ShopBack Data Breach

13 Nov 2020 (Update)

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

We want to reassure you that we have further enhanced our security measures since September, taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with Crowdstrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

We have also rolled out a self-deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves without the need to contact ShopBack. See this 'How To' link to self-delete your account. We can also continue to assist customers with deleting an account if this is their preference.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.

We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.


26 Sep 2020

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimise the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack


FAQs In This Post

How do I close my account?
See this 'How To' link.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed will not be able to be processed. You will not be able to cash out pending cashbacks after they become confirmed, as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.
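Point 2 of the November update (a unique salt per password plus a separately stored 'pepper') describes a standard hardening pattern for stored credentials. The following is an added illustration of that pattern, not ShopBack's code and not a description of their system: the post does not say which hash function they use or how the pepper is applied, so the choice of PBKDF2-HMAC-SHA256, the use of an HMAC as the pepper step, the iteration count, and the sample pepper and passwords are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed pepper for the demo (assumption, not a real key). In a deployment this
# key is kept apart from the user table (KMS/HSM or a separate secrets store) so that
# a database dump alone does not include it. Rotating it means re-wrapping every tag.
PEPPER = bytes.fromhex("9f2c8a1b3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8")

# PBKDF2-HMAC-SHA256 iteration count; an assumed value in line with current OWASP guidance.
ITERATIONS = 600_000


def _salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    """Build the record to store: a fresh random salt per user plus the salted hash
    keyed under the pepper. Two users with the same password get different salts,
    so equal passwords never produce equal records."""
    salt = secrets.token_bytes(16)
    derived = _salted_hash(password, salt, ITERATIONS)
    tag = hmac.new(pepper, derived, hashlib.sha256).digest()
    return {"salt": salt.hex(), "iterations": ITERATIONS, "tag": tag.hex()}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute the tag for the supplied password and compare in constant time."""
    derived = _salted_hash(password, bytes.fromhex(record["salt"]), record["iterations"])
    expected = hmac.new(pepper, derived, hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(record["tag"]))


def offline_crack(record: dict, wordlist, pepper: Optional[bytes] = None) -> Optional[str]:
    """Model an attacker holding a dumped record. With the pepper, a dictionary attack
    works as usual; without it, even the salted hash of the correct guess does not equal
    the stored tag, so no guess can be confirmed against the dump."""
    salt = bytes.fromhex(record["salt"])
    tag = bytes.fromhex(record["tag"])
    for guess in wordlist:
        derived = _salted_hash(guess, salt, record["iterations"])
        candidate = hmac.new(pepper, derived, hashlib.sha256).digest() if pepper else derived
        if hmac.compare_digest(candidate, tag):
            return guess
    return None
```

The property the post is buying with the pepper sits in `offline_crack`: a dump of the user table (salts, iteration counts, tags) is useless for password guessing unless the attacker also obtains the pepper, which is why "separately stored" is the operative phrase. Encrypting the salted hash under the pepper, as the post words it, gives the same property as the keyed HMAC used here. A pepper kept in the same database as the hashes adds nothing.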


Comments

  • I can't comment for JPDP or PDPC, but I have a better-than-average understanding of the OAIC. "Tick in the box" investigations are not how OAIC operates and there's a reason OAIC Compliance (the investigations people) are regularly sought-after to work in big business and other government departments.

  • Guess I can count myself lucky considering the fact that I never linked my bank account with them, or put in a DOB. That being said, having my phone number and email potentially out there to be abused sucks (though I've yet to receive spam or scam calls). Very disappointed

  • I'm getting spam that I never received before. Just got an SMS from a mobile number but they knew my first name. Asked me to click on a link to some web page. No thanks. I know I can't say for sure, but this data breach and an SMS like that, which I've never gotten before, is too much of a coincidence.

  • +4

    Thanks to ShopBack and their great job. I received my first call from Guptas advising me of my arrest warrant by the Federal Bureau of Investigation.

  • +1

    Just received a robocall for the first time in years

    Of course like people say it could be a massive coincidence

  • +1

    Yeah, first scam call in years too.. none since though… 02 number, Philly w/ American accent.. hung up my side.

  • -1

    I recommend a book called Thinking Fast and Slow.

    https://www.amazon.com.au/THINKING-FAST-SLOW-DANIEL-KAHNEMAN…

    I don't think you will get any cashback with amazon books atm however it may help significantly with the significant amounts of associative bias that may be in play here.

  • +7

    +1 to all the people getting annoyed about this data breach but unaware that their accounts have also been compromised on other websites where personal information has been leaked. Check yourself:

    https://haveibeenpwned.com/
    https://haveibeenpwned.com/PwnedWebsites

    479 pwned websites
    10,196,051,455 pwned accounts
    113,765 pastes
    194,795,886 paste accounts

    • this.

    • yeah every single one of my e-mails has been owned.

      fk. hopefully no one steals the $30 in my savings account.

      • My email has been breached 17 times but luckily all my passwords are unique.
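The haveibeenpwned.com advice above can also be applied to passwords rather than email addresses, and the way its Pwned Passwords range API does that is worth seeing: the client sends only the first five hex characters of the password's SHA-1, gets back every matching suffix in that range, and finishes the comparison locally, so the service never learns the password or its full hash (k-anonymity). The block below is an added example and is not from the original post or from haveibeenpwned.com's own code. The offline `sample_fetch` body is constructed for this demo: the first suffix under `5BAA6` is the genuine remainder of SHA-1("password"), but the other suffixes and all the counts are made up. `live_fetch` assumes network access and is not exercised here.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the range endpoint, keyed by 5-character SHA-1 prefix.
# Each line is "<remaining 35 hex chars>:<count>", which is the real response format.
# Only the first suffix under 5BAA6 is real (SHA-1 of "password"); the others and
# every count are invented for the demo.
_SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\n"
    ),
}


def sample_fetch(prefix: str) -> str:
    """Offline fetcher: the constructed body for a known prefix, else an empty range."""
    return _SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real fetcher (network required). The Add-Padding header asks the service to pad
    the response with dummy ':0' lines so a passive observer cannot infer the prefix
    from the response size."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = sample_fetch) -> int:
    """Return how many times the password appears in the corpus (0 if absent).
    Only the 5-character prefix leaves this machine; the suffix match is local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        tail, _, count = line.strip().partition(":")
        if tail == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    # Swap sample_fetch for live_fetch to query the real service.
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, sample_fetch))
```

A registration or password-change handler that rejects any password with a non-zero count is the usual way this is wired in; the same k-anonymity trick is why such a check can be run without shipping the user's password to a third party.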

  • +1

    I've been getting several calls and texts a day this week…..

    • +1

      Post the numbers and who is calling.

      • I had a missed call today and called back. Said number was disconnected.

        They've all been mobile numbers and I suspect they're spoofed.

        Very annoying due to the whole covid WFH situation, could be a client or colleague calling and I'm reluctant to answer with my name to spam callers.

  • Has anyone gotten in a similar situation? My email was used to sign up to stockstotrade, and they sent an email to customer support with some spam in the text in German. I received the confirmation email of the support ticket, hence how I found out. Strange.

  • +6

    Literally 2 days after this announcement someone gained access to an old PayPal I thought had been closed for 8+ years, added some bank account with a bank I have never used under a very similar name to mine and withdrew A$5700 before PayPal stopped the account. Just saw it now in emails and might have to call police to report fraud.

    Turns out that old PayPal had same email/password as ShopBack.

    • +2

      your old paypal got that $5700 sitting there for 8 years?

      • No it was logged in and added someone else's BSB on the 18th this month, after 8 years of being unused.

          • I thought PayPal made you go through a verification process where they deposit 2 small amounts into your bank account when you add a new bank account.

          • @minniethemoocher: They still do that, which is the one part of the puzzle I don't have figured yet, possible they had enough info to access the other person's email and then get access to bank but that's a stretch.

            • @Jimbuscus: Yes that is strange as they obviously had access to the other bank account to see the amounts. Although I can think of several possibilities why they would do this. I’m guessing that using a hacked PayPal account helps hide where the money is transferred to.

    • Lol you use the same password. So bad.

  • And the email-targeted spam for me has started. Fortunately I haven't had to enter much more private data, so it's clear what's going on: with the observing of data, I'm now registered in bulk for many sites and a lot of unfilled orders coming my way apparently.

    Like password managers, it's about time to start using unique and disposable email addresses per site.

  • +1

    I wonder if the scammers are targeting people on their database with the same password hash, and trying to bait them into entering their password on some fake website and go from there? Maybe that's why some people here are getting spam so early.

    With the phone call, I suppose that is to capture our voice and maybe record us saying "yes" and confirm our name with phone number?

    I wish not so many websites asked for date of birth.

    • By the spam context yes. All seem designed to get you to confirm or re-enter data. I hope that once this round of scripts are done it drops off at least soon.

  • When it comes to digital information, I've never provided optional info on any e-commerce platforms, only the necessary, so to receive a one-time SMS code for cash withdrawal purposes I always provided my partner's mobile number instead of mine, and a bank account that only allowed deposits. Even though I registered with my real email, so far I haven't received any targeted calls or emails or unauthorised transactions. I think they are not interested in my data. I never had any issues getting my online purchases tracked and cashback from ShopBack; in the past I always had issues with Cashrewards, had to chase up untracked online purchases and cashback with them, and since ShopBack came I have stopped using Cashrewards.

  • +1

    In the past couple of days I received calls from these numbers:

    +6853499568 Samoa

    +355698475777 Albania

  • Extremely frustrating…

    Bank details, full name and date of birth are now floating on the net for people to use direct debit AND capability to destroy your family's life through identification theft.

    Great f***ing job ShopBack.

    • I never give bank details with a direct debit facility to people who are supposed to give me money.

      The UBank Ultra/Saver pair is great for this — the UBank Saver account number allows direct credit, but not direct debit. Only the UBank Ultra account number allows direct debit.

      • You are right. Good idea.
        But for me I hesitate to give out UBank Saver because it is my main account with a lot of money in it.

        Instead, I give out ING Orange Everyday. Yes it has direct debit, but most of the time the balance is $10; if I need to withdraw from an ATM I will transfer from Maximiser first.

        • Use the Savings Maximiser instead:-

          You cannot nominate your Savings Maximiser to be used for direct debit requests or periodic direct debit deposits for accounts at any other financial institution or organisation.

    • Why would you put your DOB at a cashback site when it is not mandatory?
      Also trying to understand how someone can use BSB and account number against a person. They can only deposit money, not withdraw.

      • They can setup automatic direct debit

        • How? Can't do that without a signature or setting it up online when logged into your banking account.

  • +4

    REP, I think it is time you updated the description of this post, particularly this bit:

    To date, we have no reason to believe that any of your personal data has been misused

    By now, the telltale sign for anyone is that they received robocalls that pretend to be from the Australian Government. There is literally zero doubt that this data has been misused.

    • By now, the telltale sign for anyone is that they received robocalls that pretend to be from the Australian Government. There is literally zero doubt that this data has been misused.

      People get those all the time, it's hard to say it is because of shopback

      • Except pretty much all people affected got the same robocalls from the same time.

  • +3

    This is gold. I wish I saw this BEFORE the data breach, so I could share it. But if I share it now, scammers will know I have a ShopBack account. Nooooo!

  • +1

    Has anyone received a phone call from Bendigo about a (Toll) parcel needing to be picked up? Don't have any parcel coming at the moment. And don't live in Victoria.

  • By the way I can confirm SB don't know what data was available at the time of the breach - as they only have the ability to cite current information.

    For example if your details have changed since the breach, they can only confirm the details that are current.

  • +4

    Google chrome just notified me of a data breach with every single account that has the email address associated with it.

    While that email address has been pwned before - I have never had chrome tell me this before.

    I subsequently went to my iPhone's passwords, which found 80 accounts associated with the data breach, and have changed every single password using the iPhone recommended passwords. I suggest those who have similar password-generating software do the same.

    • Have you ever come across a website that doesn't prompt the iPhone to generate its own secure password?

      I've come across a few where the webpage formatting must've been incorrect and it can't/won't generate a new password. Just wondering if you knew of a workaround.

      • Yea I think like one? Just make up your own bunch of letters and numbers and symbol that make no sense. And paste it into passwords to save it on your phone. That’s what I did.

  • +1

    This explains all the spam then, been in overdrive.

  • +6

    Why are we beating this to death? I used to receive fraud ATO calls or spam emails before this and will continue to. LinkedIn, Catch (if I remember) and other companies have had data breaches in the past with leaked credit card details too, along with personal data. Try updating the password for accounts where you have the same password as ShopBack and move on.

    Surprised people are commenting on every single spam they are getting online now.

  • If you would still like to proceed, please email [email protected] using your ShopBack registered email.

    We will deactivate your account within 48 hours.

    Note: If you have a mobile number attached to your account, you will receive an SMS from ShopBack. Don't worry, you don't need to reply, this is triggered by our security process as an account is being deleted.

  • Well at the very least I have changed my bank details to be my Citibank account, which usually has a $0 balance.

    • How will that help? The hackers already have your old account details.

      • If Cashrewards gets hacked, or if SB gets hacked again by a different mob then they’ll have the Citibank details.

  • +1

    I've noticed an increase in spam emails from the same address just pounding them out

    • Same. Same email comes up other site breaches so it's always going to be a spam target. I get that.

      What is curious about this one is the targeting. I strongly suspect they got hold of the cash-out amounts and have used that to prioritise the attack vectors, in an attempt to obtain passwords or data able to be used to take over the target email accounts.

  • It never ends, Google says my info has been compromised on 60 sites, been changing passwords for a few days, now 28 sites left… sigh

    • Yikes, I just received the same message.

    • Were you reusing the same password on 60 sites?

      • Just 11

      • 3 different passwords, but those site got hit too.

    • +3

      Randomly generated 20 plus character passwords from something like LastPass

      At worst, you'll only ever have to change the password at a single site if compromised

      • Cat-unicorn-spud

      • And if the site that is compromised is LastPass, then what?

        There's one thing that stuck with me from my old MIS days -

        There is always a trade-off between convenience and security/privacy.

        For me, using a password manager for convenience (let's be honest here, that's pretty much its main selling point) is far too big a trade-off. If that is breached then every single account attached to it is also breached.

        A good point was made on this thread by someone (sorry, don't recall who) along the lines of: if even the most secure sites have been hacked over the years, then why can't a password manager's site? And it is more than likely going to be a massive target because look what the reward is! Password after password…

        I understand there are pros and cons with each approach. For me, I'll leave password managers alone for now.

        • +1

          Because
          A) you use 2FA for your LastPass account
          B) the encrypted blob is most likely massively more securely encrypted than most websites' back-end security will be
          C) you only have to make and remember one secure personal password, so even if a hacker got your password account blob, and hacked your second factor, they would still have to decrypt the blob using your decently secure, non-'monkey123' type password

          LastPass doesn't know your password, as the blobs are decrypted client side. You could literally upload your password blob to the open internet and, assuming a password with decent fundamentals, it's unlikely to be decrypted within a timeframe you would care about.

          "LastPass encrypts information client side and has a zero-knowledge policy, so if anyone does hack into LastPass servers, they will only see encrypted information. The only way for anyone to access your sensitive data is to find out your master password"

    • How do you check this?

      • +2

        If you use Chrome to manage your passwords, go to Settings > Passwords and click on check passwords.

  • If I had a shopback account in the past but closed it, were the hackers able to get that info? Was the info still stored on their servers after closing the account?

  • +1

    Yes, same bad things happening and I will just stop using these stupid cashback sites for now.

  • I am now getting so much spam in my email inbox and google chrome has notified me that my password has been compromised on 16 websites..

    • Is it the same password you used for shopback?

  • Have been getting so many spam calls everyday. Countless from unknown numbers. Got a call last night (technically early morning) and thought it was an emergency (like a fire or death, etc)-nope. It was a call from unknown number at 2.43am! It woke me up and my phone was in another room so I sleepily hurried over there but they hung up.

    Couldn’t fall asleep again so I did a couple of chores, browsed YouTube, etc. way too early to get up but can’t fall back asleep since I had been asleep for a while. Getting a lot of spam emails too. Shopback rep nowhere to be seen, hmm

  • Shame………
    Lesson learnt. hope all those cash backs are worth the wave of spam and possible identity fraud.

    Already had numerous calls and emails.
    Fun times.

  • +1

    This is how bad their site is….. I've tried removing personal info from my account several times but it keeps reappearing. Also contacted two reps to remove it and it's still showing.

    • If you haven't already yet, please send an email to our dedicated line [email protected] and the team will help you out.

      • I've already sent an email twice; the first time your rep didn't even read my request and wanted to delete my account. The second rep said that she's removed the info but guess what, it's still there! Seems more like a system flaw than anything.

        • I don't think there's any point in trying to change personal data that was already there; it's still going to be in the database that was breached or walked through - by an employee.

          • @Sammy Boi: Does mitigate the risk that they still have unauthorised access that is undetected.

            Same risk applies to our data held in other companies.

  • My DOB and address are blank in my account. Does that mean they didn't have it and it wasn't leaked?

    • I believe they (SB) have removed that info for future leaks etc…

      • Thanks for the reply. How annoying tho. Only lucky thing is I was using a password manager so i haven't used that password elsewhere. I still don't like people having my phone number/name/dob/banking/address details. Dangerous combo.

    • Either they've cleared it or you never gave it to them in the first place

  • I've been getting so much spam SMS the last few weeks. No phone calls like others have said. Here's my block list for anyone interested.

    And no I haven't signed up or given out my number for anything else coinciding with the breach.

    Although changing your number is a pain in the ass for 2FA logins, seriously contemplating it cos this is a joke

    https://files.ozbargain.com.au/upload/85783/83285/screenshot…

    https://files.ozbargain.com.au/upload/85783/83284/screenshot…

    https://files.ozbargain.com.au/upload/85783/83283/screenshot…

  • +2

    I have been getting spam calls every day over the last few days.
    I wasn't getting spam calls last week, so no doubt a result of the data breach.
    Thank you ShopBack 👍

  • +1

    ShopBack really f'ed up. F them! Getting so sick of all these spam SMSes the last few days, in addition to the constant stream of spam calls from unknown, including foreign, numbers + spam emails. Never again.

    Bad word of mouth travels and they deserve every bit of it for having such inadequate security AND for taking so long to inform us. I actually didn't get an email, I only found out by chance on OzB.

  • So for people using password managers like LastPass, you turn off Google password manager, right?
    And do you use the auto-generated random password supplied by the password manager? Would it be silly not to know the password yourself? Like if you need to log in from your friend's computer for example?

    • it just generates a random password. you can still see what the password is. so at your friend's, the mobile app will display your password

      • Thanks. I will consider this but it will take hours to change all mine.

        • +1

          do it a few at a time. if you set it up, whenever you log in to a new site, you change that.

  • Did this company collect DOB and address as mandatory fields, I cannot remember if I put them in or not, they are not showing in my account now.

    • +2

      they weren't mandatory.

  • our names run through 100s of databases a day?

  • -1

    hmm someone just tried to hack into my Uber account and Uber said there's some link to ShopBack…. i'd change any passwords linked to SB

  • +1

    Another automated call, this time from 0451482048
    Get stuffed shopback

  • Used Facebook to connect, so just name, email, and unfortunately, mobile — no password saved, just token.
    Connected with Paypal, so no bank account details.
    I'm hoping my risk profile is minimal.

  • +3

    OP, what is the latest on this saga? Care to update your main post for us all?

  • +1

    Just got a call from someone saying they received an ATO scam call and when they tried to call back, they got my number. So looks like my number has been spoofed. Can't even get onto my telco's fraud team as apparently their support is closed now. Great.

    • +1

      Same here!!!! Never happened before.

      • Yup…

        My number is also on DNC lists and such.

        Automated ATO call, another one saying something like YOUR TAX NUMBER HAS BEEN SUSPENDED.

        Awesome. Just awesome.

    • Which Telco?
