Optus - Major Data Breach

HardQuiz on 22/09/2022 - 14:14
Last edited 26/09/2022 - 10:08 by 1 other user

Some good resources here.

https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-…

Optus has suffered a massive data breach, compromising the personal information of up to 9 million customers.

About 2.8 million customers have had all their personal details taken in the cyber attack, including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers.

About 7 million had their dates of birth, email addresses and phone numbers stolen.

The breach involves both current and former customers.

This is worrying.

22/9: Optus’s statement.

Mod 26/9: Whirlpool - Check Optus Customer API

Mobile Data Breach

Related Stores

Optus
Optus

Comments

    • jrjr on 26/09/2022 - 23:24

      my email specifically said “No ID document numbers or details have been affected”

      • Cherry12 on 27/09/2022 - 09:59

        Did you check your own record on the AP? To confirm if didnt have any license or passport ID?

        • jrjr on 27/09/2022 - 12:13

          looking at the Whirlpool links and I can't see my ID details stored anywhere on the API, so I'm assuming if your email didn't specifically say they're unaffected then you're stuffed

  • DiscoJango on 26/09/2022 - 18:19
    +5

    I would be happy with a rule where, any new account of any type requires you to go to a physical store to verify your identity. The extra time spent is worth it to me, compared to someone trying to open a bank account or do steal my tax return

  • zeoko on 26/09/2022 - 18:33
    +1

    I chatted with an agent on Optus app to ask what id document was stolen. The agent said they cannot reveal that to me due to privacy reason. Is this everyone else's experience too? Do I need to go to a store? I was with Optus 3-4 years back.

  • scrimshaw on 26/09/2022 - 19:02

    For those affected: You can register interest on Slater / Gordon's websites and opt in to receive notifications on whether you can claim compensation. https://www.slatergordon.com.au/class-actions/current-class-…

    Here's the privacy policy for those who are privacy conscious (read it before you fill in the forms)

    Q: What happens after I register my interest?
    Once you’ve registered your interest, we will keep you up to date about new developments in the investigation.

    Q: What is a class action?
    A class action is a type of legal proceeding in which one person, the representative plaintiff, brings a claim on behalf of a wider group of people who have been affected by the same conduct. By grouping claims together and pursuing them collectively, the overall value of the claim makes it economically worthwhile to do so, even if the value of individual claims are modest.

    Q: Will I have to devote my time or resources to the legal proceedings?
    Initially, we will only require you to provide the information requested in the registration of interest process. At a later stage, if the investigation progresses to a claim, we may get in touch with you to request further information.

    Q: Will my personal information be kept private?
    Your personal information will only be used for the purposes of the legal proceedings as required by the court, or otherwise by law. In all other cases, we will seek your consent before disclosing any of your personal information. We will not disclose any personal information to third parties, including other clients.

    • Yoopy on 26/09/2022 - 19:04
      +3

      its asking for mobile and home address…not going to do that just to register interest, and become victim again.

      • scrimshaw on 26/09/2022 - 19:07

        Give fake name, Mobile phone can be burner SIM, and your address can just be a PO BOX. Note that they won't be matching your details with what was leaked by Optus, rather they are just providing you generic updates.

        Most Ozbargainers who enter competitions regularly will be already giving out their personal details to marketers already.

    • fuzor on 26/09/2022 - 23:01

      Don't do it. No one benefits other than the lawyers. Plenty of people here are customers and this sort of legal action would just eventually increase prices for everyone.

      • pippohippo on 26/09/2022 - 23:32

        agreed. look at the robodebt…most people got nothing once the lawyers took their massive cut. Using people's detriment for their gain even if the "intention" was good

      • cerealJay on 27/09/2022 - 02:18
        +2

        Disagree. Class action here we come. I'm a former customer, so if your prices increase… do like the Optus CEO and cry a river.

        • fuzor on 27/09/2022 - 08:16
          -3

          You do you then. Hope you get a lot out of the $100 that'll be left for you after destroying a major Aussie employer.

          • easternculture on 27/09/2022 - 09:42

            @fuzor: No one will loose a job
            Elon musk will buy optus for a few billion

          • RSmith on 27/09/2022 - 09:45
            +1

            @fuzor: How many jobs vs how many people's lives could be destroyed? Not even comparable.

