ShopBack Data Breach

Store Repgotyourback @ ShopBack AU on 25/09/2020 - 22:13
Last edited 25/04/2021 - 18:37 by 4 other users

13 Nov 2020 (Update)

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

We want to reassure you that we have further enhanced our security measures since September; taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with Crowdstrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

We have also rolled out a self deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves without the need to contact ShopBack. See this how to link to self delete your account. We can also continue to assist customers with deleting an account if this is their preference.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.

We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.

26 Sep 2020

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack

FAQs In This Post

How do I close my account?
See this 'How To' link.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request for a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed will not be able to be processed. You will not be able to cashout pending cashbacks after they become confirmed as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.

General Discussion

Related Stores

ShopBack AU
ShopBack AU
Third-Party

Comments

  • Frayin on 26/09/2020 - 09:39
    +2

    First time ever receiving robo calls this week. Now i fuc**** know why…

    Can't stand companies retaining personal data, but can't fathom that they allow it to become compromised. SMFH.

    • steven6 on 26/09/2020 - 09:49

      Were the calls in Mandarin?

      • Frayin on 26/09/2020 - 09:49

        2 were, 2 others were in English about unpaid tax.

        • Drewbo on 26/09/2020 - 10:21
          +7

          I was amazed to learn that you can pay your tax bill in iTunes Gift Cards - so convenient!

          • bloom on 26/09/2020 - 11:55

            @Drewbo: About time given my boss I’ve never met pays me with iTunes gift cards!

        • Make it so on 26/09/2020 - 11:31

          Same here. Not happy.

    • paulieau on 26/09/2020 - 10:09

      Same, for the past week been receiving 1-2 robo calls most days about NBN. Researching the numbers they seem to be spoofing genuine phone numbers.

      At least now I know where they got my number.

    • Godric on 26/09/2020 - 10:20
      +1

      Actually me too, I answer, then I get a robot in Mandarin telling me to press 1 to be referred to an agent, then it disconnects LOL.

      I press 1 so I can have a bit of fun and waste their time bit their owning hacky systems don't even work

      • spiritlevel on 26/09/2020 - 12:01

        Been getting those since July.

    • Make it so on 26/09/2020 - 11:31

      Same, got 2 scam calls yesterday

  • imrichkid on 26/09/2020 - 09:54

    Sick of companies that don't safe guard customer data seriously, will stop using Shopback!

  • squaredonut on 26/09/2020 - 09:59

    This explains all these password resets for my emails I’ve been getting.

    I was also a bit stupid to have opted a secondary email address but with a different provider.

    Eg email was joeblow@gmail and recovery was joeblow@hotmail. But I also changed it to the recovery is now an email that never gets used and not guessable at all.

    Enabled 2FA and authenticators on all my emails too.

    My concern now is bank account details and also mobile. I really need some burner number. Maybe a twilio account is worth it now.

    • GerrardLFC on 26/09/2020 - 12:21

      I have the $1 TPG mobile account. Never use it for phone calls just for receiving text messages

      • Last Seen on 26/09/2020 - 21:52

        I wasn't aware of that plan, nice work!

        Second sim slot? Would be quite convenient

        • CyberMurning on 28/09/2020 - 09:06

          problem is if you use 2 sims you cant put micro sd card on the phone

          • Last Seen on 28/09/2020 - 09:49

            @CyberMurning: That's a fair point. You almost need a cheap, (and small) second mobile to treat as an authenticator token.

            Something with decent battery life, though.

    • Zachary on 27/09/2020 - 23:39

      when were the password resets and did you get back your accounts or nah? That should at least point us how long ago this may have actually occured….

  • jimbobaus on 26/09/2020 - 10:03
    +2

    I have been saying for a very long time that i will never use SB as they are based offshore and do not have our priavcy rights or laws to adhere too
    every time i commented i was shot down.
    Looking at the 230+ comments so far it looks like people are now seeing what i have seen all along.

    I never had an account with SB so this does not affect me and i never had an account because i would never trust a company based in Singapore (and Malaysia) to protect my data when the local laws do not require them to do so

    • Stewardo on 26/09/2020 - 10:10
      +1

      SB address in Martin Place Sydney is for a virtual office, so no real office.

