ShopBack Data Breach

Store Repgotyourback @ ShopBack AU on 25/09/2020 - 22:13
Last edited 25/04/2021 - 18:37 by 4 other users

13 Nov 2020 (Update)

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

We want to reassure you that we have further enhanced our security measures since September; taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with Crowdstrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

We have also rolled out a self deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves without the need to contact ShopBack. See this how to link to self delete your account. We can also continue to assist customers with deleting an account if this is their preference.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.

We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.

26 Sep 2020

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack

FAQs In This Post

How do I close my account?
See this 'How To' link.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request for a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed will not be able to be processed. You will not be able to cashout pending cashbacks after they become confirmed as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.

General Discussion

Related Stores

ShopBack AU
ShopBack AU
Third-Party

Comments

    • db87 on 26/09/2020 - 12:42
      +5

      Surely these reports are just to cover the banks behind.

      Other than monitoring your account and having 2fa, you should be on top of outgoings if you're diligent with your accounts.

      Then the rest is on the banks to insure your money.

      • evanjd on 26/09/2020 - 12:51

        Sure, but if the risk of fraud is real/non-trivial, I'd rather preempt it then react to it.

        • db87 on 26/09/2020 - 13:40
          +2

          Oh of course, cover your arse. My point is that we're no more vulnerable than we already are with every other service we utilise.

    • nosrad on 26/09/2020 - 12:47

      My bank (Westpac) advised the same.

      • Dealhunter967671 on 26/09/2020 - 13:27
        +3

        My bank advised me of the risk of direct debit requests, but they can cancel, reverse and block it the next day - and that particular company who requested would be blocked going forward.

        Minimal risk - but they have flagged and reported on their systems for me.

        • nosrad on 26/09/2020 - 13:30

          Only if you check the transactions on your account every day, which is not something I normally do. So they advised me to get a new account number.

          • db87 on 26/09/2020 - 13:42
            +2

            @nosrad: I get paid weekly and zero the credit card(s) at least twice a week.

            I usually browse through expenses at this time. I think my weekly pay lent to me taking this approach but it's definitely helped keep track of finances without micro managing our finances too much.

            If you have a rough idea of expenses, any odd "purchases" usually stand out pretty quickly if you're not a regular material spender. Even then, I usually know when my wife or I have bought something out of the ordinary.

            • nosrad on 26/09/2020 - 13:47

              @db87: Good advice. However, the difficulty is not to spot odd purchases. These purchases need to be spotted very quickly for the bank to be able to stop it in time. I normally only check my transaction account once every 1-2 weeks, and by the time I spot any odd transactions, some 7 days might have already passed, and the bank won't be able to stop the transaction any more.

            • spaceflight on 28/09/2020 - 09:28

              @db87:

              zero the credit card(s) at least twice a week.

              Why?
              That defeats the purpose of a credit card

          • Edeena on 26/09/2020 - 14:00

            @nosrad: I have my bank details on SB, it's not my main bank and usually only have under $10 balance so I'm not worried. Also the bank sends me app notifications for every withdrawal and deposit on the account, I would know of any unauthorised transaction on it straight away and call the bank to have the direct debit reverse if it happens.

            • nosrad on 26/09/2020 - 14:02
              +1

              @Edeena: Yeah, Commbank (I assume) is amazing with a notification for every transaction. Unfortunately, Westpac does not offer a similar feature :(

            • annarchon on 26/09/2020 - 14:05

              @Edeena: Yeah, people should always set up a special account for online use, or multiple accounts for specific purposes.

              There are so many free accounts out there, ING, Citi, NAB, HSBC etc etc etc, and with osko you can easily move money around as needed, and transfer in right before you make a purchase.

            • db87 on 26/09/2020 - 14:16

              @Edeena: This. I forgot about the notifications but I also have this enabled on my account.

              You may not stop them but my main point is that your funds are insured anyway. The banks don't require much information to prove that they weren't authorised by you and the turn around is usually pretty quick to get your funds back.