          • slowmo on 27/09/2022 - 12:46
            +1

            @fuzor: so optus employer > impacting millions of other individual's lives? really?

            the same incompetent ones that signed off an exposed unauthenticated API by highly paid business owners, project managers, architects, security people engineers and audit/compliance teams that didn't pick this one up and said "she'll be right mate, we need this API delivered asap!" ?

            the same one that went 'boohoo' on TV but real quiet on the backend to paying customers?

            we need to spend countless hours and stress dealing with identity theft and fraud because we deserve it?

            just checking to see if i got that right.

            • fuzor on 27/09/2022 - 16:06
              -1

              @slowmo: Does not mean that you have to sue them. Legal action doesnt benefit anyone other than lawyers.

              And everyone thinks they can communicate or code better until they're faced with doing it themselves.

              No point in crying after the milk is already spilt. You judge a company by how it deals with the situation in the coming months after the leak.

    • umoddbro on 26/09/2022 - 23:08
      +1

      Probably get 10 cents out of it, lawyers will be the ones laughing all the way to the bank… I prefer they get fined by the government or TIO instead.

  • HardQuiz on 26/09/2022 - 19:37
    +3

    On abc730 Home Affairs Minister isn’t buying this as a
    sophisticated attack.

    https://twitter.com/abc730/status/1574331416783253506

    • apsilon on 26/09/2022 - 20:55
      +2

      isn’t buying this as a sophisticated attack.

      It wasn't. Basically not only did they not lock the door, they left it ajar.

    • slowmo on 27/09/2022 - 12:48
      +2

      it's not.

      and remember optus tried to blame it on the programmer.

      this is incompetence.

  • Godric on 26/09/2022 - 20:26

    Previous customer, still no contact from them : D

  • glyptothek on 26/09/2022 - 21:33
    -5

    Beware Dont twitter anything about @kellyrosmarin or @sallyoelerich becasue you will be shot down by Twitter By the way, Shana tova aka Happy Jewish New Year Kelly Rosmarin You certainly ruined my Rosh Hashanah weekend but not yours of course. And @sallyoelerich interview on 2GB.com.au today Positively incompetent and Schamloes aka shameless

    • Nathw on 26/09/2022 - 23:30

      Which universe are you from?

      • franco cozzo on 27/09/2022 - 06:34
        +1

        wrong thread? wrong website?? wrong planet???

  • HardQuiz on 27/09/2022 - 06:51
    +2

    The recent data release from the alleged hacker (re "10.000 record from address file") includes details of 55 Medicare cards, 3246 driving licenses, and 261 passports.

    https://twitter.com/Jeremy_Kirk/status/1574493399222083586

    • neonlight on 27/09/2022 - 08:12

      Sounds like Optus won’t pay up

      • slowmo on 27/09/2022 - 12:52
        +1

        optus can't secure their sh it properly, i doubt they could even act fast enough in the interest of their own customers.

        they failed their customers before in this breach, and it's consistent with their behaviour to fail their customers again. despite what they claim on the PR spin.

        not saying they should pay the ransom, but they aren't communicating properly for a billion dollar company with dedicated PR departments.

    • RSmith on 27/09/2022 - 08:40
      +1

      Where is the data posted to? Just wanted to check if I am one of the 10000 unlucky ones :(

    • OpenAI on 27/09/2022 - 15:25

      Wow just woww

  • FullPrice on 27/09/2022 - 08:26
    +4

    Anyone remember?

    https://twitter.com/David_M_Green/status/1217963902056558592

    Hey
    @Optus
    , I just learned you are using an image of my driver’s licence as an example on your website without asking me. Can I have some money please?

    • ChillBro on 27/09/2022 - 08:40

      From reading his comments, the scumbags didn't even pay him.

      • Brick50 on 27/09/2022 - 11:58

        I mean he already uploaded the photo to his public blog, not like the information wasn't already out there.

  • easternculture on 27/09/2022 - 09:52

    Come to think about, unless the leaked data has expiry date of the license, you cant do much with just the number alone

    Anyways, i have changed my address on the license and changed the 2FA mobile numbers on my bank accounts.

    • RSmith on 27/09/2022 - 09:58
      +5

      Guess what… It has the following:

      "documentNumber":"xxxxxx",
      "documentType":"Driving Licence",
      "jurisdictionType":"QLD",
      "personId":"xxxxxx",
      "issuingJurisdictionName":"QLD",
      "validityEnd":1729605600000,
      "validityStart":0,
      "isPrincipal":"1",
      "isDefault":true,
      "lastUpdateDate":"10-Dec-21 17:21:05"

      all available in JSON format.

