Has CBA Had User Data Stolen? Unauthorised Charge from Shudder

So last week I received an unauthorised charge on one of my cards for $8.16 from a company called Shudder, apparently a horror show streaming service. I quickly called CBA and flagged the issue, they cancelled the card and have lodged a dispute. The strange thing is, this particular card has never been used as I just use the account for savings, the card sits in my drawer so the details are not online.
On the call to the bank, the agent had confirmed he had seen quite a few of these from the same company.

I researched it a bit more and found numerous other people, seemingly with CBA accounts, also getting the charge: https://au.trustpilot.com/review/www.shudder.com

If I had used the card for an online purchase then I would think that particular site had been hacked and the details stolen. The fact I have NOT used this card online makes me wonder if somehow details have been stolen from the actual bank and that information has not been made public? Or maybe Im being paranoid,

Related Stores

Commonwealth Bank
Commonwealth Bank


  • +1

    I have had similar things in the past. I once had it skimmed at a petrol station(no proof).
    3 other people in my car all bought drinks and all had the same activity. I guess if the card has been used in any other way it's hard to prove.

    • I once had it skimmed at a petrol station

      I'm wondering how they would've skimmed the cards - did the petrol station attendant handle the card at all? Usually, I just tap or insert the card into the machine without requiring any intervention from the attendant.

      • Mate got skimmed at Rockdale ATM several years back… Went to get $ out and there was nothing.

        Took him months to get his money back

        • The skimming device over the card slot of an ATM seems to be pretty common knowledge these days, but I'm wondering how they'd do it at the petrol station - especially with the tap and pay. Unless they have another reader right next to the tapping part of the machine?

          • +3

            @bobbified: I remember a few times when I went to pay sliding the card through style, they asked to "give me a go" .. which i refused…
            But once the bloke behind the counter for a customer infront of me, took customers card, and wiped it down behind the counter to clean it ???… then put some tape on it and gave it a go… it worked, but those seconds behind counter wiping it down could have been anything

            interesting, when cards first came out everyone was told to 'hide their pin' - now the machines are on stands and everyone behind you can see.

            • +1


              …they asked to "give me a go" .. which i refused…

              I wouldn't be letting them touch my card either! haha

              That sticky tape trick works for some reason. They've done it a few times in the past (on the counter) and it's worked! Nowadays, it's mostly tap and pay so haven't had to do it for a long time.

              I'm just finding it odd because bradl822 has said that "3 other people in my car all bought drinks and all had the same activity". I highly doubt the attendant would be dumb enough to ask to handle their cards and skim it under the table, so I'm wondering if there's some other way.

              • +1

                @bobbified: True, they never touched the card. Not mine anyway. We did go on a road trip however this was the only location we all made payments together, hence why we believe it be where it occurred.
                I probably should have followed up more, however once reimbursed and once I had a new card I just moved on.

              • @bobbified: yeah we used to put them in plastic bags and give it a swipe through that. plastic offset seems to be the go

      • No they didn't touch it at all, my best guess is a camera capturing the number. We all got reimbursement from the bank so never followed it further.

        • Strange - you could be right though…. Maybe they have cameras close by and zoomed into the POS machine!

  • Have you used that card ever ? I mean even at an ATM ?

    • Nope

      • That does sound crazy, you would think CBA would be investigating this if you have never used it anywhere. I would hate to think of the odds of someone guessing a card number. Should have paid attention in statistics

  • +1

    My partner had a US amazon prime subscription and a wellness app subscription billed to her CBA debit card. CBA refunded the money no issues.

    But honestly I think it's just luck of the draw, Perhaps her details were stolen from another site or just brute forced. They only charged around $60 total so not a massive deal.

    • I have never used the card. It went straight in to the drawer once I got it in the email. So it must be a lucky guess of card number and expiry date?

    • The US Prime subscription happened to me about a month back. On a CBA card I have never used physically online or in store (Apple Pay only).

  • +5

    Unlikely CBA has been compromised. Google "BIN attack".

    • +15

      For the lazy…

      BIN attacks are a type of automated card fraud attack that can adversely affect card holders, card issuers, merchants and acquirers. Using the first six numbers of a valid debit or credit card (the BIN), fraudsters can then generate multiple card numbers and automate scripted, low value purchases at online merchants.

    • But then why are some people targeted a lot more then others?

      I've had two credit cards for 12 years and never had a compromise.

      • +3

        It's just mostly bad luck, they aren't targeting you (the card holder), they are targeting the bank card number range…CBA would theoretically have the most active cards per BIN.

        • But how would you know?

          As someone who works in IT and deals with the same sort of thing but with passwords and online accounts getting hacked, you can always trace it back to the user putting their password into something dodgy, rather then their version of the story about how they only use their password for emails and always keep it secure.

          I imagine its the same for credit cards. The only reason I would believe OP is because an ozbargainer generally knows better.

          • @samfisher5986: Well I don't know for sure (no one can), but it's an educated guess. I'm giving the OP the benefit of the doubt because he said he didn't use it and this new comment https://www.ozbargain.com.au/comment/10861583/redir

            I also don't see why they would lie about an $8 fraud to randoms online, usually if it's friendly fraud it's for larger amounts.