              I can appreciate this isn't ideal for people with limited funds, but it's a problem I've yet to encounter even when finances have been tight.

          • tdw on 26/09/2020 - 15:11

            @nosrad: i check daily all the bank and credit card accounts i use, sometimes a few times a day if i'm waiting on a payment. mainly to cross-check with what i've got in spreadsheets. but also i find that regularly logging in means i won't forget my login details.

    • Make it so on 26/09/2020 - 12:56

      I phoned up Bankwest, and she was adamant there is absolutely nothing they can do with just my bank account number except deposit into it. I asked about direct debit, but she said there would have to be a form signed for that.

      I dunno, I thought people can just provide an account number to an ISP or whatever, but she seemed pretty confident.

      • evanjd on 26/09/2020 - 13:05
        +1

        It might depend on the merchant? I just checked Optus and there's nothing stopping me from entering any BSB or account number into their form:

        https://imgur.com/gWqnS5T

        • annarchon on 26/09/2020 - 13:33
          +2

          The merchant will then be (profanity) if they are caught not doing the paperwork.

          Think of it as a credit card terminal, except only the merchant can authorise the charge and no one else to blame, they can't just go xyz gave us a fake card and we didn't know!

          In the case of optus, look at that tick box, thats where it puts the blame/responsibility on to you, and because you have an account with them they know who you are.

          • evanjd on 26/09/2020 - 13:56

            @annarchon:

            In the case of optus, look at that tick box, thats where it puts the blame/responsibility on to you

            Thanks, that's a good point. I had to supply all sorts of ID to open the account, so it makes sense that setting up direct debit would be simpler since any fraud could easily be traced to me.

        • skido on 26/09/2020 - 13:52

          same with PayPal - they can debit straight using your bank account details

          • evanjd on 26/09/2020 - 13:53
            +1

            @skido: Did that change? Paypal made a few small transactions into my account and had me verify the amount of each transaction before I can use the account for direct debits.

            • skido on 26/09/2020 - 13:57

              @evanjd: don't think so, it's always been like this.. I'm able to make payments using my bank details anytime after initial verification.

              • evanjd on 26/09/2020 - 13:58
                +1

                @skido: No, I mean the ability to direct debit accounts without verification. The verification I went through for Paypal would've thwarted any abuse.

                • skido on 26/09/2020 - 14:02

                  @evanjd: then I'm not too sure. though as you pointed out before, if Optus can do it with a simple tick box as "verification", then other merchants can probably also do that?

                  • annarchon on 26/09/2020 - 14:15
                    +1

                    @skido: They only have that because they know who the phone account holder / the benefactor of the payment is. If the bank account holder reverses the direct debit, Optus can just go after the phone account holder, bank holder get their money back, phone holder gets screwed because they used a fake account for their payment.

                    Paypal is vastly more complicated, and thus require more verification.

                • machej on 26/09/2020 - 14:12

                  @evanjd: @evanjd Yep, you're right but some companies like Lattitude Financial don't do this so I think PayPal does it as a safeguard.

            • CalmLemons on 26/09/2020 - 18:24

              @evanjd: No it didn't change. You need to verify your account before they can link it. Banks now also alert you when paypal does so to prevent fraud.

              E.g., when I linked a savings account to Paypal, my bank sent me notifications asking whether I'm trying to link up a Paypal account.

  • Jugganautx on 26/09/2020 - 12:21
    -1

    Lmao you screwed up multiple posts.

  • [Deactivated] on 26/09/2020 - 12:22

    Just uninstalled, (ノ`⌒´)ノ┫:・┻┻ the service was nothing I ever expected.

  • Heaps for Cheaps on 26/09/2020 - 12:26
    +1

    Unfortunately for SB, lots of people have lots of time so will put more effort into trying to unlock the achievement of closing them down.