      • easternculture on 27/09/2022 - 10:01

        Ohhh, shit

      • prhino on 27/09/2022 - 10:27

        Some the expiry dates are incorrect though

        • Weezle on 27/09/2022 - 10:45

          What if you renewed your actual license?

          Would the expiry date change?

          • prhino on 27/09/2022 - 10:50

            @Weezle: The expiry date they have for me doesn't match any expiry date I've ever had.

            • easternculture on 27/09/2022 - 11:12

              @prhino: Yes.

            • PopCounty on 27/09/2022 - 11:17
              -1

              @prhino: The date gets encoded for some of DBs. So unless you can map out the date in Day Month Year format (any sequence) and then validate to be false, be assured the encoded date value is correct and as recorded in system.

              • prhino on 27/09/2022 - 11:51
                +4

                @PopCounty: It's not encoded, it's just in epoch/unix format. A given ephoch/unix date will covert to the same date in human readable form, however you format it.

                1664243336 = 27/09/2022, 09/27/2022, 27 September 2022, September 27 2022 = all the same date

  • soaringphoenix on 27/09/2022 - 10:03

    Is Moosemobile affected by the breach?

  • RSmith on 27/09/2022 - 10:07
    +6

    Optus CEO is either a liar or doesn't understand much about technology…

    "Our data was encrypted and we have multiple layers of protection," Bayer Rosmarin said on ABC Radio. "So it's not the case of having some completely exposed API sitting out there."

    Everything is in plain text. Lol.

    • prhino on 27/09/2022 - 12:04
      +1

      She probably thought that the field names (indentType, indentValue) would be too confusing for the hacker :)

    • slowmo on 27/09/2022 - 12:56
      +3

      you can have multiple layers of protection, but the API fully decrypts that and gives it to you on a platter in plain text.

      this is the worse part….. a lot of software developers don't understand this concept either.

      • RSmith on 27/09/2022 - 13:03

        To decrypt it needs to be encrypted first… Unfortunately, not much data is encrypted and is stored as plain text in the database.

      • od810 on 28/09/2022 - 00:21

        The api doesn't need to return plaintext id information. In fact, the data can just be one-way hashed. There is nowhere in the front end system show ID information. Optus call center doesnt need to know it after the first initial credit check. If they want to re-verify id, one way hash is enough similarly to password.

    • c64 on 27/09/2022 - 13:31

      lol can she not say something without getting egg on her face?

    • George Washington on 27/09/2022 - 18:33
      -3

      lets be real here she probably doesn't even know what IT is..

      Women in CEO these days are a publicity stunt. People should be hired for their skills not just a tick box quota

      I support all kinds of gender. I just don't like it when unskilled people because of a profile is hired to meet some diversity paperwork.

      I have worked in big tech firms and u see it all the time. People being hired into positions out of their place

      • Cheaplikethebird on 29/09/2022 - 07:50

        Mate no CEO, man or woman, knows shit about IT. Of all the people in a company they’re usually the worst.

        • George Washington on 29/09/2022 - 09:57
          -1

          how about the ceo of atlassian? or google or fb?

          Im just saying putting people into roles to fill quota is the worst.

          The optus crying oh we got hacked… Cry me a daymn river if u want… u left the door open. Have we heard anything from the ceo last few days

          • George Washington on 29/09/2022 - 09:58

            @George Washington: Im part of the breach aka my details have been leaked being a former customer 3 freaken years ago. I rang up optus 4hr wait.. we are unable to verify if your details have been leaked…. so we cant offer you a voucher or reimbursement?

            seriously…

            • Cheaplikethebird on 29/09/2022 - 10:34

              @George Washington: Yeah ok sure, if you cherry pick the CEOs of the top global IT firms they probably know a thing or two. The vast majority though are IT illiterate, I know from experience. This has nothing to do with gender quotas.

      • slowmo on 29/09/2022 - 10:47

        this is a really weird hill to die on mate.

        blame the CEO for building a culture of complacency and rewarding only 'good news'… to the point that people don't bother or don't feel safe for calling out idiotic implementations.

        or are you misunderstanding the purpose of leadership roles?

        • George Washington on 29/09/2022 - 11:07

          leadership roles are a marketing term.