            When it's the case of other people having multiple instances of fraud, I believe it would still most of the time be bad luck (using websites that are compromised), eg my wife's had 3 in the last year out of nowhere.

            Then there would be a percentage of people who are using compromised devices (or being careless/stupid like you say).

        • +2

          That's not possible. The expiry and CVV would also have to be valid, and any merchant processor doing that many invalid card numbers in rapid succession is just begging to be cut off the network. Brute force just isn't a thing.

          • @Kyanar: Yes, I stand corrected, more likely a compromise somewhere.

  • +11

    I'm surprised you got through to CBA, their call center times are utterly shocking…

    • +6

      utterly shocking…

      Makes me shudder

      • +2

        spent 6+ hours combined phone calls, last phone call they said they will call me back once #1 in the queue.
        1.5 hours later phone rings, spend 5 minutes inputting all my shit again, just to go back on hold for 28 minutes…. what the f??? is wrong with these mf's

  • I had that happen to a rarely used CBA card too. Called CBA and got the charge reversed. Apparently they're just typing in random card numbers.

    • +1

      Surely the payment gateway would stop once they have a few attempts with different expiry dates. Unless the bank allocates card numbers in a predictable way where you can work out the the expiry dates.

  • +1

    It doesnt help that CBA have a big photo of the first 6 digits of one of their debit cards up here:


    tip to banks and credit unions - never show the first 4-6 digits of your cards in any marketing material!

    Makes it very easy to BIN attack. I'd say a group of scammers must be using shudder to find valid credit card numbers

  • I've had this happen with a different bank. Someone tried to order a MacBook in Brazil using a debit card for a savings account that had never left the envelope it arrived in.

  • Funny you mentioned this, as I had a similar experience with my Commbank Spending Account about a month ago, but it was a $42.99 transaction from Google, and the description had an unknown persons name in the description (I do not know anyone by this name or even close, and a quick search on Facebook returned a lady from the Philippines). I do use the card for online transactions though so there is a chance it was compromised somewhere else, but I actually only use this card for 'known' transactions (i.e. by big known companies(apple, google, council rates etc.) and this is the first time this kind of thing ever happened (13+ years). Anything remotely dodge I use my credit card or single use cards (zip pay).

    I managed to get a refund from Google directly, and marked my card as stolen straight away so was issued a new one so no skin off my back, but the fact that this happened to you and you're also with Commonwealth is an interesting point. I'm still confused and unsure about where and how my card was compromised. Some of the ideas in the thread help shine some light at the possibilities, and maybe I was skimmed.

  • +3

    Better to lock cards which you don't use in the app.

  • +1

    Someone tried to withdraw cash from my CBA credit card at 3am in the morning about three weeks ago, use cardless function I assume. Message woken me up because I blocked cash in advance and my card is in my purse. 3am in the morning still took me nearly half an hour to get to them and they did not ask any questions, just said we need to cancel your card.

  • +2

    This happened to me twice where my card was charged by Amazon. CBA were quick to fix the issue.
    The card was never used and sat in a drawer as well.
    The replacement I received is going to be left unactivated.

    • I had the exact same thing, a charge for a prime membership - I have one, but it charges another bank. Almost identical scenario this card's in a shoebox, and has 4 recurring direct debits come out - CBA were very responsive.

  • I just got added into a "Shudder" account recently with my personal email. I don't typically use this email for anything either? I don't have CBA though?

  • My Wife and I had both our Debit Mastercards (linked to our main account) skimmed within a 2 week period. Mine was first and my wife's second. Never use these for online transactions and there would be almost no where we used both used the cards (other than Coles, Woolworths and relatively secure locations like that). I think it was a BIN attack the numbers on the cards were pretty close by a few digits. Both cases things were charged to Amazon (US) which I never shop with.

    One of our Credit Cards got hit the month prior for about $1000, although this is used for a lot of online transactions so that doesn't surprise me.

    All cards are with CBA. All funds returned. Mind annoyance by way of having to call them and wait on hodl for an hour, easier to go into the branch as it turns out.

  • +6

    Banks know exactly what is going on… they are powerless to stop it, so in effort to refrain you from being scared away from their service, they down play the events.

  • +1

    My girlfriend got an $8.18 charge from shudder too and she is also with CBA. She's only had this card a few months after cancelling the last one due to an unauthorised charge from Amazon.

  • Yeah, got hit on my CDIA account. I've never used that card at all. It's the free card that comes with the trading account.

  • Yeah I know someone that got the Shudder charge. Will cost the bank in man hours that's for sure.

  • +2

    I had similar issues with CBA on my card associated with my offset account. Never used that card for any online purchases. Although he charge was not from shudder but from a subscription to an app which converted documents to PDF.

    A couple weeks later had similar transaction on the new card they issued. I ended up closing the card facility for that account.

    I believe they had a major data leak and now they are just trying to cover it up

  • Been getting the same notifications from my CBA app recently, always a charge of about $8.13 from Shudder. Never heard of them, never subscribed to their service. Also I never use this card online, the only possible thing I can think of is it's linked to my Paypal but that's all. Otherwise I use the card at bank ATMs and tap to pay.