      • [Deactivated] on 27/09/2020 - 09:27

        It's not a Virtual Office, it's a WeWork facility. WeWork don't even have virtual office offerings unlike Regus or Servcorp.

        It may be a shared/coworking office, but it's still a real office.

        • Zachary on 27/09/2020 - 23:40
          -1

          Walk into the office and take picture of yourself there and post it here. Then we'll see if it's virtual or not.

          • [Deactivated] on 28/09/2020 - 07:28

            @Zachary: It's in Sydney. I can't go to Sydney, and certainly don't feel like paying for a $3000 quarantine on the way back. But even if I could and did, it's a WeWork co-working/office space so if I'm a tenant or having a meeting with a tenant, I can go there. Just like my own company uses a Regus office, and I can walk in there any time I want as an anyone who has business with me - still not a virtual office, unless you're claiming that any rented/leased office is "not a real office".

            At least since it's a WeWork address and not a Regus or Servcorp address, you know they actually have some staff there without knowing what type of contract they have.

            • Zachary on 02/10/2020 - 18:15
              -1

              @[Deactivated]: Yes, just put in a random office address that no one can get inside to verify that this office location actually exists or not….

              • [Deactivated] on 03/10/2020 - 08:53

                @Zachary: You actually can get inside fairly easily. Walk up to the reception and say you need to meet with someone from (insert tenant here). The receptionist will either tell you that company isn't a tenant, or call someone on the phone to come fetch you. Again, being shared office space does not make it not a real office - just means they don't want to spend a fortune leasing an entire floor of a building for eight people. There are multinationals occupying the same Regus office building as me, does the fact that they don't have their name plastered over the front door mean that those multinationals don't exist? According to you it does.

                • Zachary on 17/10/2020 - 18:44
                  -2

                  @[Deactivated]: Well if they said they have an office and there is nowhere that advertises their location when you actually go to their office location to check out ….

                  • [Deactivated] on 17/10/2020 - 20:19
                    +1

                    @Zachary: As ypu've been told, numerous times, they do have an office. It's in.a WeWork serviced office/co-working facility. The fact that their name isn't the only one on the sign (or even on the sign at all) doesn't change that. You're just making yourself look foolish at this point.

    • Ughhh on 26/09/2020 - 10:12
      +3

      Many on-shore business supposedly adhering to Aust laws have had data breach too?
      https://www.webberinsurance.com.au/data-breaches-list#twenty

      • jimbobaus on 26/09/2020 - 10:18
        +2

        I am certainly not saying that local company's are not immune.
        As someone who worked in Singapore for many years i can tell you Singapore data retention laws are very lax compared to here.
        While breaches happen, Singapore laws make them a lot easier becuase companies do not have to have the same level of protections that you need in Australia for example

    • Clear on 26/09/2020 - 15:09
      +1

      I was trying to work out who it was that had said it in previous deals but I knew you were bound to comment. Good stuff!

    • theg00s3 on 27/09/2020 - 22:18

      They're legally required to report to the OAIC (which they have) as SB Australia is technically HQed in Australia

  • TheOtherLeft on 26/09/2020 - 10:11
    +3

    Just sent a quick email to care@… to close my account.

    • bazingaa on 26/09/2020 - 10:59

      Did it work?

      • Zachary on 27/09/2020 - 23:41

        probably not since he hasnt replied back…

  • squaredonut on 26/09/2020 - 10:11

    On another note what do people here use in terms of for 2FA etc for sms? I want to disconnect away using my primary number for that.

    Do people simply buy a $30 phone and prepaid sim? What’s a good prepaid sim that has very long lasting credit?

    • S2 on 26/09/2020 - 10:46

      aldimobile have $15 pay as you go prepay with 365 day expiry.

    • TheMatrix on 26/09/2020 - 11:17

      A lot of services offer the option to use Authenticator app (eg Google Authenticator) for 2FA, rather than SMS. Facebook, Lastpass, Paypal, Dropbox etc use google authenticator.

    • tdw on 26/09/2020 - 15:01

      i use an old iphone 3gs and $10 amaysim PAYG that lasts 1 year. have had a few referrals to that number so amassed $30 credit. that'll keep the validation texts chugging along for a few years ;)

  • follow on 26/09/2020 - 10:13
    +5

    timing of the email reminds me of when Canva hid their notice in a marketing email.