          No Im not saying gender quota. Im saying hire people fit for purpose.

          My last contracting gig every quarterly presentation. its always about the gender gap and gender quotas… in my head why are we pointing this out.

  • Richmond Tigers on 27/09/2022 - 10:09
    +7

    Hackers can have my details, I have no money and my credit rating is balls, 3 steps ahead mofos.

    • slowmo on 27/09/2022 - 16:36

      you kid, but even if you are brokeass, people can use your details for a lot of other things that will make you have a bad time dealing with government bodies or any companies needing credit.

      need internet access to browse ozbargain? you need id / 100pts for pre-paid, plus credit checks for post paid.

      sim cards and internet access is extremely low bar, and if you think dealing with telcos are bad, try dealing with utilities companies.

  • furyou on 27/09/2022 - 10:20
    +3

    "including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers"

    This is why 2FA via sms is stupid. I had my phone # stolen once, using a subset of this info. Then all my accounts changed pw, using the new phone #.

    Seriously "email and home addresses, dates of birth and telephone numbers" is mostly public knowledge, which loyalty program doesn't have it? Even your local restaurant has this.

    And we can't change these when compromised.

    passport and licence numbers are only secret until companies require us to give it as ID. Then it's as insecure as the rest.

    • slowmo on 27/09/2022 - 16:40

      people need to understand data can be aggregated.

      remember uber hacked?

      i'm mr wong nummer on uber eats.

      it's got my home delivery address and an unique email.

      but with this optus attack, they can match a higher fidelity profile of me with a real name with the address + mobile , etc.

      it is not 'insecure' as the rest. uber might be complacent, but optus is incompetent.

      • furyou on 27/09/2022 - 16:55

        can't get my family to use unique pw, let alone email in signups.
        aah I duno, I use real name in restrnt bookings so it's all out there.

        • slowmo on 27/09/2022 - 17:04

          Sometimes it takes a real fraud to take place before people starts to wake up. I think that's okay, because it's a choice. Your identity/money, your risk.

          For the majority of others who are unaware and wants to understand how bad it can get, they will want to be start asking questions.

  • mboy on 27/09/2022 - 10:35
    +3

    Potentially big news: The "hacker" (I'm using that term loosely) has removed his original post and has put up a new post saying he’s backing off.

    He’s said he’s sorry to the 10,200 people he leaked and he’s deleted the data.

    I suppose this could be the end of it, but I’m way too sceptical. Let’s see.

    • RSmith on 27/09/2022 - 10:38

      Data is already out there in the wild. BTW, this hacker seems fairly immature

      • easternculture on 27/09/2022 - 10:43
        +1

        Probably got death threats

        • slowmo on 27/09/2022 - 17:06

          lol. for asking way too below market for that sort of data.

          undercutting ransom groups.

          • easternculture on 27/09/2022 - 17:14

            @slowmo: Dont underestimate what crime syndicates would do for that information

            • slowmo on 27/09/2022 - 17:20

              @easternculture: i think you underestimate that if you are partaking in that sort of activity to only get death threats from crime syndicates.

  • cooni on 27/09/2022 - 10:41
    +3

    https://twitter.com/joshgnosis/status/1574554058555215872

    To me it looks like Optus paid the ransom. Thread on the breached forum is gone now.

    • Heaps for Cheaps on 27/09/2022 - 12:00

      Well, I am thankful, my data was worth more than the 10c portion it cost if Optus paid for the ransom…

    • USER DC on 27/09/2022 - 15:03
      +1

      Their reputation has been already trashed. Hopefully people do move their businesses elsewhere. Personally I dont care if Optus goes bankrupt/liquidation or whatever. To me it seems like Australian government agencies forced Optus to pay money, or optus put in pressure to pay Ranson by government agencies to prevent any further Australian citizen's data leaking.

      This isn't as simple stuff leaked like SB data breach, but passport, driver's licence number, medicare, and general leak name number email address password etc.

      I still do not believe that whatever credit statement proof one gave to optus has not been leaked. I would definitely be closing the any bank account/cards linked to any Optus transaction. I hope that I would have had used one time disposable cards.

  • porsche26c on 27/09/2022 - 10:47

    Got my email this morning, saying name and email address but no license etc.

