ShopBack Data Breach

13 Nov 2020 (Update)

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

We want to reassure you that we have further enhanced our security measures since September; taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with Crowdstrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

We have also rolled out a self-deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves without the need to contact ShopBack. See this 'How To' link to self-delete your account. We can also continue to assist customers with deleting an account if this is their preference.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.

We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.


26 Sep 2020

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack


FAQs In This Post

How do I close my account?
See this 'How To' link.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request for a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed will not be able to be processed. You will not be able to cashout pending cashbacks after they become confirmed as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.
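The 13 Nov update says passwords are hashed with a per-user salt and that the stored hashes are now additionally protected with a separately stored 'pepper'. The following is an added illustration of that layering, not ShopBack's code: it assumes scrypt as the salted hash and HMAC-SHA256 keyed by the pepper as the extra step (the update says "encrypting", which could equally be a cipher keyed by the pepper), and shows why a leaked table without the pepper cannot be used to test password guesses offline.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters for the illustration: per-user random salt ->
# memory-hard KDF (scrypt) -> keyed with a pepper that lives outside the
# user database (environment variable, KMS or secret store).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash of the password (no pepper yet)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def pepper_wrap(digest: bytes, pepper: bytes) -> bytes:
    """Key the salted hash with the pepper (assumption: HMAC-SHA256 stands in
    for the 'encrypting' step named in the update)."""
    return hmac.new(pepper, digest, hashlib.sha256).digest()


def store_password(password: str, pepper: bytes) -> dict:
    """What goes into the user table: the salt and the peppered hash only."""
    salt = secrets.token_bytes(16)  # unique per account
    return {"salt": salt.hex(),
            "hash": pepper_wrap(derive(password, salt), pepper).hex()}


def verify_password(record: dict, candidate: str, pepper: bytes) -> bool:
    """Login-time check: needs the table record AND the pepper."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    got = pepper_wrap(derive(candidate, salt), pepper)
    return hmac.compare_digest(got, expected)  # constant-time comparison


def offline_guess_without_pepper(record: dict, candidate: str) -> bool:
    """What someone holding only the leaked table can do: compute the salted
    hash and compare it to the stored value. Without the pepper it never
    matches, even for the correct password."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(derive(candidate, salt),
                               bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed: in practice the pepper is fetched from a secret store, not
    # kept next to the database.
    env = os.environ.get("PEPPER_HEX")
    pepper = bytes.fromhex(env) if env else secrets.token_bytes(32)
    rec = store_password("correct horse battery staple", pepper)
    print(verify_password(rec, "correct horse battery staple", pepper))      # True
    print(verify_password(rec, "wrong password", pepper))                     # False
    print(offline_guess_without_pepper(rec, "correct horse battery staple")) # False
```

Rotating the pepper means re-wrapping every stored hash, so it is only practical because the pepper is applied after the salted hash rather than mixed into the salt.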


Comments

    • +5 votes

      Surely these reports are just to cover the banks behind.

      Other than monitoring your account and having 2fa, you should be on top of outgoings if you're diligent with your accounts.

      Then the rest is on the banks to insure your money.

      •  

        Sure, but if the risk of fraud is real/non-trivial, I'd rather preempt it than react to it.

        • +2 votes

          Oh of course, cover your arse. My point is that we're no more vulnerable than we already are with every other service we utilise.

    •  

      My bank (Westpac) advised the same.

      • +3 votes

        My bank advised me of the risk of direct debit requests, but they can cancel, reverse and block it the next day - and that particular company who requested would be blocked going forward.

        Minimal risk - but they have flagged and reported on their systems for me.

        •  

          Only if you check the transactions on your account every day, which is not something I normally do. So they advised me to get a new account number.

          • +2 votes

            @nosrad: I get paid weekly and zero the credit card(s) at least twice a week.

            I usually browse through expenses at this time. I think my weekly pay lent to me taking this approach but it's definitely helped keep track of finances without micro managing our finances too much.

            If you have a rough idea of expenses, any odd "purchases" usually stand out pretty quickly if you're not a regular material spender. Even then, I usually know when my wife or I have bought something out of the ordinary.

            •  

              @db87: Good advice. However, the difficulty is not to spot odd purchases. These purchases need to be spotted very quickly for the bank to be able to stop it in time. I normally only check my transaction account once every 1-2 weeks, and by the time I spot any odd transactions, some 7 days might have already passed, and the bank won't be able to stop the transaction any more.

            •  

              @db87:

              zero the credit card(s) at least twice a week.

              Why?
              That defeats the purpose of a credit card

          •  

            @nosrad: I have my bank details on SB, it's not my main bank and usually only have under $10 balance so I'm not worried. Also the bank sends me app notifications for every withdrawal and deposit on the account, I would know of any unauthorised transaction on it straight away and call the bank to have the direct debit reversed if it happens.

            • +1 vote

              @Edeena: Yeah, Commbank (I assume) is amazing with a notification for every transaction. Unfortunately, Westpac does not offer a similar feature :(

            •  

              @Edeena: Yeah, people should always set up a special account for online use, or multiple accounts for specific purposes.

              There are so many free accounts out there, ING, Citi, NAB, HSBC etc etc etc, and with osko you can easily move money around as needed, and transfer in right before you make a purchase.

            •  

              @Edeena: This. I forgot about the notifications but I also have this enabled on my account.

              You may not stop them but my main point is that your funds are insured anyway. The banks don't require much information to prove that they weren't authorised by you and the turn around is usually pretty quick to get your funds back.

              I can appreciate this isn't ideal for people with limited funds, but it's a problem I've yet to encounter even when finances have been tight.

          •  

            @nosrad: i check daily all the bank and credit card accounts i use, sometimes a few times a day if i'm waiting on a payment. mainly to cross-check with what i've got in spreadsheets. but also i find that regularly logging in means i won't forget my login details.

    •  

      I phoned up Bankwest, and she was adamant there is absolutely nothing they can do with just my bank account number except deposit into it. I asked about direct debit, but she said there would have to be a form signed for that.

      I dunno, I thought people can just provide an account number to an ISP or whatever, but she seemed pretty confident.

      • +1 vote

        It might depend on the merchant? I just checked Optus and there's nothing stopping me from entering any BSB or account number into their form:

        https://imgur.com/gWqnS5T

        • +2 votes

          The merchant will then be (profanity) if they are caught not doing the paperwork.

          Think of it as a credit card terminal, except only the merchant can authorise the charge and no one else to blame, they can't just go xyz gave us a fake card and we didn't know!

          In the case of Optus, look at that tick box, that's where it puts the blame/responsibility on to you, and because you have an account with them they know who you are.

          •  

            @annarchon:

            In the case of Optus, look at that tick box, that's where it puts the blame/responsibility on to you

            Thanks, that's a good point. I had to supply all sorts of ID to open the account, so it makes sense that setting up direct debit would be simpler since any fraud could easily be traced to me.

        •  

          same with PayPal - they can debit straight using your bank account details

          • +1 vote

            @skido: Did that change? Paypal made a few small transactions into my account and had me verify the amount of each transaction before I can use the account for direct debits.

            •  

              @evanjd: don't think so, it's always been like this.. I'm able to make payments using my bank details anytime after initial verification.

              • +1 vote

                @skido: No, I mean the ability to direct debit accounts without verification. The verification I went through for Paypal would've thwarted any abuse.

                •  

                  @evanjd: then I'm not too sure. though as you pointed out before, if Optus can do it with a simple tick box as "verification", then other merchants can probably also do that?

                  • +1 vote

                    @skido: They only have that because they know who the phone account holder / the benefactor of the payment is. If the bank account holder reverses the direct debit, Optus can just go after the phone account holder, the bank account holder gets their money back, and the phone account holder gets screwed because they used a fake account for their payment.

                    PayPal is vastly more complicated, and thus requires more verification.

                •  

                  @evanjd: Yep, you're right but some companies like Latitude Financial don't do this so I think PayPal does it as a safeguard.

            •  

              @evanjd: No it didn't change. You need to verify your account before they can link it. Banks now also alert you when paypal does so to prevent fraud.

              E.g., when I linked a savings account to Paypal, my bank sent me notifications asking whether I'm trying to link up a Paypal account.

  • -1 vote

    Lmao you screwed up multiple posts.

  •  

    Just uninstalled, (ノ`⌒´)ノ┫:・┻┻ the service was nothing I ever expected.

  • +1 vote

    Unfortunately for SB, lots of people have lots of time so will put more effort into trying to unlock the achievement of closing them down.

  • +9 votes

    No mention of this breach on the front page of your website, rep? Flapping slack.

    • +9 votes

      Exactly what I thought too. There should be a great big banner across https://www.shopback.com.au/ saying "Data breach notification", which if you click on it gives the disclosure notification. Same for the app - if you can send app notifications for deals or specials, you can certainly send a notification of a major data breach of your customers' information. Not doing this speaks to wanting to obscure or hide the issue, just as sending out the email a week after the fact at 10 PM on a Friday night does, and all these actions/lack-of-action are disrespectful to your customers and show a failure to take this issue seriously.

  • +1 vote

    I signed in/up with Facebook and have never given them my phone number/details other than name and email.

    What do they have on me?

    •  

      Apart from your email addresses (or alternative login IDs) and limited transactional information ShopBack does not require you to provide information to us that is not related to our specific services or campaigns. As a result, we do not have additional data that you had not provided directly to us. Types of data that you may have provided to us could include your:

      • Name
      • Contact information
      • Gender
      • Date of birth
      • Bank account numbers (for customers who withdraw to their bank accounts)

      While bank account numbers do not permit third parties direct access to your bank accounts, users who have provided us with their bank account numbers should be watchful for potential phishing attacks.

      Please reach out to [email protected] and we can confirm what information we have from you.

      •  

        Direct question: If someone signed up via Facebook, and had the real DOB in Facebook, do you know their real DOB? Because if yes, then presumably the hackers have that too now.

        •  

          Hi, we do not extract DOB from Facebook.

  •  

    I had a suspicious transaction on a debit card I rarely use 2 days ago, I don't believe ShopBack ever would have gotten hold of this particular card but it seems with lockdowns there are more hackers and scammers out there.

    • +2 votes

      ShopBack doesn’t have access to the payment gateway.

  • +16 votes

    Ha, I e-mailed shopback asking them to close + delete my details, they replied with:

    Upon receiving updates from our relevant team, your request to delete your data in our system has been approved.

    That said, your ShopBack account along with all your information has been successfully deleted

    But I can still login! All my details are still there! Ugh.

    • +9 votes

      Wow. slow clap

      What a joke of a company.

      I'm not concerned about my data or my finances. I generally weather spam calls and emails well and just flag them as they come and my accounts have been fine the whole time.

      It's just a massive cop-out that SB can do a PSA and then completely disregard any further incoming mail. I wouldn't be surprised if their response wasn't auto-generated like the rest of their generic replies in this thread.

    •  

      Our systems are processing the requests, please allow us some time for this to happen.

      • +7 votes

        That's fine, but can I suggest you say that instead of "all your information has been successfully deleted" when responding to deletion requests?

        •  

          Can you still login or account now deleted ?

          •  

            @bazingaa: Just checked, my account's now inactive.

  • +1 vote

    Had account for 2 years, $700+ in account. Went to check my personal details, and there was nothing there, other than an unverified email, probably due to never withdrawing money.

    • +1 vote

      they expire after a year. suggest you withdraw immediately after cashback confirmed

      • -1 vote

        What expires after a year? Personal details?

    • +10 votes

      Why would you let $700 sit in the account? If they go broke the money is gone

      • -3 votes

        Bonus money anyway.

        • +7 votes

          Money is money

        • +5 votes

          It isn't really bonus money if you only bought something because of the cashback making it cheaper

          •  

            @Quantumcat: Totally get that and agree, I guess more throw away line. I trust that it will be there when I want it. So far so good!

    • +1 vote

      And you may lose it if/when SB shuts down.

  • +1 vote

    This is exactly why I always fake my personal details when signing up to casual sites online.

    • +4 votes

      Well I wasn’t comfortable providing my real name to SB but I thought they needed to cross-check the bank account name when it comes to cash out time. It’s too late but I wish I had used PayPal instead.

      • -1 vote

        How do I use PP instead?

        •  

          Use PP to cashout. Too late as I chose to use a bank account.

          •  

            @FrugalNotStingy: Cheers, any fees from PP to Bank you know of?

            • +1 vote

              @capslock janitor: Nah, no fees charged when you transfer the funds from your PP balance to the bank account that you linked to your PP account.

              • -1 vote

                @FrugalNotStingy: I'm confused with the "Paypal eWallet Transfer" -> "Add an e-Wallet"

                what's "Paypal Account name"??

                Never done it before so excuse me.

                •  

                  @capslock janitor: PayPal account name is the account name of your PayPal. Which is the email you use to associate with your PayPal account.

  • +1 vote

    So, do I have to worry about cashrewards as well?

    •  

      Cashrewards haven’t been hacked but if you use the same password for cashrewards as you do for shopback then you should change them.

      • +4 votes

        Cashrewards haven’t been hacked

        Yet…

        • +2 votes

          That we know of ;)

        • -8 votes

          If you look closely at how Cashrewards operates and communicates, you will notice a distinct difference with Shopback. Cashrewards has its affairs in order - I'm not remotely worried.

          • +1 vote

            @Make it so: I bet no one WAS worried about SB either otherwise they would not have been using it.

          • +1 vote

            @Make it so: Yeah, i never thought Intel would get hacked too

      •  

        Would think 95% of the people on this site do that lol.

  • -2 votes

    How do I reset my password? Both the app and website are so user unfriendly

    • +7 votes

      It's fairly easy - I don't think it's confusing at all.

      Website -> Login -> Move cursor over profile tab in the top right corner (where it shows cashback amount) -> Click 'Account Information' in drop-down menu -> Click 'Update Password' on left hand side menu.

      OR

      App -> Account (on the right side at the bottom) -> Scroll down to 'Account Settings' -> Click 'Update Password' [I don't think it can get any simpler or more obvious]

      You need to update password at any one place obviously as both (website and app) use the same password.

  • +1 vote

    Have emailed to terminate my account

  • +6 votes

    https://haveibeenpwned.com/

    I'm currently on 7 data breaches. I imagine this will be number 8.

    I wonder if I get a bonus or prize on my 10th one?

    •  

      Mine…

      Oh no — pwned!
      Pwned on 15 breached sites and found 4 pastes (subscribe to search sensitive breaches)

      •  

        Which site?

        Is Woolworths gift card one of those?

    •  

      my email didn't show up on that despite having an acc with SB

      • +3 votes

        SB ain’t on there yet

        • -2 votes

          when will

          • +1 vote

            @capslock janitor: When Troy Hunt & Co. learn of this breach and have access to the leaked data.

            •  

              @FrugalNotStingy: They're aware of the breach but I believe that's the extent

              •  

                @Last Seen: I bought a copy of the SB DB just to check if Troy Hunt was in there…

                •  

                  @sqeeksqeek: I wonder if he's a member of ozbargain…

                  •  

                    @Last Seen: Nekminnit: email from OZB with subject prefixed with [Important] sent at 10PM AEST on a Friday…

                    • +1 vote

                      @sqeeksqeek: It would be terrible if our referral codes were leaked! :P

                      •  

                        @Last Seen: Yeah I’m reasonably sure there’s actually lots of metadata they’re collecting based on something that’s happened with my account.

    • +1 vote

      Exactly why I've been saying this is unlikely to be a big deal.

      The amount of panic is incredibly bizarre - I thought most users here would be at least vaguely tech savvy so be familiar with this being commonplace!

  •  

    So what was stolen then I should close my account for? Surely a change of password and all is well.

    •  

      Please reach out to [email protected] and our team will gladly help out with this.

      As a further security measure, we still encourage you to reset your password via https://www.shopback.com.au/forgot?b=1 and to further protect your account by adding your mobile number if you have not already done so.

      •  

        So exactly what personal data has been exposed in the hack?

      • +3 votes

        ADDING your mobile… not removing it? Oh dear. Not a good request for a company with a data breach.

  • +1 vote

    I have been receiving calls from +00000 since yesterday. I never received anything similar before.

    WTF!!

    • +1 vote

      There has been a huge surge of hacks and spam calls since the whole world is in lockdown and scammers are trying to take advantage of people.

      I've actually had no spam calls recently lol.

  • +2 votes

    Want to close my account but still have $220 in pending earnings, huge PITA

    • +1 vote

      If you become the victim of an identity takeover, that PITA $220 will be the least of your worries. 😦

      • +6 votes

        The horse has bolted, closing the account won't change the data that's already in the attacker's hands.

  • +8 votes

    Why would you notify customers of this on a Friday night.. wtf are you playing at?? And set up a button in the account settings to let people close their account.