Optus Hacker Backflips - What Do We Reckon Is The Real Story?

Hot off the press. Our good mate “optusdata” has decided to completely backflip on his plans to hold Optus ransom for
👉😐 ONE MILLION DOLLARS
In exchange for not selling all their user details on the digital black market. “Too many eyes” he says, “Australia will see no gain in fraud”, in an apparent change of heart. At least on the surface. But something seems a little off about it all, what do we reckon is REALLY going on?

Poll options (expired)

  • Script kiddie realised he forgot to switch on his VPN while scraping (61 votes)
  • Paranoia of being busted by the feds got to him (74 votes)
  • He got his ransom after all plus a little hush money from Optus (492 votes)
  • He’s telling the truth and genuinely had a change of heart (9 votes)


Comments

            • +1

              @cooni: I wonder how many members of the judiciary, government ministers and CEOs of major corps have an Optus phone plan or home internet? Lots, I’d say. And these guys don’t like being messed with. Collectively, they could sink the Titanic and roll more heads than the French Revolution. Paying a ransom at any cost kind of makes sense.

      • +2

        Enough upside if they need to pay $29 per person to get their licence updated; that’s only 51,725 licences to hit $1.5m.

    • Grey area, but paying a ransom actually puts the payer at risk of criminal charges.
      I can’t see any CEO ever agreeing to pay if they risk being charged over it.

      • What sort of risk / criminal charges does this open Optus to?

        • https://www.kwm.com/au/en/insights/latest-thinking/cyber-att…

          Basically, if the money you pay is subsequently used for criminal activities, you can be charged with funding crime. Similarly, if the money ends up with a terrorist group, you can be charged with funding terrorism.

          • @Ugly: Does that mean if a company unknowingly hires a terrorist and they used their income for crime/terrorism. The employer is accountable?

            • @nobro25: I don’t know - I’m not a lawyer, but I would suspect if you had no way of reasonably knowing you’d be ok.
              Like I said above, it’s a grey area.

  • +6

    Wait, I'm confused about the movie. So the cops knew that internal affairs were setting them up?

    • +3

      What are you talking about? There's nothing like that in there!

      • lol I get this reference . its gold!

  • LOL totally legit

    Look, pay me millions and I won't release the data that I say I have.

    • +1

      the data that I say I have

      It wouldn’t be hard to prove, just send a copy of said data back to Optus as evidence. They can quickly cross reference.

  • What's to stop random people messaging others, bluffing that they have any details?
    Just ignore and block; do not pay anyone anything if you get asked to.

    • Others don't have a sample set of 10000 user details to provide?

  • +3

    Tomorrow, hacker releases the whole data set because it wasn't about the ONE MILLION (lol) - it was about seeing the world burn.

  • I guess the AFP are looking for Dr Evil given the Sum demanded.

  • +21

    Damn the data is only worth 1 mil lol.

    Can't even buy a house in Sydney with that

    • +8

      But it can in Uzbekistan, not to mention a flock of sheep.

      • +10

        who mentioned new zealand

  • I'd hazard that the person likely told a few mates or peers about the vulnerability beforehand, whether a humble brag or whatnot and wanted a quick and easy cash grab. If it were a professional, they would have set the sum higher and expected insurance to cover it if there was a payout or started selling it off already once there was no payment from Optus.

    The public pressure and forcing AFP to prioritise this probably is a factor in the person thinking they're in over their head. Highly doubt Optus paid.

    The release of 10,000 extra details before this decision makes it seem like an emotional response before the public statement of it being deleted and the only copy etc.

  • +4

    Script kiddie realised he forgot to switch on his VPN while scraping

    I lol'd hard

  • +6

    what sort of pro hacker would only have 1 copy of such valuable data ???

    he would have at least posted up on here asking best way to have data stored

  • someone who wanted to sink the stock price? Maybe look at large shorts before the leak. Might have made his money over the weekend and not need the "ransom". Probably no safe way to get the ransom paid..

    • +2

      Not much movement on the price of Singtel shares.

  • +1

    There's a lot more to play out with this yet.

    Now apparently medicare numbers have been breached… not sure what the panic with this is ?? Identity theft?

    https://www.news.com.au/finance/business/technology/customer…

    • Some people probably used their Medicare card as an ID form so of course they'd be compromised. Optus said identity documents, i.e. it could be anything that person used for ID on the account.

  • +3

    How do we know this is the actual hacker? Who's to say it wasn't Optus that posted the message to wriggle off the hook? Time will tell.

  • +1

    Few other options here

    Person with ransom isn't the original/only source of the data, maybe part of a group and trying to cash in. Rest of group threatened to gut them, so they retreated
    Value of data has been dropping like a stone since they gave a week to clean up the mess. Got a decent offer from a third party and sold it
    Optus hired someone with special skills to track down hacker, hacker now on the lam after receiving parents pinky toe in a box
    "I AM L33T HACKER, YUO WILL NEVER CATCH ME…. HELP, MY MOUSE IS MOVING ALL BY ITSELF"
    Encrypted data, got drunk on fermented goats milk while dreaming of the million dollars, forgot password

  • +1

    Paying less than 10c/user for this data makes sense for Optus, and the hacker rather that than selling details a few $ at a time on forums.

  • +5

    Another poll option:

    1) Amateur, likely individual, hacker stumbled across an easy scrape.
    2) Posted their loot online thinking they could make a quick buck (completely undervaluing the information that they have which points back to their amateurism). Draws international attention.
    3) Professional/national hacking groups see the real value in the data and turn their full and undivided attention to this person and either hacks the data from them or forces them to hand it over.

    Could you imagine groups that are capable of taking entire nations/world's largest corporations down, focussed just on you? You'd be handing over the data and crawling into a cave with an air-gapped device to keep you warm with limewire'd movies from the 2000s for the next 10 years. Think of how much effort some groups go to to steal just one identity.. imagine 10 million. Even if only one in a thousand is viable, that's still 10,000 identities that can be used to access many tens, if not hundreds of thousands in credit/goods. That's ~$100 million dollars of value at just $10,000 per identity. You don't think $100 million is a large enough bag of loot to attract some really talented hackers?

    • -3

      So this guy, who's clearly smart enough to hack Optus is just casually running vulnerable internet facing software on his computer, or he's dumb enough to fall for a phished link? Doubt it.

      • +2

        Just so you're aware, APIs are something that are taught in 11th grade high school these days. An unauthenticated, public-facing API is practically a free-for-all.

        Most APIs you'll find that are public facing require some sort of log in, but once you're logged in and provided the token in the API request, everything you do against that API will be logged against your account.

        An API that was open and unauthenticated like Optus's just means the 'hacker' needed to know the API endpoint to hit, which is a URL, and with a looped script could have grabbed everything in a short amount of time.

        For example, https://api.optus.com.au/users/683761/information (not a real URL) could display data about user 683761, all he would need to do then is to increment the number and save the data from the next user, and so on.

        Not difficult stuff. If he was smart, he would do it on a VPN so that his IP wasn't revealed accessing the endpoint, but there's all kinds of vulnerabilities if you aren't smart about fetching 7 million rows of data.
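The enumeration pattern this reply describes (a per-user endpoint walked by incrementing the ID in the URL) leaves a recognisable trace in the server's own access logs. The script below is an added example, not code from the post or from Optus, of the kind of check a defender could run over such logs; the log shape, the `/users/<id>/information` path and every IP address in it are constructed. It also goes one step past the single-source case in the reply: it shows why a per-IP threshold misses a scrape spread over several source addresses and how a cross-source view still catches it.

```python
"""Spot sequential-ID enumeration of a per-user API endpoint in access logs.

Added example, not code from the forum post, Optus, or any real system.
The log shape, the /users/<id>/information path and all IPs are constructed.
"""
import re
from collections import defaultdict

# Constructed access-log lines: source IP, method, path, status.
# Three sources take turns fetching consecutive user IDs, so no single
# IP looks unusual on its own; a fourth source makes ordinary requests.
SAMPLE_LOG = """\
203.0.113.10 GET /users/683761/information 200
198.51.100.7 GET /users/683762/information 200
192.0.2.44 GET /users/683763/information 200
203.0.113.10 GET /users/683764/information 200
198.51.100.7 GET /users/683765/information 200
192.0.2.44 GET /users/683766/information 200
203.0.113.10 GET /users/683767/information 200
198.51.100.7 GET /users/683768/information 200
192.0.2.44 GET /users/683769/information 200
203.0.113.10 GET /users/683770/information 200
203.0.113.99 GET /users/555001/information 200
203.0.113.99 GET /account/settings 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
USER_PATH_RE = re.compile(r"^/users/(\d+)/information$")


def parse(log_text):
    """Return a list of (ip, user_id) for each request to the per-user endpoint."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected shape
        path_m = USER_PATH_RE.match(m.group("path"))
        if path_m:
            events.append((m.group("ip"), int(path_m.group(1))))
    return events


def longest_run(ids):
    """Return (start, length) of the longest run of consecutive IDs; (None, 0) if empty."""
    present = set(ids)  # duplicates collapse
    best_start, best_len = None, 0
    for x in sorted(present):
        if x - 1 in present:
            continue  # not the start of a run
        n = 1
        while x + n in present:
            n += 1
        if n > best_len:
            best_start, best_len = x, n
    return best_start, best_len


def per_source_alerts(events, min_run=3):
    """Per-IP view, what a naive rate limiter or WAF rule approximates."""
    by_ip = defaultdict(list)
    for ip, uid in events:
        by_ip[ip].append(uid)
    alerts = {}
    for ip, ids in by_ip.items():
        _, length = longest_run(ids)
        if length >= min_run:
            alerts[ip] = length
    return alerts


def cross_source_alert(events, min_run=5, min_sources=2):
    """Cross-source view: the union of requested IDs forms one long run spread
    over several IPs. Returns a dict describing the run, or None."""
    start, length = longest_run(uid for _, uid in events)
    if length < min_run:
        return None
    sources = sorted({ip for ip, uid in events if start <= uid < start + length})
    if len(sources) < min_sources:
        return None
    return {"start": start, "length": length, "sources": sources}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("per-source alerts:", per_source_alerts(evts))    # {}  nothing trips
    print("cross-source alert:", cross_source_alert(evts))  # run of 10 over 3 IPs
```

The per-IP check stays silent on this sample because each source only ever requests every third ID; the cross-source check sees the full 683761..683770 run and names the three addresses that shared it.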

  • +3

    I found some extremely useful information on how to protect your personal data against cyberattacks here

  • +2

    Not mentioned, but very common: Someone else, who the data is valuable to, paid more money.

  • +1

    Ignoring option 5: He lied to get attention off the scrape. The data isn't as valuable to sell when everyone is changing their details.

  • My personal guess. Guy got caught but getting them in legal trouble is a hard one because the data was technically public/available and wasn't some form of decryption/break/hack.
    Normally a company when they get hacked (like PlayStation 3) could sue $$$ for damages but dude probably doesn't have much and going through court for a few grand just leaves this further in the public eye for Optus.

    So agreement was made for hacker stipulated by whatever cyber agency is involved to bail out and never touch and not go near Optus or personal data or something again, or they'll do everything to come after them.

  • +4

    It's very interesting to see how many here think that Optus paid out the ransom. There is absolutely no benefit in doing this and it is rather a higher exploitation risk.
    Who would believe that a hacker has a decent heart to hurt nearly 10 million people and then just wish to take it all back? This sounds dodgy and amateur to the max.
    Not to mention when someone pays a ransom what guarantee is there to state that the hacker will follow through with his commitment to lay the matter to rest? Who in the right mind would believe a cyber criminal's word?
    The hacker could just as easily get paid and still leak the personal data. I doubt Optus is that stupid. Instead they have better luck compensating customers to protect their identity.

    • If they don't honour ransoms, it doesn't take long for them to stop being paid. If they're at all professional (or don't want to attract anger from others in their community) they'd honour a ransom paid.

      Same as ransomware criminals, they've got a great reputation for giving your stuff back if you pay up.

    • There are reports of paying the ransom being common in the past few years as they price it relatively low compared to the company size.

    • There is absolutely no benefit in doing this and is rather a higher exploitation risk.

      Disagree. Apart from making a problem go away (though I would debate that Optus and the Government need to be accountable for their actions following this breach) there are people skilled with tracing transactions through the public ledgers back to the individual responsible for an account. IIRC - Monero was requested for this ransom which does have some "privacy-enhancing technologies" but I would argue that even liaising with the person responsible would provide some small piece of information which would be enough to track them through additional means.

      Do I trust hackers? No. But sometimes you need to let out a little line to properly set the hook. Besides which, it's $1m (asking price, who knows what the actual final price was), it's not exactly a massive loss.

  • +1

    My theory is this amateur drew so much attention at international level that he became a target for other hackers. Put aside your criminal hackers, there are also ethical ones that exist too. Once you have that sort of target on your back you would think the fun and games are over. Take ANONYMOUS for example, they could easily expose this fool. Either way, I believe someone caught onto them and told them to shut it down.

  • +5

    I smell something fishy happening here; if you understand the financial gain to be had and methods that could be used to take payment without being caught then you would also be skeptical. I reckon they got paid by an anonymous party wanting the data, and now 'optusdata' is trying the good ol' back-pedal to get the remaining 'Eyes' off of them and lead everyone to believe they had a change of heart….. I would do the same in their shoes.

    Not that I would ever put 9+ million people at risk for my own personal gain, but if I was the 'Hacker' I would have sold the data via a DeFi crypto transaction, left the money sitting in the DeFi wallet for a few years (just in case it's a government body or Optus themselves that made the payment) and wait until the dust settles then devise a plan to get it transacted to fiat or be able to utilise the money without being caught should someone still be watching.

    Too many 'eyes' that would pay the 1 million (or whatever it was) for approx 9 million identities; 1 million for approx 30-35% of Australian information (give or take) is a steal, especially considering what they can do with that information. The addresses of past customers may not be up-to-date but it's more or less hit and miss and there are always other ways to find out your current address (eg. call you from [Insert legit company], state they're updating their information and would like to confirm your current address).

    I have no doubt that 'optusdata' inbox lit up when worldwide media covered the story and more specifically his post…. The news essentially advertised his 'For sale' listing for free in the most efficient way possible, which was subsequently shared across all forms of social media… optusdata essentially put a 'For Sale' up and the media more or less said lets supercharge and expedite the sale of your listing NOW.

    99% of the received messages were likely bogus (trolls etc) but all it takes is 1…
    Plenty of time for a transaction to be completed. I have no doubt that optusdata would have had fun trying to sift through the messages to validate the real from the fake, but that could easily be done within a few days, and it has been a few days so…..

    Had optusdata put their post up and then subsequently changed it to this a few hours later then I could maybe understand that it was a change of heart and/or paranoia but yeah…..

    I guess time will tell…. but I personally won't be taking this post at face value…

    Personally I'm going to be initiating a credit freeze, getting my VIC licence replaced, hopefully eventually getting my Passport replaced (with new passport number) FOC from Optus and monitoring everything else moving forward. Unfortunately I can't change my phone number (My choice) so I just have to hope that my number isn't going to get spammed with BS

    • Regarding the VIC Licence replacement, they have changed it to a 'Victorian drivers licence record flag for Optus breach' instead of a Replacement application - Thanks Optus and Vicroads lol

  • +5

    You forgot an option OP - they got a better offer from a better-protected third party hacker.

  • +1

    Optus said 'yes' to the ransom

  • +1

    A team of Optus private investigators found the suspect hacker's home address and knocked on their door to make unofficial bikie threats.

    As well as federal authorities harassing their known associates. Encouraging their criminal family and friends to pressure the hacker to back down.

  • anyone wanna PM me and tell me what the onion url for this forum is? I can't find it on the big bad dark web :(

    • +2

      I Probably can’t directly link it without my account getting barred (again), but go to the site “breached DOT to” and go to the Lounge forum

      • +3

        I'm pretty sure that kenny guy is just taking the piss. The news keeps referring to the site being on the dark web, but it's not, it's available on the clear net.

        Dark web implies using onion links via the Tor network.

  • -2

    Senior hacker: Hi kid,
    Optus hacker: Hi
    Senior hacker: 20million dollars + a Russian written English letter to post on forums , final offer.
    Optus hacker: “thud”

  • +1

    Another aspect to this is: why only 1.5m in crypto ? ? ?

    Something smells very bad …

  • +1

    I don't think Optus would have paid the ransom unless they did a behind-the-back deal with the government and regulators. Telcos in Oz operate under very stringent regulations and no doubt paying ransoms will be against those regulations, especially given you don't know what they are going to use the money for. Oz also has very strict regulations on AML/CTF which are quite clear in saying that you can't be involved in transactions involving the proceeds of crime, with consequences leading to penalties and punishment.
    But at the end of the day, regulators answer to the govt, so if a deal has been brokered behind closed doors, it wouldn't surprise me if it has been paid despite these laws…

    • +1

      Gilbert and Tobin have an article that makes it less clear cut than you have laid out:

      https://www.gtlaw.com.au/knowledge/ransomware-pay-or-not-pay

    • +2

      It's owned by Singtel. I'm sure they can find a way to get one of the overseas entities on an offshore island not under the jurisdiction of Aus laws to make a payment. It's a million bucks - small sardines to these companies to attempt to hopefully get the "hacker" to not leak anymore information. I also have a feeling they managed to obtain some collateral on the hacker / got their information and came to some mutual deal which avoided escalation.

  • +4

    When I ask for my late payment fee to be waived Optus says no. But when a criminal asks for 1m and not even a customer Optus says yes.

    The audacity! Lol

  • +3

    It is largely irrelevant what the hacker says and this doesn't change anything for anyone involved:

    • There is no guarantee that they're the only ones who had access
    • There is no guarantee that the data is deleted or won't resurface

    If your data was involved in the breach, you should still be following through with changing details where possible and taking precautions to prevent identity theft.

  • +4

    They emailed me to tell me my data was leaked.
    Over 5 years ago I realised Optus service was appalling, it caused so much stress and wasted time so I decided to never give them my business again. Still somehow being burnt by them years since being their customer.

  • I'm a former Optus customer. I got an email saying that my data was leaked as well, including ID numbers. However I didn't get any code for Equifax Protect? Anyone in the same boat?

    • +2

      Called them and they will give you the code for the subscription, they are not actively emailing the codes.

      • +2

        I was on chat with them for an hour before they gave me a code. cheap bastards.

  • +1

    I don't tend to place much trust in the word of extortionists.

    The data has been compromised, and that has been confirmed by both Optus and the hacker/s. If security has been violated then there's no going back on that. Any statements after the injury by anyone are irrelevant to that.

  • In my opinion.

    The bad actor/s came in using multiple IP source addresses. They eluded (or better, flew under the trigger points of) detection for some time, well long enough to dump the interesting bits of the db. This could be a result of the API service being on a test network (which had internet access). This network may have had little/relaxed to no detection policies in place to identify and block suspicious behaviour. This is probably where the 'sophistication' came from. This attack appears orchestrated vs just a hobbyist with a few lines of code targeted at some open API.

    We still don't know if optusdata is legit, and we don't know if there were others that also achieved a similar feat. optusdata could be one dude with the full dataset, a partial dataset or nothing more than those released samples. There could be others with this data who are currently hush.

    The mannerisms of optusdata are quite bizarre; it’s difficult to know if they are genuine, or if we’re being played. It really makes no difference, the data has been compromised, assume the worst and assume it’s going to get shared and leaked…eventually.

    • +1

      Multiple ips is not sophisticated. A twelve year old could do this with a bit of googling.

      • -1

        The official word from Optus is that it was sophisticated, so you've got to put weight behind that. There may be more to this than what a hobbyist/script kiddy could come up with. I don't believe Optus are there to mislead and the amount of parties now involved seems to indicate there is more to this.

        We are also not privy to what mechanisms Optus have in place to detect and block such attacks. This unknown could be what is driving up Optus's classification to sophisticated. It’s a matter of opinion.

        While the technical difficulty appears low, as you said a 12 y/o could pull it off, what's more difficult is to avoid detection while pulling that much data. This could have happened over an extended period.

        A castle could be well defended but if someone forgot to lock the gate anyone could get through. There is no difficulty in that. Walking off with the Royal jewels and castle valuables without detection is a little more difficult…..that is…unless you have an invisibility cloak…or can fly under the radar.

        • +10

          The official word from optus is that it was sophisticated, so you got to put weight behind that.

          That's just PR spin so they don't look like fools to the uneducated. Do you really expect them to say "we really stuffed up, left the door open and someone took advantage of it. A kid could've done it, that's how much we stuffed up. We're real idiots."?

    • +3

      was just going to post this link as well
      love the last line:
      Sources at Optus say the last-minute decision to remove the ‘To negotiate a ransom, press 4’ option on its call system was a masterstroke.

  • +3

    The hacker got AU citizenship and free English lessons in exchange of the data. What a bargain. 🤣😷✌🏿

    • -1

      If they said that, I'd say I'll be good, please don't send me to Australia.

  • Do people really think that Optus paid the ransom?
    I thought that regardless of whether you pay the ransom in these kinds of situations it doesn't guarantee anything, seeing as there's no way of knowing that the data hasn't been copied to a million other places.

    • +2

      Do people really think that Optus paid the ransom?

      Yes, and I expected them to as well.

      I thought that regardless of whether you pay the ransom in these kinds of situations it doesn't guarantee anything, seeing as there's no way of knowing that the data hasn't been copied to a million other places.

      This isn't my understanding. If black hat hackers get a reputation for doing this, nobody would pay the ransoms.

  • +1

    Honestly asking for $1m is not much at all, but to someone under 18 it's heaps.

    It was literally probably some teenage kid and Optus probably left a port open/folder accessible with wrong permissions on their cPanel/WordPress server lol.

    They probably chickened out when this all blew up.

    Even if not, $1 million is chumps change for any major company.

    • +3

      asking for $1m is not much at all

      Yeah, I think it was a smart choice. As you said, it's chump change to Optus (they wouldn't even stop to pick it up if they dropped it on the street). Almost guaranteed they'd get paid.

      It was literally probably some teenage kid and optus probably left a port open/folder accessible with wrong permissions on their cpanel/wordpress server lol.

      After the Optus leak, I may have spent 2 days manually verifying all the public endpoints I'm responsible for are secure, ensuring no configuration drift, etc :)

      Also funny how CBA, ING, Woolworths, etc are suddenly reassuring me that my data is safe with them lol.

      • There are people calling companies asking about it. We've had some where I work.

    • It was 1mil in USD so more like $1.5 mil

  • +1

    Regardless of the reasons, we all should just boycott Optus.

    • +3

      I did just that, almost two years ago.

      I am still paying for it

      • +2

        Same here. Left them over all the evenings of buffering 240p YouTube and not getting phone calls indoors.
        Still ended up paying lol

  • There is No way Optus paid.

  • Gladys Berejiklian (CEO of Optus) decided to drop the ransom money after thinking of getting caught again.

    Third time's the charm with her.

  • I'm glad Optus paid him. Good move from the hacker demanding such a small amount of money (less than $1 per customer).
    Hopefully I wasn't one of the lucky <1% of (former) customers included in the sample leaks.

  • +2

    How do we know this hacker is a "he"?

    • "they" identify as a tomato plant

  • +1

    Guy got cold feet due to media attention and didn't want to get caught. Optus didn't pay a cent.

  • only script kiddies use VPNs, grown-ups don't

  • Why is the huge trove of data even needed in the first place for a $20/month phone plan?

    Optus is definitely negligent but may have been used by the media as an easy scapegoat when they were legally obliged to collect that information. The cynic in me thinks big data collected can be sold or used to turn Australia into a police surveillance state.

    https://www.sbs.com.au/news/article/why-human-rights-groups-…

  • +1

    Doesn't matter. Irrelevant. Our data is leaked, and that's all that matters.

    Asking questions about whether the hacker is a good boy or not, or what he did after stealing the data, is pointless.

  • Hacker was paid. 1.5 Mil was considered cheap compared to daily leaking of government defence officials' personal details which Optus would have to deal with and many lawsuits. Putting a stop before the government kicks Optus out of business.

    Agreement was to say not paid and say sorry as a press release, which actually works better than their CEO saying anything useful. Pretend they never got paid, and data confirmed to be deleted was a condition, else FBI, Five Eyes, security agents will be after him.

    Other hackers on the Dark Web probably thought it was too cheap for the information. So the hacker was under threat as well. Thought it was too dangerous to be the middleman of everything, finally chose to rather deal with Optus than other hackers trying to steal info from him and sending threats to him.

    This happened after the first leak of 10k accounts because he did not know what he was getting into. Caught too much attention in both the Dark Web and the real world with authorities.

    The final Twitter post was basically a payment thank you to Optus for paying and saying 'yes', I no longer have the data and won't leak any more after payment, so the dark side won't chase him either. The agreed terms of Optus paying (not going to send him to authorities but rather identify him as a vulnerability reporter, given funds to identify the exploit as suggested on the Twitter post). He also apologised because he believed he shouldn't have leaked the 10k accounts in the first place, which got him into even more trouble to begin with, unknowingly the list contained defence forces and caught Five Eyes' attention.

    All actions suggest this hacker is inexperienced and an amateur.

    The 10k accounts floating around are being used by other hackers to send you SMS threats, probably not himself. It's already too late.

  • +1

    I reckon someone else paid the ransom. And by ransom, I mean they bought them off the hackers to do their own nefarious things

    • Optus is the big winner, less talk about the issue, 10000 leaks everyday woulda been a PR killer.

      Now everyone's data is out there for the ripper price of 1 mil for 8 mil data points of high quality info. Ultimate Ozbargain for overseas crime groups.

  • Perhaps this isn't the best place to ask but does anyone know where I could find the database?
    My parents were previously Optus customers and they are concerned what data has been leaked.
    Haveibeenpwned does not let you search by drivers license or residential address and I'd like to verify that these aren't available online.

    • A fellow OzBargainer has made a website to check if you're part of the 10,200: https://www.ozbargain.com.au/comment/12735539/redir
      I can send you a link if you don't want to use the website.

    • Only 10k available so far, so your parents cannot (yet) access the bulk of stolen data.

      But some relief can be felt from knowing you're not part of the 10k sample batch. Follow the link provided by the other reply to your comment, the user "mrdng" has made a site which basically is the same as "Haveibeenpwned" but just for the Optus 10k. Even though he's not putting his real name to it, there's no indication he is dodgy, it looks in order.

  • +2

    This whole Optus saga is a shambles.. luckily I've never joined.

    • +1

      Lack of information from the CEbozzO … claiming they are the victim … Govt have to request they do the right thing, Optus will burn for this, when they could have done the right thing and got some sympathy from their customers: https://t.co/NiwtiHfEkX

  • The hacker just realised his details were in the 10200 leaked.

  • Media/police etc now seem to be focused on the 10,200 records rather than 9.8 mn that got stolen