  • Spizz on 27/09/2022 - 10:51
    +1

    Posted by the hacker (Take with a Huge Grain of Salt) from the forums-

    https://forums.whirlpool.net.au/thread/3z4yl2qw?p=188#r3747

    and here-

    https://www.crikey.com.au/2022/09/27/optus-hacker-data-breac…

    Maybe Optus paid the ransom? Or the hacker is lulling everyone into a false sense of security to be less vigilant and will still sell the data privately?

    As for Equifax, they seem to have their own issues-

    https://www.choice.com.au/consumers-and-data/protecting-your…

    • NigelTufnel on 27/09/2022 - 11:27

      This is so weird… WTF is happening?!

    • slowmo on 27/09/2022 - 16:00

      here's food for thought: hacker realised the price was too low when he's getting offers from other groups to pay more than $1mil.

      this is very high fidelity data, not some lul haxxors php pwnbase.

  • OpenAI on 27/09/2022 - 10:55

    Can someone pm me the link I have like 20 pre paid Optus services!

    • RSmith on 27/09/2022 - 11:31

      Link doesn't exist anymore.

      • cooni on 27/09/2022 - 12:08
        +3

        The for sale / ransom demand post is gone.
        The actual data is still definitely there (hosted externally to the breached forum).

    • OpenAI on 27/09/2022 - 12:00

      fudge me details are on the list hope I can change my DL number

    • c64 on 27/09/2022 - 13:41

      I have like 20 pre paid Optus services!

      your information can only be stolen once

    • yoquierotaco on 27/09/2022 - 22:40

      did someone pm you the link? link was deleted but then reposted.

  • glyptothek on 27/09/2022 - 11:38
    +1

    Got a new dirvers licence here in SA today - didnt need proof although took it along - used my current foto, same expiry date new number - hard licence in 5 days, new digital licence is i paid the 20 apart from 20 minutes wait, the actual time with a CSO at Service SA was an efficient 5 minutes

    • USER DC on 27/09/2022 - 15:10

      Yeah I am glad they finally put this measure in place. I went as far as to get an interstate licence. Couldn't have been more safer. I probably wouldn't have gone if it wasnt for this breach, and me having no clue Service SA will replace driver licence no. given their website still says nothing about it, while other eastern states well on top of acknowledging there may have been a ID leak breach due to optus.

      Hey I am surely seeing government holding OPTUS liable for millions of $$ as a cost incurred by government agencies in issuing, posting hundreds of thousands ID's from various different government departments.

  • NonSense on 27/09/2022 - 12:22

    who has that 10k data? just trying to see if I'm one of the lucky one.. fk optus

    • cdaddy on 27/09/2022 - 12:30
      +1

      I can confirm you where on it ;)

  • Ragnarok1982 on 27/09/2022 - 12:57
    +1

    I bet optus paid them off .. what’s a couple of mil compared to the loss in goodwill and also the longer this drags on the more lawsuits and problem they will find themselves with the gov/authority. We end user are f tho.. how would we know the hackers wont resell all our info on the dark web.. seriously this is all just a clusterf.

    • RSmith on 27/09/2022 - 13:04
      +1

      Will Optus still pay for the subscription to Equifax as was mentioned yesterday.

      • easternculture on 27/09/2022 - 13:08
        +4

        Just had coffee with optus CEO and they will still pay if you have an ozbargain gold membersip

      • NonSense on 27/09/2022 - 13:44

        only if you had a chat with Muzeeb

        • RSmith on 27/09/2022 - 14:02

          I am not trusting mujeeb anymore.

    • cdaddy on 27/09/2022 - 13:51
      +1

      Apparently Optus never communicated once with them. The data is a gold mine and some other "state actor" would easily cough up over 1 mil for it

      • RSmith on 27/09/2022 - 14:06

        Who knows if money and data have already changed hands…

  • Ash-Say on 27/09/2022 - 14:14
    +1

    Chaos has begun

    https://www.news.com.au/technology/online/hacking/pay-us-ter…

    Optus has screwed people for life!!!

    • easternculture on 27/09/2022 - 15:02
      +1

      Its probably the 10000 that got leaked.
      The file was prpbably downloaded thousands of times and people are taking advantage

      • NigelTufnel on 27/09/2022 - 15:07
        +1

        Undoubtedly. Probably some high school kids that downloaded the data and want to play silly buggers and mess with people.

        Clearly very sophisticated asking for a direct deposit into their bank account. lol

        Still scary to have all your info out there for anyone to access though…

Login or Join to leave a comment
Login Join