  • squaredonut on 26/09/2020 - 10:22
    +7

    For people who are emailing them and “deleting” their accounts. All of their replies in their thread seem to more pointing to deactivating. If by any standard it’s likely to be setting the IsActive field on your record to false. Which is probably useless anyways.

    • Dealhunter967671 on 26/09/2020 - 10:23
      +4

      Interesting perspective. Perhaps the rep could clarify that point?

      @gotyourback - is there a way to DELETE rather than DEACTIVATE the accounts?

      • machej on 26/09/2020 - 14:07

        Probably best to replace your details with a junk email and mobile.

      • Store Repgotyourback @ ShopBack AU on 26/09/2020 - 14:24

        Yes, we can either "deactivate" or "delete" your account. Deactivation will stop any communications going to your account, whereas deletion requests will remove you from our systems permanently. Please reach out to [email protected] and our team will gladly help out.

        Please note that deletion requests will be processed by our system and is not immediate - should take around 48 hours.

        • db87 on 26/09/2020 - 14:35
          +2

          Are these being processed as we speak or will they need to wait until business opens Monday morning?

    • subywagon on 26/09/2020 - 10:37

      exactly what I thought. They are going to keep your records forever ever

      • [Deactivated] on 26/09/2020 - 14:00

        Claim you’re a EU Resident. Right to delete is a thing.

  • domo653q on 26/09/2020 - 10:22

    Withdrawal of money is taking ages……..

    • Store Repgotyourback @ ShopBack AU on 26/09/2020 - 11:05
      -1

      This incident does not affect customers using ShopBack in any way and you can continue to use ShopBack as per normal, including withdrawing. ShopBack transfers your Cashback straight to your bank or PayPal account; this typically takes 3-5 working days. On occasion, there could be delays due to inter-bank transfers or if your bank account details are incorrect / incomplete.

      You may refer to our Customer Support page here: https://support.shopback.com.au/hc/en-us/articles/3600396578…

      • db87 on 26/09/2020 - 11:49
        +1

        Good to see you can hit a generic reply to anything regarding your general services, yet genuine concern is met with silence.

        Pull your head in SB and give people the time and respect they deserve for investing in your model.

      • pe arl on 26/09/2020 - 12:02

        Rep, it'd be great if you could also address the legitimate question just above the one you just answered. With so many people feeling concerned after the serious breach, now's probably not the time to cherry-pick questions.

        • steven6 on 26/09/2020 - 12:11
          -6

          Could Daniel Andrews be the Shopback rep?

  • Gcquest on 26/09/2020 - 10:37

    Hi all,

    Just wondering if anyone has experience the same?
    For about the last 1 week for slightly longer I've been receiving spam SMSs at about a rate of 2 or 3 a day.
    Stuff like congrats you are the third winner or something around those lines.
    Wonder if this is related?

    Would appreciate your thoughts on this one.
    Cheers.

  • hexapling on 26/09/2020 - 10:43

    Seriously annoyed at this. 2 questions:

    1. Can I still withdraw money to my PayPal account safely?
    2. Should those of us who didn't add any bank account details be worried?
    • Store Repgotyourback @ ShopBack AU on 26/09/2020 - 11:07

      This incident does not affect customers using ShopBack in any way and you can continue to use ShopBack as per normal, including withdrawing. In cashing out to your PayPal account, we never collect nor store your PayPal passwords.

      • hexapling on 26/09/2020 - 11:19

        So is my current balance still safe and assured? I've changed my PP pwd and 2FA to be sure.

        • Store Repgotyourback @ ShopBack AU on 26/09/2020 - 11:22

          This incident has not affected your cashback balance in your ShopBack account. You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

          • db87 on 26/09/2020 - 11:50

            @gotyourback: Answer the bloody question!!!!!

            • djones145 on 26/09/2020 - 14:07
              +10

              @db87: This incident has not affected your cashback balance in your ShopBack account. You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

              • db87 on 26/09/2020 - 14:12

                @djones145: Parrot much? Or politician maybe? Or just forgot to hit the associated button?

