ShopBack Data Breach

13 Nov 2020 (Update)

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

We want to reassure you that we have further enhanced our security measures since September, taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with CrowdStrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

We have also rolled out a self-deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves without the need to contact ShopBack. See this 'How To' link to self-delete your account. We can also continue to assist customers with deleting an account if this is their preference.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.

We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.


26 Sep 2020

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack


FAQs In This Post

How do I close my account?
See this 'How To' link.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request for a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed will not be able to be processed. You will not be able to cashout pending cashbacks after they become confirmed as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.


Comments

  • +1

    Every time you spend $2 including delivery, guess what else you're 'paying' those sellers with.

  • +3

    Damn guys, this sucks. The company's response seems like they have no clue how deep this breach was.

    For anyone who isn't a SB user, this is a true sigh of relief and a grabs popcorn moment.

    • +1

      Which is exactly what you'd expect, and is exactly what happens in every data breach that gets announced.

      It's a whole lot more complicated than just looking at a log to see what happened.

  • +16

    Part 1: This is what normally happens. People allow backdoors to their databases to do migrations and analysis (some sort of API that would allow a specific group of users to download the whole database/users table as a file). Those doors have to be closed immediately after use. But sysadmins become lazy and forget to remove those APIs. Now an intern joins the team with a pirated Photoshop application which already has malware in it. The junior's activity is logged to the hacker's server and the hacker is alerted when a username/password combination is detected.

    Part 2: How it is found. Admins monitor login activities at a scheduled time and review login activities and data transfer size. They notice an unscheduled activity, trace back the IP and report this to management. (Or sometimes hackers contact the affected company to negotiate a deal. When the asked price is higher than the company valuation, the company decides to tell the users.)

    Part 3: What happens at the hackers. Hackers (most probably Asian, sometimes East Europeans) sell the data on the Dark Web for a very cheap price. More hackers and others buy them.

    The password hashes are fed into server farms, where random passwords generated using other details gained from your account are hashed and compared. Once they find a match it is sold back at a higher price.

    Your emails are used by phishing scammers, marketers etc.

    Your DOB and Address will be used by another hacker to steal your identity. Your bank account details will be used when there is a chance to get a subscription.

    This has happened to Uber, Canva and many other famous companies. Not sure how these small companies can avoid this other than being more careful with data.

    • "Admins monitor login activities at a scheduled time and review login activities and data transfer size."

      Haha this is what should happen but never does

    • Part 2: How it is found. Admins monitor login activities at a scheduled time and review login activities and data transfer size. They notice an unscheduled activity, trace back the IP and report this to management. (Or sometimes hackers contact the affected company to negotiate a deal. When the asked price is higher than the company valuation, the company decides to tell the users.)

      IS that what really happened or are you making it up?

      Now an intern joins the team with a pirated PhotoShop application which already has a malware in it.

      That's why you don't pirate… or check before using…

      • +1

        why would I make this up? I know a sys admin. They check for these things often.

        If you have read about Uber's hack story, they were contacted by the hackers. Not sure what the outcome was.

        Anyways, I actually did some clean-up after a ransomware attack on a Windows server for a small accounting firm. During that process I got to know there are companies that help you recover (decrypt) the data. That means this happens very often. But I am not sure if that accounting firm ever notified their customers. The sensitivity of data lost was more serious than ShopBack's. At least I am grateful they had the courtesy to send us a mail (unless the proprietor threatened to send a mail to every customer about the hack).

        • -1

          why would I make this up?

          Because…well this is the internet…and we type things to make ourselves feel good or high and mighty in some cases…

          If you have read about Uber's hack story, they were contacted by the hackers. Not sure what the outcome was.

          I thought uber wasn't exactly a company per se since they contract basically everyone so anyone who works for them is basically their own businesses…

          help you recover (decrypt) the data

          I thought once you got ransomware, that was it for your data - no way to get it back unless you either pay the hacker or you've got a backup prior to that…

          • @Zachary: a) True. :)
            b) I think I listened to that story on the Business Wars podcast. I am not sure what you are talking about regarding the company structure. Hackers got access to the user accounts (drivers and users).
            c) If you google it, it seems certain types of ransomware attacks can be reversed. The incident I was trying to help with was a failure when we approached these companies. They had a look at the files and then told us they had a 99% chance of recovering the files and requested payment of $4000 AUD. The hackers demanded $10k USD in bitcoin for the decryption key. The accounting firm decided to go ahead with this Australian company in Concord (payam data recovery). But after getting the money they said they could not do it and kept the $4000. (I am not sure if that's a hoax company too.) After that experience, the firm decided to redo all the work by hiring extra staff instead of trying to recover the data. (Fortunately they only lost 6 months of data.)

            • @amazonaddict: hahaha ….so much for getting them to restore their data….

  • my $14 cashback expired because I didn't have enough to withdraw and hadn't used it for a year. Sheesh.

  • Cashrewards must be loving this.

    • +2

      @TightArse watching this thread with popcorn in hand.

      • +1

        Nah, TA is a cool guy.

        • Yeah probably more a potato chip > popcorn kinda bloke…

    • +3

      ermmm TA probably has a shopback account too. I think TA would be just as worried as us

      • +2

        If anything it would make people reluctant to use any cashback site.

        • Yeah I mean what about those cash back sites that pay into your Super?

    • +3

      Cashrewards must be loving this

      not really, cashrewards is a similar risk. people are risking all their personal information for the sake of saving a couple of pennies. personally i don't think i will use either

      • Cashrewards have been known to share their customers' personal data with Facebook and their partners.

    • +3

      anyone else on cashrewards too and trying to remove their bank account details in favor of paypal instead? it does not seem to let you

      • +1

        Yeah I couldn't figure out how to do it. Ended up sending a support email asking them to delete it from their database for me so I can just use PayPal

        • +2

          Same, sent Friday night, this has been a good lesson in minimising personal details on all sites. Luckily for me I had issues setting up my bank details with SB and only ever used PayPal to withdraw.

        • Did they change it? I will do the same, please update thanks

          • @limucat: I got this: 'To prevent potential fraudulent activity on our platform, we must retain your de-identified BSB and account details.'

            Not great, if SB can operate without my banking details I think they can.

            An area where SB seems superior, it lets you change/delete most information (assuming it's really gone).

            • @Hiphopopotamus: Hmm, I got the same response from CR support. Not very happy about that.

              • @Tink: I replied back and they're not budging, so I'm going to use SB for a couple of months until all of my cashback clears, close and then open a new account.

                Is irony the right word for this XD

    • …until they get hacked and then we all jump on them for it, for their …slow announcement and crappy security….

  • +7

    I think the only way to apologise is a 20% Amazon cashback on electronics. I'd like to see those threatening to close their account resist that.

  • +23

    Data breaches happen all the time, it's simply a reality of modern life. It's interesting how hysterical most of the posts are on here about it.

    Odds are absolutely nothing will happen (and the people saying they've received scam emails etc are most likely erroneously linking the two events), no need to start stressing out until the details of the investigation are released.

    My details have been "at risk" in many similar data breaches in the past (as, most likely, have yours) and absolutely nothing has ever happened. By all means rant and close your accounts if it makes you feel better (though that's pointless given any information that could be stolen has already been stolen) but stop stressing out!

    • +2

      I'm in the same camp of believing if "they" want it, they'll get it.

      I do however think it's more about transparency in this instance.

      You don't exactly go around handing out your information willy nilly, concerned or not. Added to the fact that SB are just providing generic responses, it kind of defeats the purpose of them even opening a thread on OzB. They should have just stuck with a banner announcement and/or the email they already sent out, given they aren't responding here appropriately anyway.

      I doubt you don't (entirely) care. If someone said, hey, can we have your information for $xyz profit with no return, I can guarantee you wouldn't be too happy about it. I daresay that's where the majority of people share their concern.

      • +1

        I've already explained that… Look up the aftermath of ANY data breach and you'll just see generic responses while the investigation is ongoing. These investigations often take teams of security specialists weeks to figure out what happened - it's not remotely surprising that they don't have the information that you want to hear yet (and it's far more preferable than them lying and saying it's all fine!).

        Doubt all you want, I genuinely do not care. I don't have the slightest idea what your example is meant to mean? If you're trying to say I wouldn't deliberately try to expose my information for profit then yes, you're correct.

    • +8

      Data breaches happen all the time, it's simply a reality of modern life.

      The fact that negligence is all too common doesn't mean I have to accept it happily.

      IT security is atrociously ignored in far, far too many organisations and nothing will change as long as there are no real consequences.

      • +4

        I don't recall saying you have to accept this happily? I said it's being blown well out of proportion - it's absurd that multiple people are genuinely scared about what's going to happen to them, and the echo chamber encouraging that fear needs to be corrected.

        I must admit I don't follow the outcomes of these investigations very closely, but do they not get large fines if found to be negligent? Hardly seems like no consequences.

        • It's got nothing to do with the data breach and everything to do with how the data breach is being handled. It looks like they have access to all of our passwords based on the communication.

          It looks like they have "encrypted" (their words) passwords using a hashing algorithm. The freaking rep doesn't even know the difference between encryption and hashing.

          Also, nice try Shopback IT department.

          I doubt anyone is really scared. I would only agree with you that the direct debit issue is being overblown.

          Also, for people who use the same passwords across multiple sites they have 100% reason to be worried. I don't want to hear this victim blaming bullsh*t. Stop defending this trash ass company who are downplaying what data actually got stolen.

          From their communication you can be reasonably sure that the db of passwords has been stolen and way more secure hashing algorithms on big companies have been cracked.

          Change all your passwords that you use the same for, set up 2FA if you haven't already. And don't listen to this big company marketing BS apologist.

          They have our f@$&! emails and full names and bank acc details, how the F would spam mails NOT be related to the leak? We will never be 'sure' that spam email 93151935 is related to this specific leak, but what we can be sure of is that this is the result when data breaches happen. It is also the main reason data breaches happen - i.e. to sell your data so you can be spammed/phished. The company trying to downplay and saying 'nah, they haven't used any of your details' is disgusting.

          Yes, we have all been to haveibeenpwned and are aware there are leaks on a regular basis. This communication is just absolutely taking the piss though. Don't support a company who doesn't support you. You can't even close your f!#^!#^ account after asking them!! There isn't even a customer wide 'reset your password' that I've gotten for the last x breaches. This company is definitely taking the piss. Shame on you for defending them.

          • +1

            @takutox: And as I keep saying, they're handling it just like any other company does.

            Well it's hardly surprising that the social media rep isn't fully versed in how password encryption works…

            If I worked for the IT department, I wouldn't waste my time talking to hysterical armchair experts online… If I was working for the PR department on the other hand…

            Doubt all you like, if you bothered to read the nonsense being posted on here then you'd clearly see people ARE scared. At least one person is even trying to change their phone number because they're so paranoid about this.

            Hardly. There's reason to go and change all your passwords yes (and not have the same one everywhere…), but to be "scared"!?

            That last section confirms it - you seem like a hysterical, crazy person! This is genuinely the response I expect from retired and computer illiterate people.

            The reason the spam is unlikely to be linked is because it takes time to do. If you bothered to take notice of what happened in the hundreds of other large data breaches, you'll see the details are virtually never immediately used by scammers. If the data is gone then you're absolutely right - it will be incoming. But the odds of it happening right now are minimal - hence a handful of people receiving some is proof of nothing.

            You're also obsessed with the fact that they aren't specifically stating what information has gone thinking it's a bizarre, incomprehensible cover up (why on Earth would they want to drag this out?). Security companies aren't cheap - if they already knew what happened then they would not be spending (at least) tens of thousands of dollars trying to work it out.

            I wouldn't say I'm defending them as much as correcting the insane nonsense being spouted on this thread. It will be very interesting to see the results of the investigation to find out how much of this hysteria can be retroactively justified. Though I don't doubt if it turns out it wasn't that bad, you'd just claim it's a cover-up and not believe anything!

        • +3

          I don't recall saying you have to accept this happily?

          Having your own words twisted is the only way someone can debate here. English is hard it seems.

    • -2

      Yeah there's a lot of fear mongering in the thread. I've had my details leaked far too many times to count, and absolutely nothing of mine has been compromised due to it

  • https://www.ozbargain.com.au/node/532783

    Just checked mine,
    This is a summary of the 1,680 apps and websites that have shared your activity.

  • I spent a good couple of hours this afternoon changing my email address on sites I registered using the same email I used on SB. Seriously considering changing my mobile number but it's a number I have had for years.

    • +9

      Well that was a complete waste of your time, as would changing your phone number.

      I'm still astounded that so many people are panicking about this! What on earth do you think is going to happen?

  • -2

    'and nothing will change as long as there are no real consequences' - ie billion dollar fines.

    why would a yank banana republic impose fines for covering up massive data collection?

    Never going to happen - now get back on your phone and re-enter those new details - people are waiting.

  • +1

    I'm getting multiple WhatsApp login attempts with my phone number today.

    2x by text and 1x by phone 2FA attempts

    I also got a call from the "bank" yesterday but it seems like they spoofed a real bank's number. I don't have an account with them.

    This is concerning

    I wonder how long it will take for this to settle… when the data becomes "stale" and the hackers move onto newer hacked data so we don't get bombarded with spam calls and texts.

  • +5

    Once you are on internet no such thing as privacy. Even owning an email address has the same risk as watching porn.

    Chill everyone…. This is reality. Can happen tomorrow with ato.gov.au

  • -3

    You already sold your data to Shopback/Cashback/etc.. and various websites for like $2 (yes that's how much it's worth to you) lol.

  • +4

    "To date, we have no reason to believe that any of your personal data has been misused" - what a stupid PR response and misleading people to the seriousness of this (and thus preventing people from reacting and potentially taking actions to protect other accounts appropriately).

    This is like saying that a bank was robbed and all the money was stolen but they have no indication that the robbers have spent any of the money yet.

    Besides, this thread implies a lot of people are victims already of stolen data usage and shopback are not notifying anyone of this.

    minimize the risk of a similar incident occurring again in the future.

    Uh, how about you dedicate some more resources and increase communication for the current disaster you are in.

    And besides, if they sent an email last night saying they have no reason to believe data has been misused, why haven't they sent a follow up email earlier today suggesting that there has been A LOT OF MISUSE of data. aka. this thread.

    Also I see they posted in this thread that the following data is at risk and they conveniently forgot to leave this out of the customer email:

    Types of data that you may have provided to us could include your:

    Name
    Contact information
    Gender
    Date of birth
    Bank account numbers (for customers who withdraw to their bank accounts)

    • no credit card information at all then?

      • Credit card info is actually not that important, since it is backed by the bank and they will get their money back. But you will never get your details back. It will circulate in various dodgy companies databases forever.

        • Errr not entirely correct. Depends where your cc was issued. Asia and Middle East issued cards do not have this protection.

          • -1

            @[Deactivated]: I didn't know that Asia and Middle East use shopback?

            • @nadan: I never said that. There’s plenty of people in Australia with overseas issued cards….

            • +1

              @nadan: You do know it's a Singaporean company? They have many users across Asia.

    • -3

      Your analogy is plain wrong…

      To make it accurate, it's like a bank saying that they don't have evidence of money being stolen because there were no witnesses/CCTV and they haven't yet been able to get into the vault.

      I don't know if you have any idea how IT systems operate, but it's not at all unusual for one part of a system to be breached while other parts - such as areas storing customer information - remain intact.

      • +4

        To make it accurate, it's like a bank saying that they don't have evidence of money being stolen because there were no witnesses/CCTV

        Ok, I'll slightly modify it. It's more like: there is CCTV showing the robbers going in to the vault and they are confirmed to be standing over the cash and they were in this room for quite some time and then made a smooth getaway. But it is unclear if they definitely took the money, despite reports from random bystanders a day later that they could see suspicious random people in street markets nearby making unusual purchases with large sums of cash (aka this thread).

        it's not at all unusual for one part of a system to be breached while other parts - such as areas storing customer information - remain intact.

        Wat? Shopback specifically confirmed that there was "an incident involving unauthorised access to our systems which contained our customers’ personal data.".

        I don't know if you have any idea how IT systems operate

        PM me and we can flex our IT salaries on each other.

        • +2

          PM me and we can flex our IT salaries on each other.

          No no, I wanna hear this….for my entertainment purposes….

        • -1

          You are genuinely clueless about data breaches if you think it's remotely likely that the reports on here are directly linked to this incident…

      • +1

        To make it accurate, it's like a bank saying that they don't have evidence of money being stolen because there were no witnesses/CCTV and they haven't yet been able to get into the vault.

        What in the flipping F are you on about LOL!!

        They got into the vault and took everything, there are witnesses/CCTV and it was confirmed.

        I don't know if you have a single clue how IT systems operate, but customer data is stored in the same DB as customer data. The customer data DB was breached, not just a subset of it, the ENTIRE db of customer data including "encrypted using a hash" passwords (lul).

        • -1

          They've very clearly stated that they don't know what data was accessed yet… Rather obviously, if everything was just dumped in one place with unfettered access then they would immediately know that all the data was accessed…

  • OMG my name, DOB, BSB ACC info all gone …

  • +1

    Since this afternoon, I have been drafting a formal email to seek their position on this matter.

    If someone feels like using this template, feel free to PM me.

    • -1

      I’d rather Deputy PM you.

    • +3

      Comment your result when they have emailed back

      • +4

        Yes I will keep everyone updated.

  • +2

    Data breaches are fairly common and you may not hear about them because you either don't have any dealings with them or they don't report it.
    This incident just shows that greed and complacency can bring a lot of pain and have long-term negative impact on businesses. However despite all this the management ignore to invest in the proper IT tech and operators which is the backbone of their businesses.

    • +1

      However despite all this the management ignore to invest in the proper IT tech and operators which is the backbone of their businesses.

      Or maybe they did but the people who inspected it wasn't thorough enough?

  • +8

    To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists.

    For the uninformed this means that they have no clue how long their systems have been compromised or what volume of data was exposed. It is very likely hackers have all your information.

    • In plain English:

  • Luckily I only had my email and mobile number, though they could figure out my name from my email. I guess I can expect some spam

    • Same, seems i signed up and never used it. silly me

  • +5

    FAQs suggest that they were aware of unauthorised access since 17th September 2020. This falls under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988.

    I hope OAIC smashes them for taking 9 days to notify the customers…

    • +2

      only 9 days - think of covid - think of the hundreds of amendments made to a raft of consumer protections with no end date ever mentioned…

  • +7

    I always had bad experience from this Mob. Always need to chase them.
    Now data breach.

  • -2

    That's fked I just checked my sms I got an alert for suspicious activity on my bank card but it's a phishing site. Wtf shop back

  • +8

    By the way OzB - it is not hard to decrypt the encryption of your passwords, hundreds of websites have had their entire database of passwords decrypted. Change any passwords that are the same as your ShopBack password, and consider 2FA again on important websites if you haven't.

    ShopBack is lying and downplaying how much info the hackers have and are using weasel language to make it seem like everything is well and good. Unlike breaches with other companies, they have not suggested or forced any password change to their customer base and are taking us for fools. "passwords are encrypted" is not a good reason not to carry out a forced global password reset, as you may know if you are familiar with previous breaches. It may not make a difference to the perpetrator because they already have taken the data, but it will when your info gets sold and leaked.

    You will probably notice sign in attempts on any accounts on other websites using the same email and password in the near future.

    It is guaranteed you will have your info sold and you will have increased phishing emails. They will have your full real name from your linked bank account, and may choose to use this info at any point in the future.

    This thread does not exist as a means to notify you and keep you in the loop (notification to customers was late by a week and at 10:06pm on a Friday night) - but a marketing / PR control designed to fool you.

    In the meantime they will weasel:
    - they aren't 100% sure what data has been stolen (which they will never be - but what you can be 100% sure of is that the person with unauthorised access had the potential to steal the entire customer base of data)
    - your password is encrypted (does not matter, dozens of large websites with better security have had their entire database decrypted, or at least a majority of passwords, using cross checking / brute force of common passwords). Also, the fact that they say 'encrypted' and not 'hashed' is extremely suspect, not that even hashes with salts are immune to being cracked, especially md5 and sha-1, and especially if you use a simple password like hunter8
    - the security of your account is of utmost importance to us (which it is not, there is no notice on their website, they notified us all late and at 10:06pm on Friday, and did not do a forced global password reset so as to fly under the radar)
    - we do not store your credit card info (wtf, the site doesn't even use credit cards lul - you click through the portal - this is just there to take away from the fact they probably stole 8 other pieces of your info). That's like saying your pet's name is safe on wedontownpets.com

    And yes, I am 100% aware of haveibeenpwned and leaks of data being commonplace, but this is one of the worst responses I've seen to a data breach with how they're telling people who are not as familiar with data breaches lies such as "your password is safe because it's encrypted" or "we are not aware that anyone used your data maliciously". In fact they'd be doing less damage if they just didn't comment at all on it with all the downplaying.

    Take the Dropbox password leak back in 2012 as an example. Really strong, long and unique passwords got cracked despite using bcrypt (with salt) and sha-1 hashing.
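As an added illustration of the salt vs. slow-KDF vs. pepper distinction raised in the comment above (this is constructed example code, not ShopBack's or any commenter's), the audit below checks a leaked table of stored records against a small common-password list; the wordlist, salts and pepper are all made up here.

```python
import hashlib
import hmac
import os

# Constructed demo (not ShopBack's code): how a leaked password table fares
# against a common-password list under three storage schemes. The wordlist,
# salts and pepper are made up for the example.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "hunter8", "letmein"]
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def _kdf(scheme: str, password: str, salt: bytes) -> bytes:
    if scheme == "sha1":    # fast hash + salt: salt only defeats precomputed tables
        return hashlib.sha1(salt + password.encode()).digest()
    if scheme == "scrypt":  # memory-hard KDF: every guess costs real CPU and RAM
        return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    raise ValueError(f"unknown scheme {scheme}")


def store(scheme: str, password: str, pepper: bytes = None) -> dict:
    """Build a stored record. With a pepper, the KDF output is additionally
    keyed (HMAC) with a secret that lives outside the database."""
    salt = os.urandom(16)
    digest = _kdf(scheme, password, salt)
    if pepper is not None:
        digest = hmac.new(pepper, digest, hashlib.sha256).digest()
    return {"scheme": scheme, "peppered": pepper is not None,
            "salt": salt, "hash": digest}


def verify(record: dict, password: str, pepper: bytes = None) -> bool:
    """True if password matches. A peppered record cannot be checked at all
    without the pepper, which is why keeping it separate matters."""
    if record["peppered"] and pepper is None:
        return False
    digest = _kdf(record["scheme"], password, record["salt"])
    if record["peppered"]:
        digest = hmac.new(pepper, digest, hashlib.sha256).digest()
    return hmac.compare_digest(digest, record["hash"])


def exposure(records: list, wordlist=COMMON_PASSWORDS) -> dict:
    """Defender's audit of a leaked table: which rows fall to the wordlist
    when the holder of the table has no pepper."""
    found = {}
    for i, rec in enumerate(records):
        for guess in wordlist:
            if verify(rec, guess):
                found[i] = guess
                break
    return found
```

The weak password falls under both salted sha1 and scrypt (the salt never hides a guessable password; scrypt only makes each guess slower), while the peppered row cannot be checked from the table alone.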

    • +1

      You will probably notice sign in attempts on any accounts on other websites using the same email and password in the near future.

      That's why it's good to use different e-mail addresses for each site.

      • That's why it's good to use different e-mail addresses for each site.

        Until you meet a site that bans a specific email domain… like the common yahoo, aol, gmail, and hotmail ones… and/or bans disposable ones… so you can't even use them either, save for your REAL address…

        • It's simple - you register your own domain. I have almost a thousand on my domain. One for each site

          • @mctubster: That's… gonna drive your costs up, doing up each domain for each site…

    • The company doesn't "gotyourback" at all :/

      • +2

        The company gotyouhacked

  • -2

    No one: I'll never sign up to anything that will give me free* money!

    Absolutely no one: I love paying $12 monthly account fee for no interest credit card because it is a deal* on ozbargain!

    Not a single soul in Australia: our NBN is world class, if you rank our average speed between 3-4am AEST.

    What are we hating Shopback for actually? There is more than one avenue by which we lose our personal information each day. I think a marketplace which asks for your DOB to buy everyday shit is a worse criminal than a commission based company sharing their cut with us.

    For all we know, and I'm not saying it is true, they've been hacked by their competitors so shopback can't float any planned IPO to raise capital anytime soon. Imagine it was CR who emailed us about a data breach instead.

    • +7

      Shopback collects information on: full name, gender, email, phone number, dob, bank details and shopping history. That's a heck of a lot of information all in one site. All of this data is potentially in the hands of the hacker. If you have sites that store credit cards like eBay and Amazon with the same email and password, they could find out your address and potentially make purchases in your account. It's much more than that.

      I think the main reason for this hate is due to the downplaying by SB. Their PR response is so misleading and inaccurate. They said "a few days ago" (when actually they were aware of it over a week ago on the 17th) and "we have no reason to believe your data has been misused" to try and fool us that it's not really serious. Lack of transparency is the real issue here.

      Honestly the response is so shocking I can't believe they approved it. Imagine if SB's employees were victims of another company's data breach and a similarly worded email was sent, basically saying "we got hacked like ages ago but there's nothing to worry about and you may wish to change your password." Pretty sure they'd be pissed as well. Zero sense of urgency, full sense of carelessness.

      • -3

        So if they forcefully reset our password, like when PSN was hacked last time, that will lower the community anger?

        Maybe their first action is to shut down all services, email us and then reopen services after they finish the investigation. But people still want to know the answer like yesterday. Then they will still cope from people who have tracking issues from promotions etc.

        Rarely does a company not downplay an issue. I reckon if our data has been compromised, their employees' would have been too, and they hold more compulsory information about their employees such as TFN, residential address, driver licence details etc.

        Investors should be glad SB is not floated. If this happens to CR after they have floated, oh boy do you think they will tell people on day of detection?

        • +2

          Just because x company is scum, doesn't mean y company can be scum and we should accept it because x did the same thing. What kind of logic is that mate lmao.

          I've seen password resets forced, and in most cases highly recommended, for the last few breaches. This is the ONLY company that has said "nah it's fine, you don't need to do anything, everything is safe, no one has used your data that we know of". Even silence is better than the lie.

          Also, you guys seem to think the security practices of a company have NO correlation with whether they get hacked or the extent to which they get breached, and that they have no responsibility because "it happens to everyone". This is far from the truth and an insult to cyber security experts who do build secure systems. It doesn't matter how big the company is, that doesn't mean their security is good; it's another fallacy that somehow largeness and financial success in the market means they are more secure.

          Also, is everyone ignoring that the hackers got the entire db of passwords? It looks like the ShopBack weasel language has worked, the real issue is that our passwords have been stolen and they act like they haven't. Other big companies have been honest about the leak, especially if it's a password leak, so you can't speak for all of them.

        • Guess you forgot to add the tag ‘associated’. Exactly this is what it feels like when reading your comments.

      • Good points. Adding to that, the reason they got hacked is because the number 1 priority wasn't customer security or they wouldn't ask for all that information, it was pure greed.

        They didn't take security seriously and they don't need to in the future as they don't believe hackers will misuse the information.

  • +3

    Don't plenty of competitions ask for these details? Anyway, just checked my shopback, the only things they have are my bank account details and email.

  • I want to delete my account but I have $9.83 in my account and there's a $10 minimum withdrawal limit. Kind of on the fence but it's only <$10. Wish we could delete the account from the app

  • Would hackers potentially have the expiry date and CVC number? I can't remember if I had to enter those details with Shopback.