  • PinzVidz on 26/09/2020 - 12:28
    +9

    No mention of this breach on the front page of your website, rep? Flapping slack.

    • nickj on 26/09/2020 - 14:38
      +9

      Exactly what I thought too. There should be a great big banner across https://www.shopback.com.au/ saying "Data breach notification", which if you click on it gives the disclosure notification. Same for the app - if you can send app notifications for deals or specials, you can certainly send a notification of a major data breach of your customer's information. Not doing this speaks to wanting to obscure or hide to issue, just as sending out the email a week after the fact at 10 PM on a Friday night does, and all these actions/lack-of-action are disrespectful to your customers and show a failure to take this issue seriously.

  • Jolakot on 26/09/2020 - 12:33
    +1

    I signed in/up with Facebook and have never given them my phone number/details other than name and email.

    What do they have on me?

    • Store Repgotyourback @ ShopBack AU on 26/09/2020 - 13:23

      Apart from your email addresses (or alternative login IDs) and limited transactional information ShopBack does not require you to provide information to us that is not related to our specific services or campaigns. As a result, we do not have additional data that you had not provided directly to us. Types of data that you may have provided to us could include your:

      • Name
      • Contact information
      • Gender
      • Date of birth
      • Bank account numbers (for customers who withdraw to their bank accounts)

      While bank account numbers do not permit third parties direct access to your bank accounts, users who have provided us with their bank account numbers should be watchful for potential phishing attacks.

      Please reach out to [email protected] and we can confirm what information we have from you.

      • nickj on 26/09/2020 - 14:41

        Direct question: If someone signed up via Facebook, and had the real DOB in Facebook, do you know their real DOB? Because if yes, then presumably the hackers have that too now.

        • Store Repgotyourback @ ShopBack AU on 26/09/2020 - 15:06

          Hi, we do not extract DOB from Facebook.

  • yacman on 26/09/2020 - 12:40

    I had a suspicious transcation on a debit card I rarely use 2 days ago, I don't belive shopback ever would have gotten hold of this particular card but it seems with lockdowns there are more hackers and scammers out there.

    • whooah1979 on 26/09/2020 - 12:44
      +2

      ShopBack doesn’t have access to the payment gateway.

  • evanjd on 26/09/2020 - 12:45
    +16

    Ha, I e-mailed shopback asking them to close + delete my details, they replied with:

    Upon receiving updates from our relevant team, your request to delete your data in our system has been approved.

    That said, your ShopBack account along with all your information has been successfully deleted

    But I can still login! All my details are still there! Ugh.

    • db87 on 26/09/2020 - 12:47
      +9

      Wow. slow clap

      What a joke of a company.

      I'm not concerned about my data or my finances. I generally weather spam calls and emails well and just flag them as they come and my accounts have been fine the whole time.

      It's just a massive cop-out that SB can do a PSA and then completely disregard any further incoming mail. I wouldn't be surprised if their response wasn't auto-generated like the rest of their generic replies in this thread.

    • Store Repgotyourback @ ShopBack AU on 26/09/2020 - 14:19

      Our systems are processing the requests, please allow us some time for this to happen.

      • evanjd on 26/09/2020 - 14:38
        +7

        That's fine, but can I suggest you say that instead of "all your information has been successfully deleted" when responding to deletion requests?

        • bazingaa on 26/09/2020 - 22:01

          Can you still login or account now deleted ?

          • evanjd on 27/09/2020 - 14:12

            @bazingaa: Just checked, my account's now inactive.

  • nepalesesquirrel on 26/09/2020 - 12:59
    +1

    Had account for 2 years, $700+ in account. Went to check my personal details, and there was nothing there, other than an unverified email, probably due to never withdrawing money.

    • skido on 26/09/2020 - 13:18
      +1

      they expire after a year. suggest you withdraw immediately after cashback confirmed

    • nexus4 on 26/09/2020 - 13:19
      +10

      Why would you let $700 sit in the account? If they go broke the money is gone

      • nepalesesquirrel on 26/09/2020 - 13:23
        -3

        Bonus money anyway.

