ShopBack Data Breach

13 Nov 2020 (Update)

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

We want to reassure you that we have further enhanced our security measures since September, taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with Crowdstrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

We have also rolled out a self-deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves without the need to contact ShopBack. See this how to link to self delete your account. We can also continue to assist customers with deleting an account if this is their preference.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.

We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.
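The update above describes two layers of password protection: a per-user random salt combined with a hash, and a separately stored "pepper" applied on top. The following is an added illustration of that pattern and is not ShopBack's code; the notice does not say which hash function, pepper construction or key storage they use, so the choices here (scrypt as the salted hash, HMAC-SHA256 keyed with the pepper rather than symmetric encryption, a pepper held outside the user database) are assumptions. The point it demonstrates is why the pepper matters in a breach like this one: a copy of the user table alone, salts included, is not enough to verify candidate passwords offline, and the pepper can be layered over existing salted hashes without forcing a reset.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredPassword:
    salt: bytes  # per-user random salt, stored in the user record
    tag: bytes   # HMAC(pepper, KDF(password, salt)); unverifiable without the pepper


# Hypothetical server-side secret. The whole point is that it lives somewhere
# other than the user database (KMS, HSM, secrets manager), so a dump of the
# user table does not include it.
PEPPER = secrets.token_bytes(32)


def _salted_kdf(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash. Parameters are constructed for a quick demo;
    raise n in production."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, pepper: bytes = PEPPER) -> StoredPassword:
    """Create a record for a new or reset password: fresh salt, then pepper."""
    salt = os.urandom(16)
    tag = hmac.new(pepper, _salted_kdf(password, salt), hashlib.sha256).digest()
    return StoredPassword(salt=salt, tag=tag)


def pepper_existing_hash(legacy_hash: bytes, salt: bytes,
                         pepper: bytes = PEPPER) -> StoredPassword:
    """Layer the pepper over an already-stored salted hash. This needs only the
    stored value, not the user's password, so it can be rolled out in bulk."""
    return StoredPassword(salt=salt,
                          tag=hmac.new(pepper, legacy_hash, hashlib.sha256).digest())


def verify_password(password: str, rec: StoredPassword,
                    pepper: bytes = PEPPER) -> bool:
    """Login check: recompute with the user's salt and the server's pepper."""
    candidate = hmac.new(pepper, _salted_kdf(password, rec.salt),
                         hashlib.sha256).digest()
    return hmac.compare_digest(candidate, rec.tag)


def offline_guess_without_pepper(password: str, rec: StoredPassword) -> bool:
    """What someone holding only the leaked table can compute: the salted KDF
    output. It never matches the stored tag, so even the correct password
    cannot be confirmed from the dump alone."""
    return hmac.compare_digest(_salted_kdf(password, rec.salt), rec.tag)


if __name__ == "__main__":
    rec = hash_password("correct horse battery")
    print("login with right password:", verify_password("correct horse battery", rec))
    print("login with wrong password:", verify_password("wrong", rec))
    print("offline check from dump only:", offline_guess_without_pepper("correct horse battery", rec))
```

The constructed test inputs above stand in for real user passwords. Note the trade-off a defender takes on: the pepper is a single secret whose loss makes every login fail and whose compromise removes the extra layer, so it needs the same rotation and access-control discipline as any other key.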


26 Sep 2020

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack


FAQs In This Post

How do I close my account?
See this 'How To' link.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request for a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed will not be able to be processed. You will not be able to cashout pending cashbacks after they become confirmed as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.


Comments

  • Damn. Just changed a few passwords. Concerning if they have bank accounts.

    • They almost certainly do.

  • Was bank account data leaked in this breach?

    • any info you entered in your account is at risk.

  • i suppose they're going to blame all those "disqualified" cashbacks on this hack as well?

    can't even delete my bloody bank details.

    shopback rep should change their username to gothacked

    • +1

      Go to your withdrawal tab and there's a little bin next to your account details for me. Then swipe/select the other tabs for PayPal, etc and do the same.

      • +1

        thanks! not sure why i didn't notice that before. blinded by rage, probs ;)

    • -1

      ShopBack’s business operations have not been affected and this incident has not affected cashback tracking or your cashback balances in your ShopBack account. Our team are here to help you make any changes you need. Contact us at [email protected]

      • you're not even sure what user details have been compromised so how the hell can you be so confident your "business operations" aren't going to be affected?

        i cashed out a long time ago and have been using CashRewards ever since.

        don't let the door hit you on the way out.

  • +4

    Comments stating "these things happen but they're handling it poorly" is pure cope. These types of breaches are completely avoidable. I'll be cancelling my account immediately

    • +2

      They're not really avoidable, even massive companies get hacked. You only need one system among hundreds to be unpatched for a short time or one employee to fall for a phishing email.

  • +6

    From your website

    I am no longer interested. How do I deactivate my ShopBack account?
    If you would still like to proceed, do email [email protected] and let us know that you would like to deactivate your account. We will deactivate your account within 48 hours and let you know.

    and on OZB

    … we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ(support.shopback.com.au) on our website which has further details.

    those 2 statements contradict themselves.

    I call this BS, you didn't establish anything dedicated, just your default email address. A new email address takes less than 1 minute to setup and you didn't do it. You could have setup a new free email account something like … concerns@ ….. or databreach@…. just to hint you care.

    politicians, talking the talk just to look good.

    • or OzBVIP@ for us :D

  • +1

    Oh wow just after I received the shopback of 40 in my account, oh well time to use cashback now

    • please enter your phone number so we can verify your identity.

  • One thing I'd like to know is has it been confirmed that the method of entry has been identified and closed. And that whoever breached their systems are definitely no longer inside their network. Otherwise anyone rushing to change their passwords could easily end up with those new passwords getting stolen as well.

  • This is shit. Used the same password for a few other sites which I have since changed. Luckily for me I didn't have my full name, gender or DOB listed. However my mobile and bank details were. Not happy.

    • +2

      Same. Spent all morning updating any important passwords that I've used the compromised email address for. I'd been meaning to update passwords, at least this forced me to do it.

  • +2

    Fake name with PayPal secondary/multiple email and my secondary sim.

    Used password manager.

    I have no idea why people put real info on these sites.

    • So it’s our fault?

      • +1

        Nothing is private when it goes online. That is especially true for centralised data storage.

      • +1

        Yes, if you're providing your legit information to a website which doesn't really need it to work.

        You should know pretty much anything you put online which isn't under your control can be shared without your knowledge.

        This is why I try to self-host as much as I can and not rely on cloud services.

        I don't remember ever giving my real DOB apart from government crap which requires it.

        • I don't remember ever giving my real DOB apart from government crap which requires it.

          What are you gonna do when the government gets hacked?

          • @Zachary: What are you going to do?

            • @[Deactivated]: I asked you first…

              • @Zachary: My life is already set up so that anything that I do or that has already leaked won't have that much impact on my finances or privacy.

                • @[Deactivated]: You're thinking ahead……I'd probably be screwed then….perhaps you'd like to elaborate on what steps you've done to achieve this feat?

    • Ha, wait until some company gives just $5 for very sensitive information (name, DOB, address, driver licence) and… people will sign up!

      https://www.ozbargain.com.au/node/478203

      That being said, Shopback is at fault for handling this incident. I will not stop using them but will probably delete my current account and create a new one using "Sign in with Apple" to avoid providing my real email.

  • +2

    This happened at least back in August as I haven't used shopback since April but there is a pending referral from late August in my account (possibly a hacker testing the account?)…I have never referred anyone to shopback (as it is a crap service now…that's why I stopped using it)

    • Is SB in your OZB referrals?

      • no

        • Did you refer uncle Obi Wan and forget that you did?

    • In late August we updated our Refer A Friend program, which updated you with a notification for any pending referrals. The Cashback you’ve received is the refer-a-friend bonus that’s tagged to either your past referral or to you as a referree. However if you'd like to get in touch with us at [email protected] we can take a better look at it for you

      • +1

        It wasn't me…therefore it was someone else…I have not referred anyone with details anything like the partially obfuscated referral that was on my account….maybe you guys got hacked multiple places in your infrastructure?

        Anyhow, not my problem…I stopped using you and cash rewards months ago once you both started rejecting higher $ amounts…I suspect that internal staff were diverting these larger refunds into their own accounts.

        • And now I'm getting phishing emails from someone (shopback?) saying the mobile I had listed isn't connected with the account…DELETE all my account data and destroy the account 'gotyourback'!!! I don't want anyone to have the opportunity to impersonate me…I've closed the account so you have no reason to maintain my data on your system.

  • +1

    Luckily I use throwaway email phone details and not my real name on these types of sites.

  • +3

    Don't worry, SB. Just keep the cashback flowing and I'll stick with you.

    • +8

      You'd find that after a little kboard warriory most of the tightarses here will return with a new account to take advantage of post breach deals.

      • +4

        You're absolutely right. A 2% discount is all it takes for people to hand over some or all of their data.

        Websites like Facebook and Twitter don't even have to pay anything to get this data.

        • +1

          Even worse, FB has been caught selling user data to Cambridge Analytica and no one here bats an eye.

  • +9

    Stopped using early this year when they kept declining bonus cashbacks advertised here despite following the correct cashback procedure and never having any issues previously.

  • +1

    So I have not cashed out any of my cashback since I joined… Should I enter my paypal deets (different email address) or just my bank account now to withdraw then delete the account.

    • +2

      Enter my compromised Bank account ;)

    • We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. What we can assure you of is that your cashback is safe, and that your ShopBack account password is protected by encryption. ShopBack remains in full operation and this incident has not affected your cashback balances in your ShopBack account. We are committed to continue providing you, our users, with the same level of service as we have had over the years.

      You can use either method to withdraw your cashback.

  • Damn SB, now we won't get anymore specials from CR before listing. :)

    Please rectify and come back soon.

    You'll probably have to raise a lot of extra VC capital to win people back with bonuses. ;)

  • +1

    Just logged in to see that I had 2 referrals confirmed back on 28th August. Is this around the timing of the breach?

    As I used my shopping/spam email I get alot of junk in that inbox so can't say if I've been compromised in other ways yet. In any case, removing my linked bank account details (also a shopping one) as extra precaution.

    • Nothing is really removed. I suspect all previous passwords, information you entered in the past are still stored in their database even after you ‘removed’ them.

    • +1

      I got one too on same date, but pending.

    • Try and check back on purchases on those dates. I had Ebay ones which I could confirm. Lucky for me I hadn't put in bank details. Can still be phished and spammed

    • In late August we updated our Refer A Friend program, which updated you with a notification for any pending referrals. The Cashback you’ve received is the refer-a-friend bonus that’s tagged to either your past referral or to you as a referee. However if you'd like to get in touch with us at [email protected] we can take a better look at it for you

  • was all the other personal data encrypted? name, dob, address?

    • This kind of information is usually not encrypted.

  • +6

    Dear hackers: can you edit all my pending purchases as confirmed so I can close my account? Oh and don’t forget the pending referrals. Thanks in advance!

  • +6

    People,

    I’d recommend resetting all passwords for any account that shares the same email for login as ShopBack! Last week I got notifications for a suspicious login for Instagram, and I received a random security code to my email address from Microsoft. At the time, I thought it was just odd, but it all makes sense now.

    Luckily I only use this email on services that don’t really matter to me.

    I also received $4.23 into my bank account last week too from some random place. So that data has definitely been lost.

    This disaster of a company should not be allowed to trade in Australia anymore!

    • +3

      Wish the hackers would randomly send me money :(

  • What is the risk here? The most sensitive information is Bank Account details. What can be done with those details, I have seen many vendors displaying BSB and Account number details on their web page etc which is publicly available.

    TIA.

    • Name DOB phone etc are also sensitive. People can create fake accounts under your name and avail of products or services.

    • +5

      I called my bank, and was told that anyone with my personal information and BSB account number can set up some sort of direct debit. They suggested I close my account and set up a new one with a new account number.

      • That’s some really good info. Shd be pinned so that ppl understand this could really be issue.

        • The operator also suggested to put a flag on my bank profile so I can’t use phone banking any more other than for general advice (potentially for the rest of my life unless I opt to remove the flag myself, then I’ll have to bear the risk of misusage of my personal information.)

    • there is a risk that if someone has your bank details, they can set up a direct debit on that account.

      ask Jeremy Clarkson how well that went for him: http://news.bbc.co.uk/2/hi/entertainment/7174760.stm

  • +5

    I'm quite relieved I used my PayPal instead of bank account. Just added 2FA to my PayPal just incase.
    The other info I guess is problematic out on social media anyway.

    • +1

      Thanks for pointing this out. Will use PayPal next time

    • +1

      Me too, just enabled Paypal 2FA

  • +4

    It’s a little sad that in this day and age I’m no longer surprised by ANY and I mean Any company having a data breach. It’s a case of not if but when your data will be compromised. Sad fact of this modern age.

    I think more data has been breached than is being let on. My spam folder has exploded since around the 15th September. Direct emails with specific details like my bank name and my old address. Butt load of crypto scam emails too.

    I received a number of phone calls on Tuesday and Wednesday this week from Anz bank calling to confirm my credit application was received but was on hold due to suspicious activity. Illion and Equifax both sent me sms messaging reporting my credit report had changed but thankfully both companies have “Striked through” two credit checks ruled as suspicious. Apparently it’s a thing they do to show suspicious activity was detected before it’s removed within 90 days.

    I think a more detailed explanation of the data stolen is needed here and quickly. It’s been 8 days now, stomp on that gas pedal.

    • +1

      What data did you enter in SB? Bank details, DOB & address too?

  • -2

    So glad that when I signed up originally that I used fake details. Take that hacker. My apologies to [email protected]

    • +1

      It's a good idea to have a burner email, but having any random email or temp email isn't good either when you have account issues.

    • +2

      My apologies to [email protected]

      Mr Gates thanks you

  • +20

    OP should change name from gotyourback to gotyouhacked.

    The email address should also be changed from [email protected] to [email protected]

  • -2

    Given how popular SB is on OzB, this post should be stickied for a week on top of the home page..treats SB right for sending a sneaky friday night email.
    Some sneaky chinese tried to hack into my steam account, luckily I had two step authentication.
    China blessing the world with real and cyber viruses

    • China blessing the world with real and cyber viruses

      Mate, now you'll be labelled as a racist by the CCP supporters.

    • Did steam say the access location is from China?

  • People seem to be missing the point of ShopBack is to mine your data. Of course it was going to be a target for hackers!

    Change passwords, always use transfer to PayPal, problem solved.

  • +3

    Just another example of a data greedy company. Can't protect $h!t but want a full customer profile.

    Thankfully I never made an account with them.

    • -1

      Same could be said about us for being greedy for cashback on top of discounts to get more for less….

      • +2

        No it doesn't. We don't hold confidential information about any of these companies.

        • I was talking about greediness from extra money from a cashback source….

  • +1

    Data breaches are serious. But just because other companies are not reporting them doesn't mean they have no breaches.

    Not sure how effective it is to protect your data by deleting your account. Firstly, the data has already been hacked. Secondly, if your account is permanently removed.. doesn't that mean you'll qualify for the new referee bonus? Some safeguard would exist and that will require your info to be stored elsewhere.

    Meanwhile, let me figure out how to change my DOB and my mother's maiden name….

  • +6

    It is common nowadays. I wonder how many people living in NSW are aware of the data breach at Service NSW not long ago, 186,000 users affected. The data held in Service NSW is far more genuine than any other business.

    https://www.service.nsw.gov.au/cyber-incident

    • +1

      Prior to the legislation requiring you to disclose breaches, I worked with quite a few hospitals that suffered from serious attacks from overseas actors. It's scary to think what they can get hold of.

  • +3

    I received this from PayPal on 23/9/2020. And I did not provide or verify any info on my PayPal account recently. I have added a 2nd factor Authentication to my PayPal account now.

    “ Your information has been verified. We were able to verify the information you provided, and your account setup is now complete.
    Thanks for taking the time to verify your information and helping to keep your account secure.”

    And the email seemed to genuinely come from PayPal.

    • I got the same email. I’ve never linked ShopBack to PayPal, so unrelated.

      • Neither do I. But I linked my bank account details to SB. Whether someone was trying to use my personal info plus my bank account to set up a new PayPal account (???)

    • I got the same email on Thursday 24th September even though I didn't provide any additional information recently. Appeared to be a genuine email as it had my full name.

    • +1

      I got the same email. I'm 99% sure it's unrelated. After researching it, PayPal responded to someone stating this email was sent to a lot of Australians to ensure something was working correctly.

      This email was over a year ago though, so I'm still concerned.

    • I got the same email, even though I never verified anything. But I've never linked PayPal with shopback so I don't see how it could be related. Probably just change PayPal password too to be safe.

    • +1

      I got the same thing. I rang them and was informed it was just something they were doing on their end and no need to worry.

  • -1

    I just logged in and out of my shopback account, and now when I click “sign in” it immediately logs me in without even asking for my password or email. I can try to log out as many times as I want but it never actually logs out. I’ll be changing my password and deleting my account. But that probably won’t actually do anything either…

  • The way they said the data breach was “a few days ago” without providing a time and date of the breach…It’d be safe to say it was at least a week if not longer. Screw Shopback. Really poor handling of this, and probably very weak security to begin with, judging by the weird login behaviour I mentioned above.
