ShopBack Data Breach

13 Nov 2020 (Update)

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

We want to reassure you that we have further enhanced our security measures since September; taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with Crowdstrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.
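Added illustration, not ShopBack's code (the notice does not describe their implementation): a stdlib Python sketch of a per-user salted hash whose stored digest is then keyed with a separately stored pepper, so that a copy of the user table alone is not enough to verify password guesses offline. The pepper is applied here as an HMAC key rather than with a cipher; function names and the pepper location are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Assumed: the pepper lives outside the user database (secret manager, KMS,
# environment), never in the same table as the salted hashes. Generated
# randomly here only so the example runs stand-alone.
PEPPER = secrets.token_bytes(32)


def hash_password(password: str, pepper: bytes = PEPPER,
                  iterations: int = 200_000) -> dict:
    """Return the record to store for one user: per-user salt, cost, digest."""
    salt = os.urandom(16)  # unique per user, stored next to the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Wrap the salted digest with the pepper. Verifying now needs both the
    # database row and the pepper, so a leaked table is not crackable by itself.
    stored = hmac.new(pepper, dk, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "hash": stored}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute the peppered digest and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    candidate = hmac.new(pepper, dk, "sha256").digest()
    return hmac.compare_digest(candidate, record["hash"])


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password get different salts, hence different rows."""
    a, b = hash_password(password), hash_password(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("correct password:", verify_password("correct horse battery staple", rec))
    print("wrong password:  ", verify_password("Tr0ub4dor&3", rec))
    # A dump of the table without the pepper cannot even confirm the right guess.
    print("right guess, wrong pepper:",
          verify_password("correct horse battery staple", rec, pepper=b"\x00" * 32))
```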

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

We have also rolled out a self-deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves without the need to contact ShopBack. See this 'How To' link to self-delete your account. We can also continue to assist customers with deleting an account if this is their preference.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.

We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.


26 Sep 2020

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused; however, the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack


FAQs In This Post

How do I close my account?
See this 'How To' link.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed will not be able to be processed. You will not be able to cashout pending cashbacks after they become confirmed as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.


Comments

      • +2

        Karen did it. +1

      • +36
      • +1

        Same happened to me. IDGAF. It's just the resident trolls trying to get you to bite. Sigh.

        I've just spoken to my bank which will help me sleep a little better tonight.

        • My bank call centre is closed. Won't open until 8 am tomorrow morning. Thank you for emailing us this late!!

        • Are you ok mate? You seem awfully worried about this.

      • -1

        keep commenting. whoever's negging you will run out of negs eventually ;)

  • +9

    Time to boycott

    • +4

      100% sh*tlisting treatment.

      Like Catch of the Day - another company that didn't appropriately protect customer data.

    • +1

      been doing that since my $10 chemist warehouse intro bonus never materialised. In hindsight, I should've deleted my account back then.

      • +4

        You might delete your account but the details still stay in the database.

        • so there's no guarantee that even after we email shopback on monday morning to delete our accounts, that they're well and truly deleted

          • @tdw: That's correct. Deactivation <> deletion.

            • @RSmith: It will literally be a value in a database change. IsActive will change from a 1 to a 0. Your data will still be there.

              • @lockmc: Exactly.

                I have worked in IT for as long as I can remember. Data is never deleted.

                • +2

                  @RSmith: I work in digital and can concur…. Data is never deleted. GDPR does slightly change things.

                  Deleting data is much more technically challenging than flipping a soft delete flag in a db, so it is never done.

                  • @lockmc:

                    Deleting data is much more technically challenging than flipping a soft delete flag in a db, so it is never done.

                    That's absolutely right. Somehow companies love to keep the data. Either in the database or in the logs. Deletion of data is usually never done.

                • @RSmith:

                  Data is never deleted.

                  It is if you do it properly - press the delete button….not that hard to delete….and don't lie about it either, because then you didn't really delete it now did you?

                  • @Zachary: Once it's in the database, you don't delete it by pressing the delete button key.

                    • @RSmith: …so how does one delete then if you don't delete it by pressing the delete key or button?

                      • @Zachary: Delete from <table name> where username = 'zachary'

                        • @RSmith: why would i delete myself?

                        • @RSmith: So you seem okay with your data being stolen. Nice.

                          • @RSmith: well…it's a bit too late for that if the hackers already got my name…..

                            • @Zachary: At least you learnt the SQL to delete the data ;)

                              • @RSmith: Can you teach me some more SQL? I wanna make a database….an unhackerable database…..

                                • @Zachary:

                                  an unhackerable database…..

                                  Start by working on the terminology.

                                  • @RSmith: So…you can't have an unhackable database?

                  • @Zachary:

                    not that hard to delete

                    Is it but?

                    Did you also delete the data from yesterday's backups?

                    How do you even delete data from a backup?

                    What about Sunday's backup? And Saturday's? Friday's? Thursday's? Wednesday's? Last Week's?

                    Oh and last Month's? Last Quarter's? The last Biannual? Last Year's?

                    How many backups do we have again?

                    Oh and don't forget any disk images! (don't ask me how you even delete specific data from a disk image, apart from maybe restore, delete and then re-image?)

                    • @Chandler: Ahhh yes….the backups….that would take a while to sift through…..unless you wanna go lazy and only delete the current database and leave the old database backup as is and newer backups will have the changes in place…and then eventually you'll delete the old backups because it takes too much room…..

          • +7

            @tdw: There actually is a guarantee that they don't delete them - from their FAQ: "Please be advised that once the account has been deactivated, you will no longer be able to use the same email address and phone number to create any new accounts under ShopBack" which means they must keep the email address and phone number so that they can prevent you signing up again.

            But that doesn't match up with their claim in this OP.

        • This is exactly what it appears to be doing, the notice says "you won't be able to use this email address again etc"

          Which is usually indicative of a database line being marked to overwrite…but until then good luck.
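The soft-delete-versus-deletion argument above, and the FAQ point that an email and phone number must be retained to block re-registration, as an added example that is not ShopBack's schema or code. It uses a constructed SQLite table to show what each approach leaves behind, and a hashed-tombstone design (an assumption, not something the page describes) that enforces the "can't reuse this email" rule without keeping the email itself. Backups, as the thread notes, are outside what any of this touches.

```python
import hashlib
import sqlite3

# Constructed sample rows; not real users.
SAMPLE_USERS = [
    ("zachary", "zachary@example.invalid", "+61 400 000 001"),
    ("tdw", "tdw@example.invalid", "+61 400 000 002"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE users (
        id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT, phone TEXT,
        is_active INTEGER NOT NULL DEFAULT 1)""")
    # Assumed design: tombstones hold only a hash of the identifier, which is
    # enough to refuse re-registration but is not the identifier itself.
    con.execute("CREATE TABLE blocked_identifiers (id_hash TEXT PRIMARY KEY)")
    con.executemany("INSERT INTO users (username, email, phone) VALUES (?, ?, ?)",
                    SAMPLE_USERS)
    return con


def id_hash(value: str) -> str:
    """Normalise then hash, so 'A@X' and 'a@x ' collide as intended."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def deactivate(con: sqlite3.Connection, username: str) -> None:
    """Soft delete: flips IsActive 1 -> 0; every PII column stays readable."""
    con.execute("UPDATE users SET is_active = 0 WHERE username = ?", (username,))


def hard_delete(con: sqlite3.Connection, username: str) -> bool:
    """Real deletion: row removed, only hashed tombstones remain for the re-use rule."""
    row = con.execute("SELECT email, phone FROM users WHERE username = ?",
                      (username,)).fetchone()
    if row is None:
        return False
    con.executemany("INSERT OR IGNORE INTO blocked_identifiers VALUES (?)",
                    [(id_hash(v),) for v in row])
    con.execute("DELETE FROM users WHERE username = ?", (username,))
    return True


def stored_pii(con: sqlite3.Connection, username: str):
    """What a dump of the users table still reveals about this account."""
    return con.execute("SELECT email, phone, is_active FROM users WHERE username = ?",
                       (username,)).fetchone()


def can_register(con: sqlite3.Connection, email: str, phone: str) -> bool:
    hits = con.execute(
        "SELECT COUNT(*) FROM blocked_identifiers WHERE id_hash IN (?, ?)",
        (id_hash(email), id_hash(phone))).fetchone()[0]
    return hits == 0


def plaintext_in_db(con: sqlite3.Connection, value: str) -> bool:
    """Crude dump check: does any text cell in any table still contain `value`?"""
    tables = [t for (t,) in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for row in con.execute(f"SELECT * FROM {table}"):
            if any(isinstance(c, str) and value in c for c in row):
                return True
    return False


if __name__ == "__main__":
    con = make_db()
    deactivate(con, "zachary")
    print("after soft delete:", stored_pii(con, "zachary"))
    hard_delete(con, "zachary")
    print("after hard delete:", stored_pii(con, "zachary"))
    print("email still in any table:", plaintext_in_db(con, "zachary@example.invalid"))
    print("can re-register same email:", can_register(con, "Zachary@Example.invalid", "+61 400 000 009"))
```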

      • +2

        I've had various cashbacks not appear too. Does this mean they were probably keeping the cashback amounts for themselves?

        • +1

          i wouldn't be surprised.

  • +15

    It is very worrying. Someone tried to do a credit check using my details. Whether they were able to get any further I don't know as the activation SMS came to me, and I ignored it. But this is all very concerning.

    • +5

      Not sure why you got neg'd for this post. A mobile phone number, full name, address, bank account is a fair wad of information and that could be plausible.

    • +2

      A credit check? That shouldn't be - the CRAs require positive ID (government issued, including D/L, Passport, Medicare) to do that which I sure as hell hope ShopBack doesn't have. More likely is the SMS you got was actually an attempt to get you to add more information to what they already have by getting you to go online and "prove your identity" to "report a fraud attempt".

  • +25

    not happy with this mob either, changed my password as soon as I saw the breach, then decided to delete account (not something I use anyway), guess what….. to delete account I need to phone and office hours are Mon to Fri, 10.30AM - 8.30PM AEST, they have deliberately sent emails on a friday night to minimise people deleting accounts

    • -15

      You can reach out to us at anytime through our dedicated email address [email protected].

      • +54

        We can sign up online, why can't we delete our accounts online?

        • +7

          Yes, at least provide a "delete account" button like CB does.

        • oooooh, he's not replied back….

        • They apparently lack a proper IT security team, so maybe we should all be signing up new accounts as little timmy droptables :D

  • +21

    the email is super vague, but when you click into their FAQ, they provide more details. incident actually occurred over a week ago (17th September). "a few days ago" my ass.

    • +3

      yep we should have got this email a week ago, thanks for leaving us exposed for a week longer than we should have

        • +9

          Our highest priority is the security of our customers’ data.

          I'm trying not to choke on my pretzels right now.

          As soon as we became aware of the issue…we….engaged leading cyber security specialists to identify and plug immediate vulnerabilities, support ongoing investigations, and fortify our security infrastructure…"

          You could have done that BEFORE a hacker peeled-open your network perimeter like a can of baked-beans, you know?

          and implemented additional authentication processes for all employees.

          This is an interesting disclosure. Noted.

          • +5

            @[Deactivated]: Inside job?

            • +1

              @Amaris: I will wait and see what the OAIC has to say and not make any assumptions.

              But the comment around "additional authentication processes for all employees" makes me wonder if it was a pure tech hack or whether there was social engineering at play (e.g. a spearphishing attack).

              I don't think it's helpful to speculate on the cause, but I do note that a number of Shopback employees/contractors have their own personal information (name, address, phone number, photos, employment history etc) wide open on the internet.

              • +4

                @[Deactivated]: I'll just note that their website is stuck behind Cloudflare and has been since at least a year ago, and they did remove the direct host entry from Cloudflare DNS. Given Cloudflare hides the actual location of the server, and is a WAF, that should in theory rule out a direct attack on the server or something dumb like SQL injection, leaving behind the ever popular social engineering.

          • +1

            @[Deactivated]: I haven't read into details but for a company like this it's more of the case of an inside employee extracting a bunch of data and selling it to other parties.

            • +1

              @lgacb08: Possible, of course.

              Their customer service staff are based in Malaysia. Trying to find out if they are employees or contractors. Plenty of vectors for an attack when data is moving overseas, of course.

          • +1

            @[Deactivated]:

            This is an interesting disclosure. Noted.

            Thought there was like only two guys behind the whole business setup……is there more than two people?

        • +3

          Will you be notifying us exactly what data was accessed? ie. You said: "we have no reason to believe any of your personal data has been misused"…. But "not misused" doesn't mean "not accessed". It almost sounds like: "They probably accessed your data but we have no reports yet of it being misused."

          You also said: 1) "your cashback is safe", 2) "we do not collect credit card details", and 3) "your ShopBack account password is protected by encryption". I'm sure most people would like to know what was accessed (once you know). e.g. If it was just our email address then who cares. I've used gmail for years and while there's always spam in the spam folder, I only recently began receiving spam from one place that reaches the inbox. But if it was our name and D.O.B. there's definite cause for concern.

    • +11

      On 17 September 2020, we became aware of an incident involving unauthorised access

      Nope, they became aware on 17th, breach could've happened a week earlier than that date, a fortnight, a month?
      Depending on how often they audit/check for irregularities?

      • +2

        great, so it's possibly been even longer since the incident happened 🤦‍♂️

      • +3

        breach could've happened a week earlier than that date, a fortnight, a month? Depending on how often they audit/check for irregularities?

        This person gets it.

    • +1

      Honestly, it does take a week to determine the scope of the breach. This is pretty normal.

      • I think his problem was that he was not made aware on the same day they were made aware of the breach….

    • -1

      "a few days ago" my ass.

      Actually a few days ago is actually 3 - 7 and a week is 7 days so is within acceptable limits? Unless you meant a couple of days ago, in which case yes it would be "my ass" comment coming from you?

      • +2

        17th September is when they were aware of it. 25th September is when they sent out the emails stating they were aware of it "a few days ago".

        25-17 = 8

        Is that clear enough for you?

        • +1

          Ah yes, you're right; my apologies good sir.

  • +7

    I'd suggest everyone get free credit reporting to ensure no credit is applied for in your own name. Use a password manager (plenty are free). Never use the same password on the same site and ensure you delete all information you don't require for your shopback account. Only input your bank account for the short period you need to in order to cash out or use a bank account that has no cash in it most of the time such as a free neobank that you don't use. Let's say Volt.

    • I'd suggest everyone get free credit reporting to ensure no credit is applied for in your own name.

      If you don't have a credit card, that's not applicable…

  • +2

    I can't change my password???

    I get this error after tapping change password: https://ibb.co/dtYzD7S

    • +1

      I changed mine

      • +1

        You didn't get that error, or you figured out how to get around it?

    • Your app looks outdated - you can update it and try again, or alternatively reset it through https://shopback.com.au/forgot?b=1

      • +2

        Thanks I will try that
        Edit - was able to submit new password request but no email yet. Hopefully comes through.

        Shame on shopback for not notifying your customers sooner and/or changing all their passwords for them. No doubt the hackers have already downloaded the contents of all your databases now and there's hardly any point changing our details. If shopback had acted sooner this might not have been the case.

        • -1

          If you still haven't received it, please email [email protected] and the team will help you out.

          Our highest priority is the security of our customers’ data. As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to identify and plug immediate vulnerabilities, support ongoing investigations, and fortify our security infrastructure.

          For example, we have validated our security plan with both internal security and external auditors and implemented additional authentication processes for all employees.

          We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you.

          • +2

            @gotyourback:

            we have validated our security plan with both internal security and external auditors and implemented additional authentication processes for all employees.

            This is a piss-poor effort trying to mitigate the problem. It’s like installing a door lock only after your house got burgled because you have left your front door wide open.

            • @FrugalNotStingy: Just leave the door open, nothing to lose now, if it's all gone now…

      • +2

        It's not working!

        Edit: just got the email to reset.

        Poor form notifying us this late.

  • +30

    Dick move by the company - emailing late at night on a Friday

    Not mandating password changes

    Not notifying customers asap + lying
    over a week ago is not 'a few days ago'

    Will be cancelling my account - but guess what
    Can't cancel online on a Friday night

    • +9

      yep, agree!!!!
      they will have a lot of account deletions next week, was a dumb strategic move on their part, they should have told us last week, so we could minimise our exposure

    • -8

      You can reach out to us at anytime through our dedicated email address [email protected].

      • +2

        So this is the typical response we gonna get henceforth, aren’t we?

        • +2

          They take your privacy very seriously though. That has to count for something, right? 🤣

          • +2

            @[Deactivated]: Don't forget the leading cyber security specialists.

            Not regular cyber security specialists. Leading.

            (Apparently those specialists weren't available when they were setting up in the first place but thoughts and prayers work just as well right?)

            • +1

              @GrueHunter: Yes mate. Thoughts and prayers. 😔

  • +18

    I got a lot of spam calls these past few days. Absolutely shocking, also timing this email on a Friday night so no one notices. Wow just wow.

    • +6

      Must admit I have too. A lot of them speaking Mandarin even.

      • +1

        I had a call from +61419945875 on the 12th and from 0243816372 on the 14th September and they were in Mandarin. 1st time I've had those types of scam calls.

        • +1

          Was only today for me. Lady spoke in Mandarin and then silence.

      • +2

        Mandarin eh? This explains a missed call I had earlier in the week and the following message received. Telstra always converts to text, even for a message received on noisy as streets/in noisy cars…

        “You missed a call from 0417834048, who left a message that could not be converted to text. This message was provided by Telstra at no charge to you.”

    • If the number is unknown to me, I usually don't speak first until they do. For most spam calls (especially robocalls), the line gets disconnected if I don't speak first. Maybe they are waiting for our voice input to proceed by making sure that the receiver is a human, not a machine or voicemail system.

      • Maybe they are waiting for our voice input to proceed by making sure that the receiver is a human, not a machine or voicemail system.

        Mess with them by speaking in the most robotic monotonic tone you can. "Hello, bazingaa here, sorry this person is not available, please leave a message after the beep. [BEEP]"

    • +7

      Have been getting a slew of spam calls starting just a few weeks ago. I wonder whether this is related.

    • I doubt it is related honestly. I get spam phone calls all the time, including automated ones in a foreign language mentioned in this post and I have never signed up on this Shopback site.

    • same, out of the blue been getting spam SMS in last few days

  • +6

    password aside, what information actually got leaked? I have only added full name, email address, password, phone number, paypal details. All of them got leaked? Are we safe if we don't have bank account details and only a paypal account? Should I delete my paypal account as well?

    at least provide the data to https://haveibeenpwned.com/ so we can check.

    • +2

      1 breach on mine. ONE.

      I guess I know now where the problem is from….

      • +2

        for me it is yet "Good news — no pwnage found!" for email address used for SB

      • Unlikely to be shopback. I use unique addresses for every site and no breach currently registered

      • Not that it's a competition… But I have 14.
        All the big ones… LinkedIn, Adobe etc

    • Apart from your email addresses (or alternative login IDs) and limited transactional information ShopBack does not require you to provide information to us that is not related to our specific services or campaigns. As a result, we do not have additional data that you had not provided directly to us. Types of data that you may have provided to us could include your:

      • Name
      • Contact information
      • Gender
      • Date of birth
      • Bank account numbers (for customers who withdraw to their bank accounts)

      In cashing out to your PayPal account, we never collect nor store your PayPal passwords. Nevertheless you should be watchful for potential phishing attempts.