                "Should those of us who didn't add any bank account details be worried?"

                "So is my current balance still safe and assured?"

                ….and multiple other questions throughout the thread that have been side stepped with the same generic response over and over again.

                • tdw on 26/09/2020 - 14:24
                  +5

                  @db87: djones was mocking the rep, not you.

                  • db87 on 26/09/2020 - 14:37
                    +1

                    @tdw: If so, I apologise. I have a serial negger and didn't read it that way.

                    Side note, quite comical how SB are dealing (or not) with this.

                    • tdw on 26/09/2020 - 15:15
                      -1

                      @db87: understandable. i know we're all rather upset with the situation. the copy pasta responses by the shopback rep certainly aren't helping.

            • djones145 on 28/09/2020 - 15:22

              @db87: just mocking the rep hehe

              his incident has not affected your ozbargain rep in your ozbargain account. You may continue to access your ozbargain account and use our services as business operations have not been affected by the incident.

  • b_sean on 26/09/2020 - 10:47

    Apart from closing account and reopening a new one - is there a way to stop from someone setting up Direct Debit. Will chase up with bank too but someone here knows then it will be helpful.

    TIA

    • evanjd on 26/09/2020 - 12:18

      It depends on the bank and what product you have with them. Someone else in this thread mentioned they were able to turn off direct debit on their account. I wasn't able to with ING.

      • UrMumsOnlyFan on 26/09/2020 - 12:47

        Neoika mentioned some examples of accounts that do not support direct debit, including the ING Savings Maximiser (page 22):-

        You cannot nominate your Savings Maximiser to be used for direct debit requests or periodic direct debit deposits for accounts at any other financial institution or organisation.

      • SBOB on 26/09/2020 - 14:20

        Mines linked to a ubank saver which doesn't allow direct debits

    • CalmLemons on 26/09/2020 - 18:22
      +2

      NO.

      If you haven't noticed, many businesses put their BSB and account details on the internet as you can't setup direct debit without a direct debit agreement AND you must be verified through the bank.

      In the extremely rare occurrence this happens, the funds would easily be retrieved.

      I think a lot of the people on here get spam calls, because a lot of people get spam calls anyway.

      This is why people should be using a different password for each site they visit.

  • GoldenPan on 26/09/2020 - 10:50
    +2

    Anyone here want to force Shopback into Arbitration?

    I've already closed by account from a long time ago. They have breached their privacy policies by retaining information on customers longer after the account has been closed. I've just sent a complaint to the OAIC.

    • db87 on 26/09/2020 - 11:52
      -1

      I'm not really concerned about the data TBH, other than it potentially affecting people's credit ratings somehwere down the line.

      I more appalled with their lack of transparency and constant generic replies on a subject that is anything but serious.

      Do tell, I'll happily shoot an email/complaint off where needed.

    • theg00s3 on 27/09/2020 - 22:20
      -2

      They've reported it themselves to the OAIC, so your complaint probably won't do much

  • No Username on 26/09/2020 - 10:56
    +2

    Not a ShopBack fan or anything. I've always used Cash Rewards but do have a Shop Back account.

    So far I've noticed no compromises to any of my accounts.
    No Spam from emails.
    No phishing attacks or phone calls.

    But I do have a Samsung with spam filtering on so it may be automatically dropping these calls.

    • bazingaa on 26/09/2020 - 11:03

      I found a scam sms in Spam folder from Aug 21st with my first name, I never had such spam sms before. Could it be related with this?

      • No Username on 26/09/2020 - 11:10
        +6

        Honestly It could be from anything. We sign up for many services and input our data into cheap gadgets and smart home devices. Most of the time these services wont tell their users that their data has been compromised. Also most of the time hackers want to be discreet as possible as to not alert the admin of the hack.

        Take Broadlink smart home devices for example. These devices have weak security and allows web crawlers to parse user data into a collective database.

        • Zachary on 27/09/2020 - 23:47

          Also most of the time hackers want to be discreet as possible as to not alert the admin of the hack.

          Well I guess they did a bad job here because shopback noticed the hack….