        • nexus4 on 26/09/2020 - 13:40
          +7

          Money is money

        • Quantumcat on 26/09/2020 - 13:48
          +5

          It isn't really bonus money if you only bought something because of the cashback making it cheaper

          • nepalesesquirrel on 26/09/2020 - 13:55

            @Quantumcat: Totally get that and agree, I guess more throw away line. I trust that it will be there when I want it. So far so good!

    • nosrad on 26/09/2020 - 13:19
      +1

      And you may lose it if/when SB shuts down.

  • justwii on 26/09/2020 - 13:11
    +1

    The is exactly why I always fake my personal details when signing up casual sites online.

    • FrugalNotStingy on 26/09/2020 - 14:05
      +4

      Well I wasn’t comfortable to provide my real name to SB but I thought they needed to cross check bank account name when it’s comes to cash out time. It’s too late but I wish I used PayPal instead.

      • capslock janitor on 26/09/2020 - 19:49
        -1

        How do use PP instead?

        • FrugalNotStingy on 26/09/2020 - 19:56

          Use PP to cashout. Too late as I chose to use a bank account.

          • capslock janitor on 26/09/2020 - 22:43

            @FrugalNotStingy: Cheers, any fees from PP to Bank you know of?

            • FrugalNotStingy on 27/09/2020 - 12:54
              +1

              @capslock janitor: Nah, no fees charged when you transfer the funds from your PP balance to the bank account that you linked to your PP account.

              • capslock janitor on 27/09/2020 - 15:07
                -1

                @FrugalNotStingy: I'm confused with the 'Paypal eWallet Transfer" -> "Add an e-Wallet"

                what's "Paypal Account name"??

                Never done it before so excuse me.

                • FrugalNotStingy on 27/09/2020 - 16:53

                  @capslock janitor: PayPal account name is the account name of your PayPal. Which is the email you use to associate with your PayPal account.

  • limucat on 26/09/2020 - 13:39
    +1

    So, do I have to worry about cashrewards as well?

    • WoodYouLikeSomeCash on 26/09/2020 - 13:47

      Cashrewards haven’t been hacked but if you use the same password for cashrewards as you do for shopback then you should change them.

      • [Deactivated] on 26/09/2020 - 14:00
        +4

        Cashrewards haven’t been hacked

        Yet…

        • tessel on 26/09/2020 - 14:45
          +2

          That we know of ;)

        • Make it so on 26/09/2020 - 14:48
          -8

          If you look closely at how Cashrewards operates and communicates, you will notice a distinct difference with Shopback. Cashrewards has its affairs in order - I'm not remotely worried.

          • reactor-au on 26/09/2020 - 17:23
            +1

            @Make it so: I bet no one WAS worried about SB either otherwise they would not have been using it.

          • dcep on 26/09/2020 - 17:31
            +1

            @Make it so: Yeah, i never thought Intel would get hacked too

      • CalmLemons on 26/09/2020 - 18:26

        Would think 95% of the people on this site do that lol.

  • ironworthy on 26/09/2020 - 13:44
    -2

    How do I reset password. both the app and website are so user unfriendly

    • virhlpool on 26/09/2020 - 14:13
      +7

      It's fairly easy - I don't think it's confusing at all.

      Website -> Login -> Move cursor over profile tab in the top right corner (where it shows cashback amount) -> Click 'Account Information' in drop-down menu -> Click 'Update Password' on left hand side menu.

      OR

      App -> Account (on the right side at the bottom) -> Scroll down to 'Account Settings' -> Click 'Update Password' [I don't think it can get any simpler or more obvious]

      You need to update password at any one place obviously as both (website and app) use the same password.