    Odd thing is when I check my account, there's no such amount being deducted. But I will contact CBA anyway just to let them know and for peace of mind.

    • +2

      The reason you don't see the charge is because CBA are identifying the charge and reversing it automatically.

      This really sucks because for every person it happens to, they need to cancel the card and get a new one, which means 7 to 10 business days without it, and having to cancel ALL associated direct debits, etc.

      Make sure you cancel the card, otherwise LARGER transactions might occur that WON'T be automatically cancelled. ;)

      • +1

        Thanks, you're right. When I spoke to CBA, they said it didn't appear in my transactions because it was automatically blocked. She asked if I wanted a new card and I was a bit hesitant, but glad that I did in the end.

  • On 4th august I was charged the same amount.. I was surprised too, i used my cba card to buy some lotto in feb and recently used it to deposit money in a cba ATM. I somehow didn’t notice the transaction alert on my mobile.
    Raised a dispute, got the money back. When I was talking to the the call centre rep on how my card details were compromised, she just replied they might have guessed the numbers.. I was waiting in line for almost more than an hour. SMH
    Then yesterday I saw this on 7news.. so I’m not the only one.

  • +2

    I have had this appear as notification three times already on my phone (two in succession). When I open the notification, it does appear as a pending charge. However, when I look for records on the web, nada. Something very fishy is happening.

    And of course the wait times on CBA phone line beyond an hour now.

    • The reason you don't see the charge is because CBA are identifying the charge and reversing it automatically.

      This really sucks because for every person it happens to, they need to cancel the card and get a new one, which means 7 to 10 business days without it, and having to cancel ALL associated direct debits, etc.

      Make sure you cancel the card, otherwise LARGER transactions might occur that WON'T be automatically cancelled. ;)

  • +8


    A user who started an OzBargain thread about this issue pointed out that the charge happened on a card that he never used.

    We're famous!

    • +3

      Not the first time an OzBargain thread broke the news

  • +1

    More anecdotes, but I had over $7000 worth of individual $200 iTunes purchases made to a card that I haven't even gone through the "Activation" process with. ING happily reversed the charges, but couldn't explain how they were allowed to go through in the first place.

  • I've had major issues with random Amazon and Amazon Prime purchases across 2 business accounts. 1 business account had the card locked enabled on the app. This has happened 4 times now. There must be something wrong with Commbank.

  • Got a notifcation that for a payment from Shudder middle of last month but when I opened the notification to see it in my bank history it had disappeared. Coughed it up to it being CBA being buggy.

    Then I got charged early this month again from Shudder and didn't disappear instantly, couldnt find any information so perhaps I was one of the first few that got hit. Had to change my card (and changed passwords for a few of my accounts just in case) which was a bit annoying. Glad to see it wasn't from a random online purchase and it was more of a user data problem.

    • +1

      The reason you don't see the charge is because CBA are identifying the charge and reversing it automatically.

      This really sucks because for every person it happens to, they need to cancel the card and get a new one, which means 7 to 10 business days without it, and having to cancel ALL associated direct debits, etc.

      Make sure you cancel the card, otherwise LARGER transactions might occur that WON'T be automatically cancelled. ;)

      • Yep I had my card cancelled straight away and it was a bit annoying without my card but at least it saved me from spending money where I shouldn't have :D

  • +4

    quick googlefu and found this:


    we are probably just seeing the tip of the iceberg

    • ay caramba :(

    • Interesting, but how does it explain this Shudder thing happening on my debit card which I have never used online?

      • -1

        It is easy to deduce the following:

        It is an easy to obtain dataset for the person who leaked it.
        This hints at some really lax security protocols.

        Think about it, you go to all that effort to do something that would take a professional hacker many years to, and you get it done and you dump it for free?

        It is probably something really stupid with how the banks control who has access to the DBs. We all know this is done offshore.

        I know some mugs in the forum are denying it, but is it not obvious?

    • +1

      I wonder why the local au banks dont just cancel all cards they know have been compromised via this list immediately, surely they'd have the list themselves by now.

  • I had a card (now expired) that was only used in this one supermarket's own gift card site. Someone used it to buy tyres or something in florida 1-2 years ago. I turned off oversea purchase and paywave after that.
    Last week I tried to use my new card at my usual place of purchase online and it was flagged as suspicious and disabled my card. Now I have to call them, they don't seem to answer messages in netbank.

  • We've had this happen to us. They refunded the money without question.

    It's my only explanation as money was taken off a card that never leaves the house and has never been used for any retail purchases.

    They're trying to keep a lid on it.

  • +1

    I also recently had the "Shudder" $8.30 and a $0.25 overseas transaction charge taken from my CBA account, also a $1.49 from an online payment company. Over an our wait on the phone to report the fraud with no call back facility, disgrace! Went in to a branch and they were as good as gold. The guy said that the card used was an old debit card from two years ago. I don't understand how that was still usable but I do understand that this reeks of a cover up and if CBA know they have a problem then CBA should be a lot more proactive in dealing with it. Exactly how many people has this happened to ?

Login or Join to leave a comment