      • [Deactivated] on 27/09/2020 - 09:30
        +1

        That's more likely to be someone taking a photo of the COVID register at a cafe you went to. Ive been getting a lot of spam SMS messages spruiking crypto ever since having to fill in those stupid things.

        • bazingaa on 27/09/2020 - 12:09

          Never been to a cafe and filled a such form, we are still in the stage 4 lock down.

  • sparkanum on 26/09/2020 - 10:57

    I have an account but didn't receive the email. Was it only emailed to affected accounts? Or were SB sloppy on the email?

    • Store Repgotyourback @ ShopBack AU on 26/09/2020 - 11:15
      -3

      We communicated to all customers via an email titled [IMPORTANT] ShopBack Customer Notice at around 10pm AEST last night. Please reach out to us at [email protected] to verify.

      • watwatwat on 26/09/2020 - 21:33

        That email said you have no reason to believe that data was misused. This thread implies there is a lot of misuse of data happening right now and your customers are at risk. Why have you not sent a follow up email yet??????

    • kati on 27/09/2020 - 22:54

      I didn't receive the email either. I searched my email history, but nothing.
      Edit: my bad. Found the email. My mail is autoforwarded, needed to check the spam folder in the original email.

    • No Username on 26/09/2020 - 11:15
      +1

      What? Why would the Government need to hack the company. You already voluntarily give the government your personal data.

      • dsar on 26/09/2020 - 14:41
        +1

        THE GOVERNMENT GOT NOTHING ON ME. Except for my passport, driver's licence, TFN, medicare. BUT OTHER THAN THAT THE GOVERNMENT GOT NOTHING ON ME.

  • pe arl on 26/09/2020 - 11:56
    +12

    Just to be clear, closing our accounts now won't reverse any damage, right? Everyone's closing theirs because they can no longer trust their info with SB.
    @gotyourback can you please answer the questions above about whether closing an account actually deletes all account info or simply deactivates it. Your FAQs seem to suggest it is the latter, in which case it's pointless really.

    • nadan on 26/09/2020 - 12:14
      +3

      I highly doubt they will delete it from their DB, it will make them big dollars and they will in no way get rid of your details. Remember the case of the two guys running a business in the private health insurance sector that pocketed $2.4 Million dollars from selling their customer details.

  • soggypotato on 26/09/2020 - 12:05

    I am going to miss my phone number, but I have to change it due to incoming spam and privacy issues and I still have 9 months left on my boost account… I wonder if boost would do a data rollover.

    • Make it so on 26/09/2020 - 12:14
      +2

      Some stranger once submitted my number to some marketing scam. After a while the calls should abate. Just block and report as they come in.

      • Soluble on 26/09/2020 - 13:43
        -1

        I'm a few years into spam calls, when do they stop?

    • machej on 26/09/2020 - 13:49

      Have you tried signing up to donotcall.gov.au? It won't stop scammers but it may reduce spammy calls. Truecaller may help too.

      • soggypotato on 26/09/2020 - 14:53

        yea I registered for the do not call list a long time ago but still received little scam calls. However, to be safe I changed my phone number.

  • Make it so on 26/09/2020 - 12:09

    To date, we have no reason to believe that any of your personal data has been misused

    I guess their own phone number wasn't in their database.

  • nadan on 26/09/2020 - 12:12
    +1

    You may not get spammed immediately, it is only when your details are sold to other parties then you will get spammed, which can take months.
    I keep getting calls from stock brokers and financial advisors all the way from Russia, eastern Europe and God knows where on regular bases, because the muppets at Pepperstone had their demo servers hacked and my details stolen.

    • Zachary on 27/09/2020 - 23:50

      Who uses real data for a demo server?

      • hullohullo on 28/09/2020 - 11:56

        the muppets at Pepperstone

        • Zachary on 02/10/2020 - 18:31

          nice…

  • evanjd on 26/09/2020 - 12:13
    +2

    Called ING to check what damage a fraudster could do with the details that were potentially leaked, and they strongly advised closing my account and setting up a new one, as the details leaked could allow others to set up direct debits in my name. What a hassle!

    The bank's advice also directly contradicts Shopback's FAQ:

    While bank account numbers do not permit third parties direct access to your bank accounts…

    Boo hiss.

Login or Join to leave a comment
Login Join