ShopBack Data Breach

13 Nov 2020 (Update)

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

We want to reassure you that we have further enhanced our security measures since September, taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with Crowdstrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

We have also rolled out a self-deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves without the need to contact ShopBack. See this 'How To' link to self-delete your account. We can also continue to assist customers with deleting an account if this is their preference.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.

We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.


26 Sep 2020

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused; however, the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack


FAQs In This Post

How do I close my account?
See this 'How To' link.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed cannot be processed. You will not be able to cash out pending cashbacks after they become confirmed, as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.
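The 13 Nov update says the per-user salted hashes were additionally "encrypted using a separately stored 'pepper'", and the Have I Been Pwned summary quoted further down the thread describes the leaked rows as salted SHA-1. The block below is an added example, not ShopBack's code and not part of this post: it shows what that scheme looks like in practice, including the step that matters right after a breach, wrapping every existing salted-SHA-1 row with a keyed HMAC under the pepper without needing the plaintext, so a copied database is no longer usable for offline guessing, and then upgrading each row to a slow KDF at the user's next successful login. The pepper value, the iteration count and the "legacy-sha1" row format are constructed assumptions for illustration.

```python
"""Per-user salt + separately stored pepper for password storage.

Added example, not ShopBack's code. Assumes the pepper lives outside the
user database (environment variable or secrets manager) and that a legacy
row holds a salted SHA-1 digest, as the HIBP summary in this thread describes.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ITERATIONS = 200_000  # illustrative PBKDF2 work factor (assumption)

# Constructed sample pepper. In production this is loaded from a secrets
# store that a database dump alone does not reveal.
DEMO_PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


@dataclass(frozen=True)
class Credential:
    scheme: str        # "pbkdf2-sha256" or "legacy-sha1" (assumed row format)
    salt: bytes        # unique random salt, stored with the row
    iterations: int    # 0 for the legacy scheme
    digest: bytes      # HMAC-SHA256(pepper, inner_hash); the bare inner hash is never stored


def legacy_sha1_digest(salt: bytes, password: str) -> bytes:
    """Models what an old salted-SHA-1 row held. Weak; kept only to show the upgrade path."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def _inner_hash(password: str, salt: bytes, scheme: str, iterations: int) -> bytes:
    if scheme == "pbkdf2-sha256":
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    if scheme == "legacy-sha1":
        return legacy_sha1_digest(salt, password)
    raise ValueError(f"unknown scheme {scheme!r}")


def _pepper_wrap(inner: bytes, pepper: bytes) -> bytes:
    # Keyed wrap: without the pepper, someone holding the row cannot test
    # even one guess against the stored digest.
    return hmac.new(pepper, inner, hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, iterations: int = ITERATIONS) -> Credential:
    """Create a fresh row: random per-user salt, slow KDF, then the pepper wrap."""
    salt = secrets.token_bytes(16)
    inner = _inner_hash(password, salt, "pbkdf2-sha256", iterations)
    return Credential("pbkdf2-sha256", salt, iterations, _pepper_wrap(inner, pepper))


def verify_password(password: str, cred: Credential, pepper: bytes) -> bool:
    """Constant-time comparison of the recomputed wrapped digest against the row."""
    candidate = _pepper_wrap(_inner_hash(password, cred.salt, cred.scheme, cred.iterations), pepper)
    return hmac.compare_digest(candidate, cred.digest)


def wrap_legacy_row(salt: bytes, sha1_digest: bytes, pepper: bytes) -> Credential:
    """Add the pepper to an existing salted-SHA-1 row without the plaintext.

    This can be run over the whole table immediately after an incident: every
    stored digest becomes useless offline even though the user has not logged
    in yet. The slow-KDF upgrade then happens on the next successful login.
    """
    return Credential("legacy-sha1", salt, 0, _pepper_wrap(sha1_digest, pepper))


def verify_and_upgrade(password: str, cred: Credential, pepper: bytes):
    """Verify; if the row is still legacy-sha1 and the password is right, rehash it."""
    if not verify_password(password, cred, pepper):
        return False, cred
    if cred.scheme == "legacy-sha1":
        return True, hash_password(password, pepper)
    return True, cred


if __name__ == "__main__":
    cred = hash_password("correct horse battery staple", DEMO_PEPPER)
    print(verify_password("correct horse battery staple", cred, DEMO_PEPPER))   # True
    print(verify_password("correct horse battery staple", cred, b"wrong pepper"))  # False
```

The design point is that the salt and the pepper defend against different things: the per-user salt stops one guess from being checked against every row at once, while the pepper, kept off the database host, means a dump of the table alone is not enough to check any guess at all. Wrapping legacy rows with the pepper is a cheap immediate mitigation, but it does not make SHA-1 slow, which is why the example still rehashes with PBKDF2 at next login.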


Comments

        • +1

          They do, I possibly provided it in the sign up or was needed to withdraw money

          • +1

            @indium: If it was due to Shopback I suspect I'd be getting more than most people but I'm not. My surname is in the first few letters of the alphabet, my email address starts with the letter 'a', and my phone number is on Shopback. I only get the occasional autodialler calls that I always did along with everyone else as scammers cycle through every mobile number in Australia. If anything I get less of those calls now than a few months ago.

    • How long until OzBargain is next haha

    • We already knew about September so their warning email in my inbox just made me panic over nothing lol.

  • +1
    Merged from ShopBack Data Breach Added to Firefox Monitor Last 21 April 2021

    I got an email notice from Firefox Monitor that Shopback had a data breach that was added to their list last 21 April. Anyone else who received it? Is it the same data breach from last year?

    • +2

      Same breach from last year.

  • +1

    Got this today, that's a real worry.

    Compromised data: Email addresses, Geographic locations, Names, Passwords, Phone numbers

    Description: In September 2020, the cashback reward program ShopBack suffered a data breach. The incident exposed over 20 million unique email addresses along with names, phone numbers, country of residence and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by dehashed.com

  • +1

    New users incoming…. OzB first legit result in Google search…

    https://www.google.com/search?q=shopback+data+breach

  • +2

    ah well, the email was used just for shopback but the phone number was legit, I wonder if that is the cause of the phone calls from Seychelles/Abu Dhabi/Colombo/Kazakhstan/Barbados I had been getting.
    lesson learned I guess, shopback was not worth the $17 in rejected cash backs in/not in my account

  • Just got an email from Mozilla confirming my account was compromised

  • Compromised data: Email addresses, Geographic locations, Names, Passwords, Phone numbers

    hmm, no dob?

    • +1

      Hmm, the original ShopBack announcement says DOB is in there (if you filled it out), along with bank account info (again, if you filled that out).

  • Merged from ShopBack 4.6million Dehashed Emails and Passwords Leaked Publicly Online

    I was browsing reddit recently and found a forum where the full list of Shopback emails and passwords was dehashed and leaked online freely! The leak is relatively old and has been up since January 26th, but if you use the password anywhere else, a variation of your password, or with any other emails, change it now!
    I will not release the website as some people will still need to change passwords to other accounts.

    From Shopback:
    26 Sep 2020
    To date, we have no reason to believe that any of your personal data has been misused; however, the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

    While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

    We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

    • Yep we've known about this for a while. That's why you shouldn't repeat/reuse your password!

      • When did you find the txt file?

      • Was your email in it?

    • +1

      No ShopBack account here so all good.

      Everyone should use https://haveibeenpwned.com/ and see if any of your accounts or passwords are compromised and try something new.

      Tip: Most routers come with unique passwords like "Hangojimiri". Adapt those and add some numbers and symbols to create a strong one. Don't use common words and patterns.

      • -3

        I'm checking if I'm in the leak now

        Yeah I wouldn't trust haveibeenpwned too much, 4/7 passwords and emails pasted as samples in the post weren't found for pwnage, maybe it only searches pastebin.

    • Please advise coordinates of rock you have been living under

      • You realise it's news to me that the public txt file of all passwords and emails is leaked? I'm not re-reporting the breach. Shopback said the data was encrypted when the breach happened, and there is no thread on OzBargain.

        • That makes sense. Cheers

    • I'm up to 15 breaches now, woohoo!

      • 17 but haveIbeenpwned says no pastes

    • Many of us had our Spotify accounts targeted after this. But hey SB gave a few more bonuses and all is good again. Right?

      • What was the point of targeting Spotify (sorry, I don’t use it). Isn’t it just song playlists?

        • Spotify accounts with premium are worth $$$. Even though it's like $12 a month for premium.

        • The hackers have a list of types of accounts they can try, Spotify, Netflix, Disney+ etc. and the usual PayPal, Amazon, banking etc.
          They will try many different ways to monetise their password list.

          • @[Deactivated]: Any thoughts if they would use an automated process or is there someone out there looking at everyone's details individually?

        • What was the point of targeting Spotify

          They can access and copy your playlists.

          • @jv: Damn it, JV. Stay out of my Spotify playlists.

            • @DoctorCalculon: Notified by Spotify of multiple attempts to log in, related to the same email used for ShopBack. Same attempt at Instagram. Stay safe kids and change your login email and PWs.

              • @Sans-Serif:

                related to the same email used for ShopBack

                How many other places have you used the same email address other than Spotify and ShopBack?

                BTW, have you been harassed by a scam company called "Mentors Arena Education" - by phone and email following the SB hack?

                • @DoctorCalculon: A few places but Haveibeenpwned showed me that the SB was the most recent since 2016 and I have had nothing like this before. Nothing phone wise but I usually pass them onto my mate tone…

  • The email I used for shopback has been getting extra spam emails for the last 2 weeks, anyone else same?

    • Been happening ever since the breach. I've had this email address that I signed up to SB with for more than a decade now and received literally 0 spam during this entire time (dunno if it was due to the name or whatever).
      Now I get about 20-30 a day in the spam folder, which is a drastic increase from the initial couple I'd gotten per day soon after the breach.

      • Exact same thing happening to my email spam folder. Everyday get so many spam emails. Good thing it goes straight to spam

        • Finally tapered off a bit, back to only a couple a day now. Was wondering why it was taking google so long to adjust its spam filter algorithm or whatever esp since the junk were all some variant of btc/colesworth vouchers/missed parcels anyway.

  • +1

    I'm getting a ton of spam and phishing emails, mainly crypto rubbish, and it only started happening after ShopBack was compromised. The below screenshot is old and I still receive them almost daily, also have a crap load of rules set up to move them to Junk Email because the subject constantly evolves to evade Microsoft's spam detection

    https://i.imgur.com/DH8icNQ.png

    Just wondering if anyone else is getting the same type of emails since the breach? haveibeenpwned reports that my email has only been leaked on ShopBack and no other sites, still very pissed off about it

    • My spam emails are mostly that I won a prize, American gift cards, Costco gift card and that my wife was caught watching porn but I don't have a wife yet..

    • I just got sent a spam email to my unique Shopback address letting me know that I had a cash settlement awarded to me in my name, lol.

  • +1

    ShopBack has been fined A$85,500 in Singapore over this breach. Talk about a slap on the wrist.

    • +1

      should be 85,500 fine PER customer

      • Agreed, nearly $120 billion just for their Singaporean customer base 🤣

        But in all seriousness, there would be significant costs to every customer that suffered the ramifications of this breach. Any business that doesn't properly safeguard such critical data should suffer the consequences, as Latitude has.

        • like I said during the Optus hack, when things like this happen we customers must all stick together and stop using their services. come on…., there are many phone providers, many cashback, many cc. not that difficult to change…

          some will say what will that achieve? the damage already done mate
          the answer is to show others that customers can bring a company down! imagine if 99% optus customer moved. if you really really love optus, okay, just for a month. imagine what happen. this will be a headline. a company without customer for a month.
          others will see and holly shuuuuutt.. we dont want like them! quick check our system!

          compare with $85k fine… or none for Optus…. others see: bad luck Optus bro… that's all. do nothing

  • I got hacked on all my bank accounts. Almost lost 15000. Just realised my information leaked to the dark web