  • sim777 on 26/09/2020 - 15:17
    +1

    Have emailed to terminate my account

  • happydude on 26/09/2020 - 15:18
    +6

    https://haveibeenpwned.com/

    I'm currently on 7 data breaches. I imagine this will be number 8.

    I wonder if I get a bonus or prize on my 10th one?

    • CyberMurning on 26/09/2020 - 15:30

      Mine…

      Oh no — pwned!
      Pwned on 15 breached sites and found 4 pastes (subscribe to search sensitive breaches)

      • SnoozeAndLose on 26/09/2020 - 18:56

        Which site?

        Is Woolworths gift card one of those?

    • Unorthodox on 26/09/2020 - 18:33

      my email didnt show up on that despite having an acc with SB

      • happydude on 26/09/2020 - 18:34
        +3

        SB ain’t on there yet

        • capslock janitor on 26/09/2020 - 19:50
          -2

          when will

          • FrugalNotStingy on 26/09/2020 - 20:02
            +1

            @capslock janitor: When Troy Hunt & Co. learn of this breach and have access to the leaked data.

            • Last Seen on 26/09/2020 - 21:44

              @FrugalNotStingy: They're aware of the breach but I believe that's the extent

              • [Deactivated] on 26/09/2020 - 22:37

                @Last Seen: I bought a copy of the SB DB just to check if Troy Hunt was in there…

                • Last Seen on 27/09/2020 - 07:59

                  @[Deactivated]: I wonder if he's a member of ozbargain…

                  • [Deactivated] on 27/09/2020 - 08:27

                    @Last Seen: Nekminnit: email from OZB with subject prefixed with [Important] sent at 10PM AEST on a Friday…

                    • Last Seen on 27/09/2020 - 11:10
                      +1

                      @[Deactivated]: It would be terrible if our referral codes were leaked! :P

                      • [Deactivated] on 27/09/2020 - 12:19

                        @Last Seen: Yeah I’m reasonably sure there’s actually lots of metadata they’re collecting based on some thing that’s happened with my account.

    • callum9999 on 26/09/2020 - 19:30
      +1

      Exactly why I've been saying this is unlikely to be a big deal.

      The amount of panic is incredibly bizarre - I thought most users here would be at least vaguely tech savvy so be familiar with this being commonplace!

  • Buddy195 on 26/09/2020 - 15:37

    So what was stolen then I should close my account for? Surely a change of password and all is well.

    • Store Repgotyourback @ ShopBack AU on 26/09/2020 - 15:52

      Please reach out to [email protected] and our team will gladly help out with this.

      As a further security measure, we still encourage you to reset your password via https://www.shopback.com.au/forgot?b=1 ) and to further protect your account by adding your mobile number if you have not already done so.

      • cheaponos on 26/09/2020 - 20:52

        So exactly what personal data has been exposed in the hack?

      • haemolysis on 26/09/2020 - 21:01
        +3

        ADDING your mobile… not removing it? Oh dear. Not a good request for a company with a data breach.

  • Ash-Say on 26/09/2020 - 15:41
    +1

    I have been receiving call from +00000 since yesterday. I never received anything similar before.

    WTF!!

    • CalmLemons on 26/09/2020 - 18:26
      +1

      There has been a huge surge of hacks and spam calls since the whole world is in lockdown and scammers are trying to take advantage of people.

      I've actually had no spam calls recently lol.

  • Ononono on 26/09/2020 - 15:55
    +2

    Want to close my account but still have $220 in pending earnings, huge PITA

    • [Deactivated] on 26/09/2020 - 18:10
      +1

      If you become the victim of an identity takeover, that PITA $220 will be the least of your worries. 😦

      • lbft on 26/09/2020 - 19:36
        +6

        The horse has bolted, closing the account won't change the data that's already in the attacker's hands.

  • chriise on 26/09/2020 - 16:14
    +8

    Why would you notify customers of this on a Friday night.. wtf are you playing at?? And set up a button in the account settings to let people close their account.

Login or Join to leave a comment
Login Join