Optus - Major Data Breach

Some good resources here.

https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-…

Optus has suffered a massive data breach, compromising the personal information of up to 9 million customers.

About 2.8 million customers have had all their personal details taken in the cyber attack, including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers.

About 7 million had their dates of birth, email addresses and phone numbers stolen.

The breach involves both current and former customers.

This is worrying.

22/9: Optus’s statement.

Mod 26/9: Whirlpool - Check Optus Customer API


Comments

  • +2

    ServicesNSW were hacked some time ago with more Crown Jewels data.

  • +1

    I only joined these SOBs 3 weeks ago. I was waiting a month so I could jump onto any JB HIFI $400 giftcard port over deals which is my annual ritual.

  • +1

    The data has already been posted online and confirmed, it’s for sale. GG

    • +2

      Source?

    • +2

      Maybe Floptus should buy it back haha

  • +2

    I've noticed over the years that when these things have happened it's not because there was a fiendishly clever genius nerd able to penetrate the best security systems on the planet. It's because some IT security dumbf*cks are using a ten year old version of a program. I doubt that is the reason here - say it ain't so, Joe, although why wasn't all sensitive Optus data encrypted?

    • +1

      It's pretty much confirmed by reliable sources that human error at Optus, and a general culture of neglect and failure at Optus led to this breach.

      Apparently the hackers didn't even need to authenticate (break in), because the API was open, and they just needed to spam the endpoint millions of times to receive unencrypted customer data. Which is the worst outcome for Optus, because it reveals their staggering incompetence.
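Added example, not from the thread: detection logic a defender could run over API access logs to surface the pattern this comment describes, a single source hitting an unauthenticated customer-lookup endpoint many times. The log format, the endpoint path and the assumption that the hits walk through consecutive identifiers are mine.

```python
# Constructed sample log lines: "<client_ip> <method> <path> <status> <auth>"
# where <auth> is "none" when no credential accompanied the request.
import re
from collections import defaultdict

SAMPLE_LOG = """\
203.0.113.5 GET /api/customers/1000001 200 none
203.0.113.5 GET /api/customers/1000002 200 none
203.0.113.5 GET /api/customers/1000003 200 none
203.0.113.5 GET /api/customers/1000004 200 none
203.0.113.5 GET /api/customers/1000005 200 none
198.51.100.7 GET /api/customers/2048811 200 bearer
198.51.100.7 GET /api/customers/2048811 200 bearer
192.0.2.9 GET /api/customers/77 401 none
"""

# Assumed path layout: /api/customers/<numeric id>
LINE_RE = re.compile(r"^(\S+) (\S+) /api/customers/(\d+) (\d{3}) (\S+)$")


def parse_log(text):
    """Yield (ip, customer_id, status, auth) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, _method, cid, status, auth = m.groups()
            yield ip, int(cid), int(status), auth


def find_enumerators(text, min_distinct=5, max_gap=1):
    """Return {ip: summary} for sources that successfully fetched many distinct
    customer records. A legitimate client looks up its own account; a source
    retrieving many (near-)consecutive ids is iterating identifiers, and doing
    so without any credential is the worst case the thread describes."""
    per_ip = defaultdict(list)
    unauth = defaultdict(int)
    for ip, cid, status, auth in parse_log(text):
        if status == 200:
            per_ip[ip].append(cid)
            if auth == "none":
                unauth[ip] += 1
    alerts = {}
    for ip, ids in per_ip.items():
        distinct = sorted(set(ids))
        if len(distinct) < min_distinct:
            continue
        gaps = [b - a for a, b in zip(distinct, distinct[1:])]
        alerts[ip] = {
            "distinct_ids": len(distinct),
            "sequential": all(g <= max_gap for g in gaps),
            "unauthenticated_hits": unauth[ip],
        }
    return alerts


if __name__ == "__main__":
    for ip, summary in find_enumerators(SAMPLE_LOG).items():
        print(ip, summary)
```

In production the same check would run per time window and feed rate limiting; the thresholds here are deliberately small so the constructed sample trips them.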

  • +4

    Does this mean we can terminate our contracts without paying out half the remainder?

  • +15

    If you've ever used any website or any major service online your info has been breached multiple times by now through the hundreds of breaches that have happened over the years.
    Major companies will be upfront about data breaches but smaller places won't bother to tell people or might not even know.

    As expected when we moved to relying on online profiles, everyone's addresses, phone numbers, names, email addresses and passwords for the sites that have been hacked are all available on data dumps. All someone has to do is go through the lists and start matching info for any missing pieces.

    The best thing people can do is to assume your full bio is out there and do the following to prevent further issues:

    • Use password generators for unique passwords for every site they log into.
    • Password manager to keep track of the passwords
    • Use 2FA where available
    • Make sure your mobile service has a warning or confirmation required prior to porting of a mobile number to another sim
    • Check your credit report using Equifax or similar every 2 months for unusual activity, attempts for credit card applications etc
    • Use a bank that gives you instant notifications of login attempts and notifications of charges to your accounts or transfers.
      I'm embarrassed for my friends who still have to log onto their bank account to see if I've transferred them money or to check when money has been removed from their account.
    • Keep on top of common scams by following sites like Scamwatch or following YouTubers like Jim Browning
    • +1

      Have absolutely no idea why you've been negged, everything you have written is correct. It truly is "Ozmoron" now.

      • +1

        I was confused as well. Maybe people don't like to believe it?

        I'd be keen to get a reply from someone who negged it if I'm wrong somewhere..

      • +1

        I believe this was edited. Started with "not a big deal" or along those lines. I kinda think having 1 in 3 Australians' data stolen is a big deal!

      • +8

        It's because he has no clue how much worse driver licenses and passport data theft is ;)

        It's completely different from the general rubbish he is going on about and password managers and 2FA will not have prevented this theft nor will it protect from the identity theft that can happen with drivers license and passport details stolen :/

        Ozmorons indeed ;)

        • +3

          Yep. It goes beyond online. Passwords can be changed, but drivers licenses, passports, date of birth, addresses? The data released here can ruin people's lives and is very valuable to the right (or wrong) people.

          This is a huge problem. Millions of people have been exposed and there is nothing most of us can do about this now.

          • +1

            @m34nstav: Put a 21 day halt on your credit report … It's the fastest and safest way to deal with it ;)

            That is what should be in the first post, not rubbish about password managers that would do nothing in this situation!

            • +2

              @7ekn00: I've partially dealt with credit card fraud before, but what happens after 21 days, let's say 6 months' time, they open up accounts randomly under people's names? My drivers license and DOB did not change, nor will they ever. I imagine many people will find out in the future as they go down this list and continue to do it to millions of people, even if only 1% stick that is a LOT of victims.

              • @m34nstav: Can extend the block, etc
                Just means you have to be a little more calculating with credit applications :/

      • -3

        Oh well. Can't help everyone. Especially if they don't want to read a whole post because it's too long

        • +3

          Not the length, it's lack of relevance to the actual situation :/

          How does your response help protect people from identity theft when actual drivers licenses and passport details are stolen?!?

          • +1

            @7ekn00:

            Make sure your mobile service has a warning or confirmation required prior to porting of a mobile number to another sim
            Check your credit report using Equifax or similar every 2 months for unusual activity, attempts for credit card applications etc

            Those steps are for helping with identity theft and people using the data from the Optus breach to illegally port your number to get around standard 2FA security or apply for credit cards in your name.

            • +1

              @Herbse: And that stops the thieves from applying for new credit / loans in a person's name how?!?

              WOW! you didn't port my number, but you have taken out 4 home loans and 12 credit cards in my name!! BRILLIANT advice!!

              You do realise they use the drivers license / passport with THEIR number for new credit RIGHT?!?

              But you keep peddling the relevance ;)

              • @7ekn00: This is my concern. I have a business that requires credit so any halts on my accounts are not really possible, it would restrict my income and business. I would not notice fraud attempts until it was far too late.

                I am fairly concerned about the future impacts on me personally. My family is partially impacted too.

          • +1

            @7ekn00: What gets me is they specifically asked why they were negged, then say "Oh well. Can't help everyone."

            Brilliant!

            • -1

              @m34nstav: Because they claimed my post had nothing to do with the Optus breach and only about password managers.

              Amazing!

              • +3

                @Herbse: No, you originally wrote "not a big deal" in your post then edited it to a diatribe about password security when it is irrelevant and about personal data theft, not password management

      • Probably victims of Jim Browning or Kitboga.

    • Make sure your mobile service has a warning or confirmation required prior to porting of a mobile number to another sim

      How do you check that?

      • Probably call the provider and ask. Most of them do offer an SMS confirmation. However I have seen an incident where someone on an Aldi plan got ported without the confirmation because the hijacker used another Aldi SIM to steal the number. Apparently Aldi don't require confirmation when going to another Aldi SIM.
        So check on that too with your provider.

    • +2

      If you've ever used any website

      Ridiculous comparison.

      We don't provide websites with date of birth and driver's license number. And those websites don't then store those details for years even if the customers leave, in an online accessible database, unencrypted. Why are you trying to frame this as "just another website breach"? It's not even close.

  • +1

    Why does Optus need people's passport and drivers license numbers? Am with Telstra and pretty sure I've never handed over those types of details to a telco before…

    • +1

      if you're signing up to a plan, you're entering a financial contract with them. Like same day loans, you are paying off the cost of your phone and your plan on a pay back contract.
      So they take your identification details to use for debt collection if you ever decide you don't want to pay what's owed to them.

      • +1

        “if you ever decide you don't want to pay what's owed to them”
        That could be me after this #%*^ up

      • pay back contract.

        Um… I had no such "pay back" contract with Optus. I had basic month to month internet until I decided to leave Optus in 2019 because their service was crap. I owed them nothing when I left, but they kept all my details including home address, drivers license etc in an online database, unencrypted, now leaked.

        Please stop channeling your inner Optus CEO with her downplaying deflective nonsense.

    • +1

      When I joined Telstra 2 years ago they took my DL details to sign up at JB. Also when I sold my business a couple of months ago, transferring ownership of the business account with Telstra, the new owner had their DL details taken at a Telstra store. This is fairly standard for any contract.

  • https://www.news.com.au/technology/online/hacking/aussies-of…

    The breach is thought to have been launched through a weakness in Optus’ firewall and affects both current and former customers

  • +12

    Looking at the press conference of the CEO… what the hell is up with "we've done everything right, we've alerted the media, the authorities…"?
    If you did everything right, we wouldn't be in this mess.

    • Get rid of Ms Bayer, but don't forget today's corporations are an IDENTITY likened to a person, so the employees, even the CEO, are NOT responsible for the acts of the corporation

  • +1

    Quick everyone, change states and get your new drivers license!

    • +7

      I'm currently in the state of disbelief and it will take a while to change states…

  • +2

    My comment is going to get buried. But 2 things:
    1. Data breaches can happen to anyone even if a company takes utmost care and puts policies in place. These days systems have gotten difficult to hack but all it takes is 1 employee reusing their password or losing their device while logged into their Optus account etc. Slowly but surely hackers get access to data.
    2. I used to work for Optus and I built a new feature that encrypts your licence, passport, personal details and only unlocks them with a face scan in the app. This feature is still in beta phase although it's already been rolled out to customers and in stores. Hopefully Optus pushes all teams to use this feature to store and retrieve user data; that way even if a breach happened the encrypted data would just be gibberish text.

    • Though data breaches are much more likely if the company has not supplied proper resources to their security team.
      It'll be interesting to learn how this breach happened. Assuming we get the full story eventually.

    • Interesting. Is the encryption key only on our devices?

      • No it's on the server and the device both. Basically end to end. But so far this feature is only implemented in the app. There are 3rd party libraries that offer identity check and they handle the differences between all passports, drivers licenses etc. We went with Mastercard ID for this. If you open the My Optus App you will see the ID by Mastercard button on the For You tab. If you have an Android phone, yours truly built the feature.

        Ideally Optus will implement this feature to encrypt all data in all systems. It can make things complicated but it is a way to protect data.

        • Will you be removing Optus from your resume? I would if I were you.

          all it takes is 1 employee reusing their password or losing their device

          But that's not what happened here, and I think you would know this. Optus wrongly exposed a dodgy API. In other words, your former workplace left a side door open. It's worth adding that encryption is not new. I don't think this is a good time to be bragging about some shiny new encryption you made at Optus. I was encrypting data with basic JavaScript libraries more than 10 years ago in my hobby projects. And I'm not even an expert in application dev, far from it. Encryption should be the norm, not some "bright idea" after everyone's details are leaked.

          • @cerealJay:

            other words, your former workplace left a side door open

            More like front door.

          • @cerealJay: Haha I'm just proud of my work and I know this is going to be integrated in their systems. It's relevant to the topic so nothing's wrong with mentioning it. I don't own the company and I didn't build the exposed API. You can redirect your frustration at the CEO of the company if you like.

            Also if end to end encryption was a norm that you "did 10 years ago before it was cool", WhatsApp took 2 years to make itself end to end from 2014 to 2016. Skype isn't by default. Snapchat became encrypted in 2019. Maybe you can send them a hate mail for being late to the party.

  • +1

    Damn.. We (Optus users) are now going to be socially engineered and our accounts locked out. This is VERY BAD.

    • Not if you close your accounts and move to a different telco. Don't stand for their crap. Vote with your feet.

  • +1

    Having worked in one of the telco's data warehouse systems, you can literally have access to all the customers' accounts and their info. But in the last few years or so, data masking of sensitive fields was implemented so that no unmasked data field can be attributed back to an entity. But still, if you have access, you can still see all that.

    MVNO data are usually geofenced in their own data marts, to which most people would not have access.

    Whilst I no longer work there, I still remember that anyone, including vendors from India, could have downloaded the whole customer database if they so wanted.

    What happened here, I am surprised this did not happen sooner.

    • What happened here, I am surprised this did not happen sooner.

      So far, I haven't heard about when this happened, how long it has been going for. All I have heard is when Optus became aware of it.

  • This is going to end up quite bad for the customers.

    • +1

      But not for Optus management. Sure, some low level lackey might be fired, but the board of directors will still pocket fat bonuses.

  • +6

    I find out A DAY LATER THAN THE ANNOUNCEMENT in the form of an OZBARGAIN THREAD.
    What a woeful level of incompetence that they couldn't send out a text or email to their customers notifying them of the breach.

    • I got an email at 1:54 today

      • Funnily enough, so did I.
        A whole day late and approximately 4 minutes after I was in a live chat asking if my information had been compromised.

      • Was this the email you got?

  • I used to be a customer with them and then ported out, I wonder if they still have my data as part of this leak… Probably, right?

    • Yes.

  • Anyone know why they kept those details?

    • +3

      So they could sell the details to third parties and call it a "hack" ;)

      • Sadly plausible.

        Details are emerging that the "hack" wasn't even a proper hack. Password access wasn't even needed. Optus are hoping people don't understand, and are trying to frame it as "Optus is the victim". The truth looks more like that Optus is a victim of its own incompetence.

        And the CEO said "much of the information is stuff you share on Facebook anyway"… LOL, I didn't know you can just click on someone's Facebook profile and see their DOB, home address and phone number among other details.

    • Been calling round to find an alternative to Optus. Vodafone told me they keep the same ID document number data in case they need to do another credit check past the initial sign up. I asked why they would need to do this, and basically they run one anytime you change/upgrade your plan or services.

      So, essentially they are all keeping this data so that they can quickly sell you new products. Saves them time processing an ID check, and stops you from not bothering because it is too much effort to resupply ID each time.

      Security breaches are just a matter of time. Optus was just the first. Any of these telcos (and it seems to be the done thing) could have been hit with the same result.

      • Optus didn't even have the right licence number for me, can't be too important.

  • +2

    Apparently the data goes back to 2017 because Optus is required to keep identity verification records for six years.

    But I'm a bit confused, wouldn't six years data mean it should date back to 2016?

    https://www.theguardian.com/business/2022/sep/23/optus-cyber…

    • They may have changed systems. For what it's worth I was a customer since then and wasn't impacted so it's possible it's less than the quoted number.

  • +3

    Well. I’m speechless.

    An update:

    'Human error' emerges as factor in Optus hack affecting millions of Australians

    https://www.abc.net.au/news/2022-09-23/optus-hack-likely-res…

    • +3

      Even the explanation given in the article is stupid. You don't load 9 million records in test, and you can always anonymise the data. Heads should roll.

      • +6

        Apparently they didn't load prod data into test, but instead gave a test server access to a prod API… and that test server was accessible to the public. Big ol' yikes.

        • @ShouldBuyIt, yeah, agreed… should never be testing with prod data; they should be obfuscating/masking the data for test purposes.
          And they should be fully isolating prod and non-prod systems. The minute they connect a test system to prod it makes that prod system vulnerable too. A complete screw up of their design and architecture principles.

    • +1

      Systems don't become vulnerable on their own.

      IT databases aren't a natural phenomenon so it was always going to involve a human making a mistake somewhere in the chain. Access through a weak API is not really surprising.

    • +2

      Well. I’m speechless.

      The error isn't the programmer. He/she will be scapegoated. The error is lack of security, system design and sign off processes. Blame those humans. The ones responsible. How the hell can a test network be exposed to the internet? Which clown signed off on that?
      I work for a major organisation… dev, test, preprod and prod all get their own security assessment and are all monitored for compliance.

      • The headline of that article (human error) doesn't match the description (it was all available through an API lol)

    • +2

      I could name a few major breaches where it was down to human error. I.e. an old unpatched server was switched on because the UPS brought it up in a power outage when it should have been disconnected.

  • +2

    Can a hacker apply for a substantial loan with my details and then disappear? Can we sue Optus for losses if such an incident happens?

    • +6

      Absolutely. There will be legal action from various solicitor firms notorious for this kind of thing and rightly so.

      I am fairly furious at the lack of data integrity from Optus. If anything impacts my business from these leaks I will come after Optus for damages, absolutely.

      • +3

        I am fairly furious at the lack of data integrity from Optus.

        I wouldn't be surprised if a lot of Australian organisations have poor cyber security practices to be honest, e.g. the big banks.

        A big part of cybercrime is social engineering (e.g. phishing), if you've ever worked for a large organisation of say, 1000+ people, you'll know stupid people exist everywhere.

  • from the CEO 4h ago

    • +1

      The quality of that youtube clip is as good as their world cup coverage.

      • +1

        tbf they are using Optus internet

    • +4

      Optus CEO Kelly Bayer Rosmarin says the company's data breach was attributable to a "sophiscated" cyber attacker rather than the company's security competence.

      Is the hack because Sophie skated?

      • +2

        Tbh I didn't watch past 2 min.
        Did she really say that? Barely sophisticated when the test server was open to the internet.
        She was probably too busy buying her mansion for $15M overseas and selling her property for $3M. Rich problem hey.

    • +1

      Seems to have been removed now.

      • +1

        That's odd. They made it private. Something's fishy

  • +4

    Any still using Password1 as their password please change it now. :)

    • +5

      Thanks. Changed to welcome1

    • +2

      Thanks for the heads up. Changed it to : abc123

    • +4

      It's all good. My password is hunter2. So it should be safe. Can't think of anywhere else on the internet that would have that password.

      • +1

        That's weird, your password only appears to be ******* for me.

    • Why? The last thing the hackers care about is logging into your stupid Optus customer account.

  • +1

    My number was in a data breach last year, and I've received a number of scam calls but the number of scam calls dropped quite recently. Now my number has joined the Optus data breach party again and I've started to receive more scam calls today and probably even more afterwards :(.

    • As you are "associated", how can we check whether we are in the list if we are former customers?

      • I tried calling Optus. The CSR could not help me (could no longer pull up my account since I am an ex-customer).

      • I got an email from Optus yesterday confirming that my personal data has been compromised :(

  • +8

    Quite disappointed with the way Optus handles this.

    • No easy way to get more information for customers and ex-customers (especially ex-customers, there is zero mention of whether those will be contacted).
    • CEO playing down information stolen saying that information has no financial impact (because passwords were not stolen). It is possible hashed passwords were stolen, it is just that you cannot reverse the hash to get the actual passwords.
    • Why allow test server(s) access to REAL production customer data? Optus should address this issue immediately.
    • Because it is a test environment, it has fewer security measures. That is Optus' excuse? For a telco, that's irresponsible.
    • +6

      "no financial impact" - but enough personal information stolen to perform identity theft (which could lead to financial loss)

    • -1

      I think Optus account passwords are largely inconsequential compared to the DL/Passport data + personal info.

      But it's trivial to "reverse hash" by brute force and there could be a huge amount of low hanging fruit passwords, i.e. any alphanumeric passwords under about 9 characters in length.

      Assuming Optus uses a salt and the salt value wasn't part of the leak, that would make this harder though.

      • -1

        Hashes are one way and cannot be 'reversed' by brute force unless you have a spare 1000 years on your hands

        • -1

          No, they can easily be reversed by brute force, it can be done within seconds like I said with weak passwords.
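Added example, not from the thread: the point argued in the last few comments, that a hashed password is only as safe as the hashing scheme and the password length, worked through for the "alphanumeric under 9 characters" case above, with a per-user salt and a slow KDF shown beside the weak scheme. The guess rate (1e10 per second for a fast hash) and the PBKDF2 iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

ALPHANUMERIC = 62            # a-z, A-Z, 0-9
PBKDF2_ITERATIONS = 600_000  # assumed work factor for the slow KDF


def fast_unsalted_hash(password):
    """The weak storage scheme: a single SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password, salt=None):
    """Hardened scheme: random 16-byte salt per user, then PBKDF2-HMAC-SHA256.
    Returns (salt, derived_key); both are stored, the salt in the clear."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password, salt, stored):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def search_space(alphabet_size, max_len):
    """Number of candidate passwords of length 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def hours_to_exhaust(alphabet_size, max_len, guesses_per_second, kdf_iterations=1):
    """Worst-case hours to try every candidate. A KDF with N iterations costs N
    fast hashes per guess, so it divides the effective guess rate by N."""
    rate = guesses_per_second / kdf_iterations
    return search_space(alphabet_size, max_len) / rate / 3600


def demo():
    # Two users who chose the same weak password. With the unsalted scheme their
    # stored values are identical, so one cracked hash (or one precomputed table)
    # exposes every user who picked it. With a per-user salt the stored values differ.
    unsalted_same = fast_unsalted_hash("Password1") == fast_unsalted_hash("Password1")
    _, dk1 = store_password("Password1")
    _, dk2 = store_password("Password1")
    salted_same = dk1 == dk2
    # Exhausting every alphanumeric password up to 8 characters:
    fast_hours = hours_to_exhaust(ALPHANUMERIC, 8, 1e10)                    # about 6 hours
    slow_hours = hours_to_exhaust(ALPHANUMERIC, 8, 1e10, PBKDF2_ITERATIONS)  # about 420 years
    return unsalted_same, salted_same, fast_hours, slow_hours


if __name__ == "__main__":
    print(demo())
```

The salt does not make a single short password unguessable; it removes the one-crack-fits-all shortcut, and the slow KDF is what turns hours into centuries for the whole space.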
