ShopBack Data Breach

13 Nov 2020 (Update)

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

We want to reassure you that we have further enhanced our security measures since September; taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with Crowdstrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

We have also rolled out a self-deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves without the need to contact ShopBack. See this 'How To' link to self-delete your account. We can also continue to assist customers with deleting an account if this is their preference.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.

We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.


26 Sep 2020

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack


FAQs In This Post

How do I close my account?
See this 'How To' link.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed will not be able to be processed. You will not be able to cash out pending cashbacks after they become confirmed, as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.
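The two notices above describe the password store in two different ways: the 26 Sep email says passwords are "protected by encryption", while the 13 Nov update says they are hashed with a unique salt and that the stored hashes have since been wrapped with a separately stored pepper. The following is an added example, not ShopBack's code and not taken from the page, showing what that layered design looks like and why it matters when only the database leaks. It assumes scrypt as the salted hash and HMAC-SHA256 as the keyed pepper step (the update says "encrypting"; a block cipher under the same off-database key gives the same property). The pepper value and passwords are placeholders constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed for this example: the pepper is a deployment-wide secret that is kept
# away from the password table (environment, KMS, HSM), so a database-only leak
# does not include it. The hex literal is a placeholder, not a real key.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")

# scrypt work factor kept small so the example runs in milliseconds; tune upward
# (for example n=2**17) for production.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def salted_hash(password: str, salt: bytes) -> bytes:
    """Per-user salted, memory-hard hash: what a 'unique salt' password store holds."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
                          maxmem=64 * 1024 * 1024)


def pepper_wrap(digest: bytes, pepper: bytes) -> bytes:
    """Keyed transform layered over the salted hash (assumption: HMAC stands in for the
    'encrypting' step). The stored value cannot be verified without the key."""
    return hmac.new(pepper, digest, hashlib.sha256).digest()


def legacy_record(password: str) -> Dict[str, str]:
    """Salted-hash-only record, as stored before a pepper existed."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt).hex()}


def migrate_record(old: Dict[str, str], pepper: bytes = PEPPER) -> Dict[str, str]:
    """Retrofit the pepper without knowing any password: wrap each stored hash in place.
    This is what makes adding a pepper after the fact possible for existing users."""
    return {"salt": old["salt"],
            "hash": pepper_wrap(bytes.fromhex(old["hash"]), pepper).hex()}


def create_record(password: str, pepper: bytes = PEPPER) -> Dict[str, str]:
    """New-user path: salted hash, then pepper wrap, stored as hex."""
    return migrate_record(legacy_record(password), pepper)


def verify(password: str, record: Dict[str, str], pepper: bytes = PEPPER) -> bool:
    """Recompute salted hash + pepper wrap and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = pepper_wrap(salted_hash(password, salt), pepper)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def offline_crack(record: Dict[str, str], wordlist: Iterable[str],
                  pepper: bytes) -> Optional[str]:
    """What someone holding the leaked table can do: guess against one record.
    Pass the real pepper to model a full compromise; pass any other value to model a
    database-only leak, where even the correct password never verifies."""
    for guess in wordlist:
        if verify(guess, record, pepper):
            return guess
    return None


if __name__ == "__main__":
    rec = create_record("correct horse battery staple")
    words = ["hunter2", "correct horse battery staple"]
    print("verify ok:", verify("correct horse battery staple", rec))
    print("leak + pepper:", offline_crack(rec, words, PEPPER))
    print("leak only:", offline_crack(rec, words, b"not-the-pepper"))
```

The point of `migrate_record` is that a pepper can be added to an existing table without a password reset: the stored salted hashes are wrapped in place, and `verify` then needs both the database row and the separately held key. The caveat is that the pepper only helps if it really lives elsewhere; a pepper stored in the same database, or in application config that leaks with it, adds nothing.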


Comments

    • +1 vote

      Probably not. Cashback withdrawal is only via direct deposit into bank account or PayPal, so I'm not sure I can see any reason for you to have given your debit/credit card details directly to ShopBack.

    • +1 vote

      What expiry date and CVC number? There is no input field to provide credit/debit card number on SB.

  • -3 votes

    I got spam sms today on the phone number I had supplied to shopback.

    • +1 vote

The nice ATO pre-recorded message SCAM rang me today from a 02 number.
Can I call on the scammers to please have some brains and at least call during biz hrs.

      • +1 vote

I have had 3 of these after this hack.

    • +11 votes

      People get spam SMSs all the time…

    • +5 votes

People need to read a book called 'Factfulness'.

      In a nutshell, just because something happened, does not automatically imply it is related to something else.

      Especially in smaller numbers and anecdotal accounts.

If you collected all the data from every ShopBack user, and compared that with an equal number of people in the Australian population, and compared the results of 'spam' SMS, you would most likely get the same % of people receiving spam SMS, although the ShopBack ones would be slightly higher, as ShopBack customers would probably spend more time online and shopping online, meaning at some point in time you would have willingly given out your phone number for a coupon.

      People need to relax.

      I don't want to concern people, but real identity scammers simply go to your rubbish bin and take out your bank statements and bills, just FYI.

      •  

        but real identity scammers simply go to your rubbish bin and take out your bank statements and bills, just FYI.

        Who chucks bills and bank statements in the rubbish bin?

        •  

          Who gets bank statements in the mail anymore ;)

        •  

          Who chucks bills and bank statements in the rubbish bin?

          You can buy their details on the dark web if you're genuinely interested. 🤣

          Sadly, identities are worth LOTS more than credit card details these days. And some people effectively give away their detail by dropping stuff like rates notices, bank statements, empty prescription medication packing etc into their rubbish or recycling.

  • +2 votes

Still waiting for payouts from them that never seem to come. I'll stick to Cashrewards.

    • +1 vote

      In the past I've cashed out via PayPal and received the payout in a few hours

  • +3 votes

    I'm waiting for the spam to be allegedly based on the shopback data that fell out of their back pocket accidentally even though they don't have my details…now that'll be interesting

  • +4 votes

    36 hours, Suneeta from their Malaysia-based customer service team confirmed my account and personal information had been flushed from their system.

    5mins ago an SMS, with "Shopback" in the header, arrived as follows:

    "This number is no longer associated with the linked Shopback account. If you own a Shopback account and didn't made this change, please contact customer service"

    What?

    I have emailed them for an explanation which I'll share here if they respond.

    • +1 vote

      Same here

    •  

      Their response was as follows. And remember, the SMS was sent ~24 hours AFTER the same person confirmed in writing "…your ShopBack account along with all of your information has been successfully deleted…"

      ===

      Thanks for your email.

      We may send customers an SMS during the process of an account deletion, there is no action required from your side.

      Hope this helps,

      •  

        Which means they still got your mobile number and account ID on record?

        •  

          That's the conclusion I reached.

At a bare minimum, they had retained the mobile number associated with my ShopBack account at least 24hrs after "all" of my information had been "successfully deleted". 🙄

          • +1 vote

            @OzDJ_: Hope they would do a bulk delete of closed accounts records at some point but not just deactivate the accounts.

            • +1 vote

              @FrugalNotStingy: Chapter 11 of the Australian Privacy Principles (APP) is pretty clear on this.

              APP 11, in a nutshell, is that an entity "….must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances…"

              •  

                @OzDJ_: But are there any legal ramifications for the entity if they violated this clause?

                •  

                  @FrugalNotStingy: IANAL but the Privacy Act empowers the OAIC with Civil Penalty provisions. The catch, here, is that it has to satisfy itself (and any court) of the "…serious or repeated interference with privacy…" hurdle.

Fines can be up to 2,000 penalty units (i.e. 2,000 * $222 = $444,000).

                  Of course, with the 1% rebate with Amazon Australia, ShopBack would just need to buy $4.4m worth of video games and they could cover such a fine.

                  •  

                    @OzDJ_: Not sure how an entity would get caught on repeated offences if not dobbed in by its employee(s).

                    But Amazon no longer recognise video games purchases from SB users!
                    Video games is no longer in the cashback category!!

  •  

    Any data breach is typically a result of insufficient cyber security controls or awareness by staff. However, the information potentially leaked in the SB data breach pales in comparison to the Scouts Victoria data breach.

  •  

    I did not receive this email. I checked my Gmail history and spam folder for the account associated with shopback. I wonder why?
    Edit: found the email. My mail is autoforwarded, needed to check the spam folder in the original email.

  •  

Bright side… If the company does not go under, the deals will be much better since they need to get the users back.

    Hackers might have my email, phone number, bank account details… Wish I did link paypal wallet instead

    •  

      In addition, many of the cancelled accounts will have money outstanding and they can use this to win users back.

  •  

    Why am I being told about this from Ozbargain?

    I have not received an email, the app has not sent me a push notification, there is no notification in the app and my password has not been reset.

    • +1 vote

      have you maybe changed the email address you used when you signed up?
      I got an email late on Friday night, and have requested they delete my account

  • +1 vote

    A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

    So how did you guys find out? I would like some details… Your FAQ doesn't explain the finer details of how you found out…

    •  

      email on friday night

      •  

        I think Zach is asking how the ShopBack team first found out that their systems had been compromised, not how users found out

        •  

          Yeah, what you said…

    •  

      …still waiting for that answer….

  • +1 vote

Dang! I just watched this video on YouTube by James Jani on data brokers. Now I know what's gonna happen to my info and stuff.

    • +14 votes

      What does your wife getting scammed on Facebook have to do with the Shopback data breach?

        • +12 votes

          I don't think it's likely that they're related. Tell your wife to be more careful in future

  • +2 votes

    Random calls this morning from (08) trying to pass off as being amazon (don't have an amazon account). So it begins….

  •  

    Request sent to deactivate, be interesting to see how long it takes
    Anyone else close their accounts?

    •  

      this is the email address to send deactivation to [email protected]

    •  

      Too late brah.

      •  

        why is it too late?

        •  

          better late than never

        •  

          Haxxorz haz ur detailz already.

    • +8 votes

      Do not request deactivation

      Instead, request:

      Deletion of my account, including redaction or deletion of any personal information held by ShopBack in electronic or hardcopy form

      •  

        Thanks will copy this!

  • +5 votes

    SOMEBODY tried logging into my Prawnhub premium Brazilian account!

    • +1 vote

      Sharing is caring? ;)

    •  

      Looks like you got the raw prawn.

    • +1 vote

      Sorry about that. Was looking for my step sister

      •  

        That's what biggies do.

  • +1 vote

Might not be related, but I just received a missed call on my mobile from a number not in my contacts.

Called back and it said 'this number has been disconnected'.

I am shutting down SB. Just received the money I withdrew from them today.

    • +1 vote

      Yeah, I've had the same thing this week.

      Plus a few calls from the "Department of Home Affairs".

  • +23 votes

Big deal. At least they were upfront about it; there's probably 5 sets of data on you held by companies who never realised or hid the breach.

  • +57 votes

    Just got a call from my ex wife. I blame the SB breach. Also getting a burning sensation when I pee. That's definitely the hackers.

    •  

      Tell us more about your ex wife…

      • +4 votes

        I don't have one…. the plot thickens …. definitely an SB conspiracy!!

        •  

          Now, tell us more about the burning sensation. Did you not drink enough water?

  •  

    I got a call tonight from an online trading company saying I'd been 'referred' to them and asking how much I knew about online trading. Never had a call like this before. Told them very cheerfully I knew nothing about online trading and was completely not interested in learning about it. They hung up on me! But I'm a bit worried it's related to the Shopback breach. I don't usually get unsolicited calls except the odd charity.

    •  

I got these calls like 2-3 months ago… and have also been receiving some stupid Malaysian financial sign-up offers. I am 100% certain this breach is earlier than September…

      •  

Or… you know… it's just people cold calling… or even using your info from other sites/breaches.

        Hate to break it to you, but websites having a data breach is inevitable and as soon as you start frequenting sites online+making accounts, your data is going to spread like wildfire.

  • +13 votes

    Jesus christ this thread has stirred up the paranoid ones.

    • +5 votes

      But I got a missed call from a blocked number in January!!
      IT HAS TO BE SHOPBACK RIGHT?!
      /s

    • -1 vote

True. If people are that paranoid, they shouldn't use cashback sites in the first place. Don't get the whole stir about it and the issues of people getting SMS after deleting.

  •  

    I got some kind of tax avoidance robo-call last night. Haha

    Damn it, they're on to me!

    Blocked and reported. Not much else you can do. shrugs

    • +4 votes

      Same here. I got a letter from the ATO asking me to back pay taxes. I'm going to assume it's from Shopback and ignore it.

      • +1 vote

        Haha name checks out??

This definitely sounded sus, and I think it's fair to assume the most recent Mandarin robocalls and now this would be linked to the breach. I hadn't had such calls for a verrrrrrrry long time prior.

  •  

    From my understanding the biggest risk from the data breach would be likely to be from credential stuffing. So if you have used the same email/password combo for ShopBack on other online sites you really should be updating all the passwords on these other sites.
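The comment above names the realistic follow-on attack: replaying leaked email/password pairs against other sites. What distinguishes credential stuffing from ordinary brute force in authentication logs is the shape, many different accounts from one source with a high failure rate, rather than one account hammered repeatedly. The block below is an added example, not from the page or from ShopBack, of that detection rule run over constructed log lines; the log format, IP addresses and account names are invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed log format for this example (not any real product's format):
#   <ISO8601 UTC> <source ip> login user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> dict:
    """Parse one auth log line into a timestamped event; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_stuffing(lines: Iterable[str], window: timedelta = timedelta(minutes=5),
                    min_users: int = 10, min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source IPs that, within a sliding time window, tried at least `min_users`
    distinct accounts with a failure ratio of at least `min_fail_ratio`.
    Brute force against one account (one user, many failures) is deliberately not matched."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        win: deque = deque()
        for e in evs:
            win.append(e)
            while e["ts"] - win[0]["ts"] > window:   # drop events older than the window
                win.popleft()
            users = {w["user"] for w in win}
            fails = sum(1 for w in win if not w["ok"])
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(win),
                                   "fail_ratio": round(ratio, 2), "last_seen": e["ts"]}
    return flagged


def constructed_log() -> List[str]:
    """Sample input built inline for the example (not real traffic)."""
    base = datetime(2020, 11, 14, 2, 0, 0, tzinfo=timezone.utc)

    def stamp(t: datetime) -> str:
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # Credential stuffing: one IP walks 12 leaked email/password pairs; one still works.
    for i in range(12):
        result = "OK" if i == 7 else "FAIL"
        lines.append(f"{stamp(base + timedelta(seconds=10 * i))} 203.0.113.7 "
                     f"login user=user{i}@example.net result={result}")
    # Single-account brute force: one user, 15 failures (noisy, but not stuffing).
    for i in range(15):
        lines.append(f"{stamp(base + timedelta(seconds=5 * i))} 192.0.2.9 "
                     f"login user=bob@example.net result=FAIL")
    # Office NAT: a few users, mostly successful logins.
    for i, (u, r) in enumerate([("ann", "OK"), ("cal", "FAIL"), ("cal", "OK"), ("dee", "OK")]):
        lines.append(f"{stamp(base + timedelta(seconds=30 * i))} 198.51.100.5 "
                     f"login user={u}@example.net result={r}")
    return lines


if __name__ == "__main__":
    for ip, info in detect_stuffing(constructed_log()).items():
        print(ip, info)
```

Thresholds are the tuning knobs: `min_users` separates stuffing from a single-account brute force, and `min_fail_ratio` keeps a shared office NAT with a few typos below the line. Note that one success inside a flagged burst (here `user7`) is exactly the reused-password account the comment warns about and is the login to force a reset on.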

  • +5 votes

Anyone start getting a lot of targeted phishing attacks? I am getting a ton more emails than usual, and they are ending up in my inbox, phishing using the likes of Netflix, Spotify, PayPal etc., and also getting daily phone calls from Australian mobile numbers with a recorded message about there being a warrant for my arrest, unpaid taxes blah blah. They aren't even hiding their number. I just got one from 0436 xxx xxx (mod: masked number). Will these be real numbers or some kind of spoofed number of a real person? Who do I report these numbers to? I have 2 more from the last two days.

    •  

      That one! I got the tax one yesterday. Haha

      Good chuckle, hung up, blocked and reported it.

      Not much we can do but the above and move on.

      That or go through the laborious task of getting new numbers and bank accounts. Hah, no thanks.

      Strangely enough, I haven't received any increase in spam or phishing emails so the tax one could very well be just a "that time of the year" attack. Mine came from 0400xxxxx6 (mod: masked number).

    •  

      Same here. Just received another robot message with Alexa's voice from 0447 xxx xxx (mod: masked number). Based on google, it's actually a legit business number in QLD.

    •  

      Many people only had one data breach, including me.
      This is the only one.
      And yes, I have started receiving a lot of robocalls these few days.

      • +5 votes

LMFAO if you genuinely think it's the only time your info has been in a data breach, you are in for a rude awakening.

      • +1 vote

I haven't had a single call or spam email as a result of this incident, nor have my friends or family.

        There are data breaches that you may not be aware of as most are hidden or not discovered.
        If you've ever signed up for any membership deals or competitions your details were likely sold off as per agreement of you accepting the T&C.

        •  

It looked like, for me anyway, the email spam started last night. Gmail is doing a decent job so far; gone from a couple per day to one every minute or so. Glad I didn't have my ph stored.

    • +2 votes

      If people deleted their accounts on a site every time there was a breach, they would never have an account on any website ever again.

      Plenty of sites with no (known) data breaches.

      Never mind that deleting your data after the breach is like locking the door once the robbers have left with your necklace. Sure, it will stop them coming back, but they've already left with your stuff!

    • +1 vote

      I have to agree with this comment. Not all companies report data breaches and many others have a data breach and don’t know.

      •  

        People are so clueless and would rather their stupid lil paranoid conspiracy theory be correct.

I've seen first hand people exchanging, buying and selling unreported database leaks and such on black market forums. But don't worry, Jim Bob's website he made as a blog about his three chickens hasn't had a data breach, so that means there aren't many sites that have them… /s

  • +1 vote

    As soon as we became aware of the issue, the unauthorised access was removed.

    So pretty much someone logged in using username/password and you didn't expect them to have access, or access to that particular area. This is why there is no problem with passwords either.

  •  

    Anyone receive a text like the following?

    (name) You have an unsettled-transaction that requires your prompt attention. Please login to fully execute your requested total (their website link)

  •  

    Not sure if this is related but some random company/person is trying to be my wife's super advisor…..

  •  

Dunno why, not sure if this is because of the SB breach data or not, but in the last few days I receive HEAPS of missed calls from 02 and 08 and 07 area codes.

Every time, they will call a second time within seconds if I ignore the 1st call.

Is anyone experiencing the same? And some are even spoof calling using a Perth auto repair number.

    • +1 vote

I've been getting heaps of calls like that on one particular number I signed up with Amaysim, but that's been going on for months. For a while, most calls were from this charity mugger agency which I'm certain I've never signed up to. They would call at a specific time of day, and if I didn't take the call (I never say anything) they'd call back almost 3 hours later. It stopped for about a month then continued. Last week, one call was from a Queensland tyre shop, so maybe some people punch in the wrong number. I've only ever used that number to sign up for a Kogan free trial. Wouldn't surprise me if Kogan was selling our data, but I do get occasional spam calls on other numbers. Probably some autocall software? (profanity) nuisance either way.

The number I added to my ShopBack account hasn't received any calls at all so far.

  • +3 votes

    So far, I've had 2 automated scam calls per day for the past three days since the breach. Thanks Shopback.
    Goodbye to chasing up missing cashback, you shall not be missed.

  • +4 votes

    NEWS: The first international regulator, JPDP in Malaysia has started an investigation into the breach.

    My bet? PDPC Singapore will be next, followed by OAIC here in Australia.

    • +1 vote

      My bet - Tick box activity.

      •  

        I can't comment for JPDP or PDPC, but I have a better-than-average understanding of the OAIC. "Tick in the box" investigations are not how OAIC operates and there's a reason OAIC Compliance (the investigations people) are regularly sought-after to work in big business and other government departments.

  •  

    Guess I can count myself lucky considering the fact that I never linked my bank account with them, or put in a DOB. That being said, having my phone number and email potentially out there to be abused sucks (though I've yet to receive spam or scam calls). Very disappointed

  •  

    I'm getting spam that never received before. Just got an SMS from a mobile number but they knew my first name. Asked me to click on a link to some web page. No thanks. I know I can't say for sure but this data breach and an sms like that, which I've never gotten before, is too much of a coincidence.

  • +4 votes

    Thanks to shopback and their great job. I received my first call from Guptas advising me of my arrest warrant by the federal Bureau of investigation.

  • +1 vote

    Just received a robocall for the first time in years

    Of course like people say it could be a massive coincidence