, there is no denying that obscurity makes the cracking process much harder and every minute gained gives more people a chance to respond to a breach. Without access to the source code of a program that created the hashes, it can be a VERY time consuming operation to find the right hash combination if anything other than an easy-to-identify hash schema was used.

              Consider for example the following hash: 0000000B84FF762C88DG6E16F324269EFCA186FA

              If given to a classic cracker such as John the Ripper to crack without specifying a type, you'll get the following response:
              Warning: detected hash type "raw-sha1", but the string is also recognised as "raw-sha1-linkedin"
              Warning: detected hash type "raw-sha1", but the string is also recognised as "raw-sha"
              Warning: detected hash type "raw-sha1", but the string is also recognised as "raw-sha1-ng"

              John will attempt to crack the password as "raw-sha1" but it could be wrong and you'll have to start over on a new hash type again.

The same hash into hashcat-plus complains about the hash length and prompts you to specify a hash type. You can specify SHA1 based on your gut feel, but there are numerous permutations available that could mean an endless amount of time wasted if you choose wrong. E.g. Hashcat gives the following options for SHA1:

              100 = SHA1
              110 = sha1($pass.$salt)
              120 = sha1($salt.$pass)
              130 = sha1(unicode($pass).$salt)
              140 = sha1($salt.unicode($pass))

              There is a real community contributing to solutions for this problem but in the end, knowledge of the application creating the hash is still invaluable to speed up the cracking process. Example projects:
              https://code.google.com/archive/p/hash-identifier/
              https://www.onlinehashcrack.com/hash-identification.php

              • @StingyJoe: Often there is an indication of what hashes are being used. Of course dependent on what systems were breached and how savvy the hackers were. If you take the hash out of the context I totally agree it could help slightly speed things up by disclosing it but I'd like to hope Shopback didn't ignore basic security protocols and used the latest PHP, kept dependencies up to date and therefore you'd expect some level of competency from the hacker.

                Upon a quick check, Shopback does seem to allow very weak passwords so even in your example of 3 potential hash opportunities to select from it seems plausible that a result would be found within a week for a weak password. (eg. Shopback123) Keep in mind salting doesn't mean it takes much longer to find an individual password, merely makes it harder to use a rainbow table. Therefore you could use a bit of logic to try and pinpoint weaker passwords to work out the hashing algo. I won't go into the ins and outs of how but it's publicly available.

        • Nice try Mr. Hacker! You're not getting my $0.55 sitting in the account…

• Encrypted is different to Hashed. Hashes can't be recovered if the hashing algorithm is a modern one that hasn't been compromised yet and a salt is applied. Asking us to email "[email protected]" for these details is not good enough, and the FAQ page includes nothing about which "leading cyber security specialists" have been engaged.

      • Regardless of how your details are stored, not forcing a password change on all accounts as a precautionary measure is amateur hour stuff.

  • big YIKES

  • This is fu*ked!
    They mention they were made aware of this breach on the 17th September, so it occurred some time before then.

    I joined up after the 17th, just a couple of days ago. Now, shouldn't this have been brought to my attention at some point in the signing up procedure?! Surely they are obligated to do so?

    Not happy.

    • -2 votes

      Immediately after we became aware of the issue, we took necessary steps to address the incident, and to secure our customers’ accounts and system. This had to be our first priority.

      • That's why you immediately forced a password reset on all accounts, right?

• That might have been your first priority, but having something in place preventing people from signing up during this period, or at the very least a pop-up message advising of the security/data breach, would take no time at all and should have also been an IMPORTANT priority.

        Not even an apology for the stress and uneasiness this has caused…. Just more excuses.

        Not to mention the generic copy and paste email response I got too. Seems to be a real theme appearing here with this company. 😏🤥

  • +49 votes

    Dear Shopback

    1. Email snuck-out at 10.00pm AEST on a Friday night? slow clap
    2. Screw you.
    3. Name, date of birth, bank BSB and acct number….and no offer of paid access to an ID theft monitoring service?
    4. "…we do not collect credit card details…" That is the bank's money at risk you bunch of Muppets.

    (Feedback directed to the company and not intended as a personal attack)

    • Also suggesting you may change your password. It should be forced when signing in.

      • Yep. Now - for your next mission….try to cancel your account with them.

• Sigh

          I am no longer interested. How do I deactivate my ShopBack account?
          Oh no! We are sorry to see you go.

          Please be advised that once the account has been deactivated, you will no longer be able to use the same email address and phone number to create any new accounts under ShopBack.

If you would still like to proceed, do reach out to our friendly live chat agents here and we will be more than happy to help you. We are available from Mon to Fri, 10.30AM - 8.30PM AEST, excluding Public Holidays.

• Did you fill in Gender, Date of Birth, Address Line, Postal code? I have only added full name, email address, password, phone number, PayPal details.

      • I can't remember what details I had to give them when I opened an account. Under account information it's only showing name, email & mobile, the rest are blank. I haven't cashed out yet.

        • better to cashout now.

        • You still don't have to provide all details to cash out.

          I've cashed out and only provided FN (not even my real one), Mob#, Ofc Email & Bank Account.

          No LN, Gender, DOB or address.

• @Godric: Yeah, but that'll be after the fact, which is all over now, so you should be safe now entering your details to withdraw all your cash…..however low it is….

      • Luckily I didn't put in my gender, dob, address. Just changed my password for now. But still, major fk up from Shopback.

      • +1 vote

I've never added my full name or anything but email, mobile number and bank details.

        But that's way too much data already.

    • I had a quick look, I have never input my DOB/address etc, not sure why I would/why they would need the info anyway? Bank Account and BSB, name and email were all they had.

      Looks like I used Facebook login as well, didn't actually have a password to change.

  • +27 votes

    Shopback has our name, email, mobile number, and bank account details stored. I am genuinely worried.

  • Time to boycott