ShopBack Data Breach

13 Nov 2020 (Update)

Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September.

We are acutely aware that this may cause you further inconvenience and are deeply sorry for this. As mentioned in our previous communications to customers, your cashback is safe, and your passwords are hashed with a unique and dynamic salt. This data does not contain any credit card details, and ShopBack does not store your 16-digit card number or CVV on any of our systems.

We want to reassure you that we have further enhanced our security measures since September; taking the following steps:

  1. We have verified the removal of unauthorised access and ensured that our systems are now in line with intended configurations.
  2. We have further improved the storage of our unique salted passwords by encrypting using a separately stored 'pepper'.
  3. We have partnered with CrowdStrike, a world-class endpoint security and threat intelligence platform, to monitor for suspicious activity across all our systems.

In the coming days as a precautionary measure, we will be triggering a forced logout and password reset of customers’ ShopBack accounts.

We have also rolled out a self-deletion feature on our site to give our customers the ability to delete their accounts quickly and easily themselves without the need to contact ShopBack. See this 'How To' link to self-delete your account. We can also continue to assist customers with deleting an account if this is their preference.

Meanwhile, our investigation is still ongoing and we continue to cooperate with the Office of the Australian Information Commissioner.

We thank you for your continued support and we will continue to release further updates. Please reach out to [email protected] if we can help out at all.


26 Sep 2020

Hi guys,

We know the trust you place in us to safeguard your personal information which is why we’re proactively writing this up. A few days ago, we became aware of an incident involving unauthorised access to our systems which contained our customers’ personal data. We are currently confirming which data has been compromised.

As soon as we became aware of the issue, the unauthorised access was removed. We immediately initiated an investigation and engaged leading cyber security specialists to assess the extent of the incident and to further enhance our security measures. We are also collaborating with relevant authorities.

To date, we have no reason to believe that any of your personal data has been misused, however the possibility still exists. What we can assure you of is that your cashback is safe, we do not collect credit card details, and your ShopBack account password is protected by encryption.

You may continue to access your ShopBack account and use our services as business operations have not been affected by the incident.

We understand that this incident might raise some questions for you, and in this regard, we have established a dedicated email address, [email protected], if you would like to contact us. Please also refer to the customer FAQ on our website which has further details.

While your password is encrypted, you may wish to change your ShopBack account password, and we suggest that you do not use the same password on other digital platforms.

We recognise that this is unsettling news and we are deeply sorry for any inconvenience this might cause you. The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future.

Thank you
Team ShopBack


FAQs In This Post

How do I close my account?
See this 'How To' link.

How long will it take to close/delete/deactivate? Can I recover my account?
It will take us up to 48 hours to close/deactivate/delete your account after receiving your request. We will not be able to reinstate/restore or retrieve any information (this includes cashbacks associated with the account).

Can I still get my cashback after closing my account? What about pending cashbacks?
In order to ensure that you receive your cashback, you will need to request a cashout and confirm that you have received it before submitting a request to close/delete/deactivate your account. Cashbacks that have not been confirmed will not be able to be processed. You will not be able to cash out pending cashbacks after they become confirmed, as we will not be able to track and link them to you once we have deleted all your information.

I'm not receiving the password reset emails
Our systems are processing the requests and the emails will get to users soon (update: email services have been restored and functioning normally). Alternatively, you can also reset your password by clicking on "Update Password" under https://app.shopback.com/account.
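The notice above says passwords were stored as hashes with a unique per-user salt, and that a separately stored 'pepper' was added after the incident; the Have I Been Pwned entry quoted later in the thread identifies the leaked scheme as salted SHA-1. The following script is an added example, not ShopBack's code, and makes no claim about how ShopBack applied its pepper. It builds a constructed user table under both schemes, runs the same offline dictionary attack an attacker with a leaked table would run, and shows that the salt alone does not stop that attack against a fast hash, while a pepper the database never holds does, provided the pepper itself is not leaked. All emails, passwords, the wordlist and the pepper value are made up for the demonstration.

```python
"""Salted SHA-1 vs. a peppered HMAC: why a leaked table of the first kind is
crackable offline and why a separately stored pepper changes that.
Added example with constructed data; not ShopBack's implementation."""
import hashlib
import hmac
import os

# Constructed sample accounts and wordlist (not real breach data).
SAMPLE_USERS = [
    ("alice@example.com", "password123"),
    ("bob@example.com", "summer2020"),
    ("carol@example.com", "kX9#v2!qLm7$wZp4"),  # not in the wordlist
]
SAMPLE_WORDLIST = ["123456", "password", "password123", "qwerty", "summer2020"]

# Hypothetical pepper. In production it lives outside the database
# (KMS, HSM or a secret store) so a database dump does not include it.
PEPPER = bytes.fromhex("7f3b9c1d4e5a6b7c8d9e0f1a2b3c4d5e")


def sha1_salted(salt: bytes, password: str) -> str:
    """Per-user salted SHA-1, the scheme HIBP reported for the leaked table."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def peppered(salt: bytes, password: str, pepper: bytes = PEPPER) -> str:
    """Salted digest keyed with a pepper the database never holds.
    HMAC is used rather than plain concatenation so the pepper acts as a key."""
    return hmac.new(pepper, salt + password.encode("utf-8"), hashlib.sha256).hexdigest()


def build_table(users, hash_fn, salt_len: int = 16):
    """Simulate what a breached database contains: email, salt, hash."""
    rows = []
    for email, password in users:
        salt = os.urandom(salt_len)
        rows.append({"email": email, "salt": salt.hex(), "hash": hash_fn(salt, password)})
    return rows


def crack(rows, wordlist, hash_fn):
    """Offline dictionary attack over a leaked table.

    A unique salt defeats precomputed tables and forces one hash per
    (row, candidate), but with a fast hash such as SHA-1 that is still
    millions of guesses per second on commodity hardware."""
    found = {}
    for row in rows:
        salt = bytes.fromhex(row["salt"])
        for candidate in wordlist:
            if hmac.compare_digest(hash_fn(salt, candidate), row["hash"]):
                found[row["email"]] = candidate
                break
    return found


def demo(users=SAMPLE_USERS, wordlist=SAMPLE_WORDLIST):
    """Run the attack against both schemes and return what each recovers."""
    leaked_sha1 = build_table(users, sha1_salted)
    leaked_peppered = build_table(users, peppered)

    # Attacker holding only the table guesses a pepper; the guess is wrong.
    def wrong_pepper(salt, password):
        return peppered(salt, password, pepper=b"attacker-guess")

    return {
        # Table only: salted SHA-1 falls to the wordlist.
        "sha1": crack(leaked_sha1, wordlist, sha1_salted),
        # Table only, pepper unknown: every candidate fails.
        "pepper_without_key": crack(leaked_peppered, wordlist, wrong_pepper),
        # Table plus the pepper (e.g. both leaked): the pepper adds nothing.
        "pepper_with_key": crack(leaked_peppered, wordlist, peppered),
    }


if __name__ == "__main__":
    for scheme, recovered in demo().items():
        print(f"{scheme}: {recovered}")
```

The pepper only helps while it stays out of the breached dataset, which is why the announcement's word "separately" is the important one. It also does nothing to slow an attacker who has the pepper; for that, the password hash itself needs to be a deliberately slow construction (bcrypt, scrypt or Argon2) rather than a single SHA-1 or SHA-256 pass, and the two measures are complementary rather than alternatives.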


Comments

      • +2

        Telstra. Their fraud team just called me back after I opened a case with them and they're going to filter my number for the next few weeks.

    • Similar thing happened to me, someone left me a message saying they were returning my call even though I hadn’t rang anyone other than people I know

      • +1

        Yeah, I had a couple of messages like that yesterday. The people leaving the message sounded genuinely confused about WTF was happening, so it sounds like my number was being spoofed rather than it being a fishing expedition - to what end I don't know.

  • I've just emailed them to close my account.

    Hope it works.

  • +1

    old info:

    I am no longer interested. How do I deactivate my ShopBack account?
    Oh no! We are sorry to see you go.

    Please be advised that once the account has been deactivated, you will no longer be able to use the same email address to create any new accounts under ShopBack.

    If you would still like to proceed, do reach out to our friendly live chat agents here and we will help. We are available from Mon to Fri, 11.30AM - 10PM AEDT, excluding Public Holidays.

    new info:

    We are sorry to see you go.

    Please be advised that once the account has been deactivated, we will not be able to reinstate/restore or retrieve any information associated with the account. Do note all the Cashback in your account will be forfeited after the deactivation.

    If you wish to withdraw your Cashback prior to getting your account deactivated, you will need to request a Cashback withdrawal provided that your available balance meets the minimum threshold for withdrawal which is $10.

    Take note, only available/confirmed Cashback can be withdrawn. The cashback that has not been confirmed cannot be withdrawn and does not count into the balance available for withdrawal.

    Please ensure that your withdrawal is completed and your money is in your bank account before you proceed to deactivate your account.

    If you would still like to proceed, please email [email protected] using your ShopBack registered email.

    We will deactivate your account within 48 hours.

    Note: If you have a mobile number attached to your account, you will receive an SMS from ShopBack. Don't worry, you don't need to reply, this is triggered by our security process as an account is being deleted.

    does this mean they now remove your info completely? can you answer this question rep @gotypurback pls?

  • +2

    Received numerous spam calls since the breach. One from 0488 851 102 just today.

  • +9
    Merged from Unethical ShopBack and Should They Be Banned for The Hack? Creeping on Customers via Linkedin?

    So we all know about that time Shopback got hacked and allowed someone to access their customer database and potentially sell and/or give away all customer details on the darkweb or anywhere else.

    They proceed to try and downplay the situation, send one email to customers and never any followups from then onwards. They pretended that they didn't know of any customer data being used by malicious parties. But then there were lots of reports in the shopback hack thread that people were getting spam emails and calls, as if their stolen shopback personal data was being used. Shopback ignored all this and didn't tell customers anything further.

    Ignoring customers: https://www.ozbargain.com.au/node/568593?page=9#comment

    They then went on with business as usual. They mostly ignore a lot of people on ozbargain but they do reply to a few Google reviews (they currently have 1.3/5 on Google) using poor grammar and saying nothing more than "soz": "we're truely sorry for any inconvenience caused - please reach out to us at [email protected] if we can be of any assistance.".

    Now they go back in to promotion mode as if nothing has happened. You can see in this thread that they actively reply to comments asking about shopback promotions but ignore comments about the hack:

    https://www.ozbargain.com.au/node/574576

    Now it has come out in this thread that they are creeping on customers via linkedin if you leave them a bad review. I asked if they creep on customers via linkedin during office hours or do they do it secretly at night time in own time but I have not got an answer.

    As such, should they be banned for their behaviour for 3 months as a warning? I don't think they have learned their lesson. They compromised all customer data and proceeded to downplay it, never sent any follow-up email about the situation or alerted customers about claims that data is actively being used by malicious parties, and then ignored all customers on ozbargain.

    • +7

      Should they be banned? Yes
      Will they be banned? Probably not because of blind up-voting from people on here

      • +3

        Bloody oath they should be banned

    • +1

      Apart from announcing they got hacked, and apologising, what are you expecting the company to do?

      Companies all around the world are hacked: Sony, Canon, Garmin, LinkedIn, all with much bigger IT/security budgets than these guys, I'm sure.

      • +7

        Using some accountability and letting customers know their data has been used maliciously would be a good first step.

        Also "The security and privacy of our customers is of utmost importance to us, and we commit to taking all the steps we can to minimize the risk of a similar incident occurring again in the future."

        What steps? What has been put in place to ensure this doesn't happen again?

        • +1

          Exactly how would a company prove its leaked data was being used by hackers, as opposed to being from some other source?

          Hackers don't publicly announce what data they are using

          • +1

            @SBOB: Did you forget that they have top security experts…

            • -1

              @Sammy Boi: As opposed to LinkedIn, Twitter, Canon, Garmin.. (I'll leave out Sony as they definitely didn't)

              Having good IT security experts doesn't mean you can't get hacked.

              It just makes the barrier to entry higher, or the chances of mistakes getting through lower.

          • +4

            @SBOB: From a company who has such a big presence on Ozbargain I would 100% suspect better. They are happily posting away deals, happy to move on and pretend this never happened.

            What have they done to show that we should trust our data with them again aside from a vague 'we will consult' message?

  • -3

    If I was a business I would check to see who left bad reviews so I could block them from further business (like Ebay feedback)

  • +1

    Have also received spam calls from the ATO/Services Australia etc all automated.

    Hoping we can move on from these SMS verifications…
    Would also prefer a username and the email to not be the login username.

  • +5

    OP you need to update us instead of posting deals

  • Yeah, let us know how the hacker got in, like what the hole was, what method they used, etc.

    • What company is going to announce that kind of info after a data breach?
      (let alone if that level of info can be determined post analysis)

      It's an unrealistic request when you look at data breaches across other companies and what the following notifications/responses were

  • +6

    So apparently someone used my phone number to book a car hire in another state, under a different name. Had some voice mail messages from the admin there giving me updates on the cars availability.

    Not sure why someone would do this but I'm 95% sure it was from this hack, as the number is a disposable $2 SIM I strictly only use for unimportant signups with mandatory phone verification. Feel for those who gave their main number.

    • or…or…
      someone just transcribed or mis-typed their number by one digit that aligned with yours

      What's the point of using someone else's mobile.. you still have to pay when you hire a car :/

      • +1

        Yes, I thought that might have been the case as well but..

        1. The timing with this hack is a little too coincidental
        2. I've also had the same ATO "arrest warrant" scam call on another family members number, around the same time others reported here
        3. This number isn't used for much else, though that doesn't disprove a mis-type explanation but it does narrow it down to this leak if it isn't

        .. all leads me to not give them the benefit of the doubt. Regardless it doesn't hurt to report in this thread in case it happens to anyone else.

  • +5

    I had my Airbnb account hacked, same email and password as ShopBack.
    They made a booking for an Airbnb in Sri Lanka 😅
    On top of this, quite a lot of spam emails, including one that included my password in the header and tried to extort me for money by saying they had video of me jerking it to porn

  • +1

    I received a Wish.com "please confirm your new email address for wish" to my Shopback email address today. I have never registered on that site before. Anyone else get this ?

  • Just a call saying that my number had called them. 99.9% sure it was from this breach. FFS…

    • -1

      Why would a spammer spoofing a number need to use a data breach to come up with a fake number to spoof?

      They would just be using some random/semi random number generation for the mobile number they spoof, just happens to be that it aligned with yours.

  • Since around the time of the data breach, I've been receiving a few "claim your free bitcoin" type emails, but I could have been receiving them before the breach.

    However, I've received a few SMS from a car dealer that I bought a car from years ago, and 2 real estate agencies I rented through years ago.
    I've had no contact with them for years or since the transactions.

    Related?????

  • +4

    Has anyone else been sent a request to review ShopBack on Trustpilot?

    I got sent an invite on the 28/10/2020; it seems they're attempting to rebuild their brand image with five-star reviews.

    Seems they made a mistake sending it to me.

  • +1

    I wasn't aware of this data breach until I read it here today. I have a shopback account but was never notified by them about this breach, pretty poor practice.

  • +1

    I just read about the breach now. I was wondering why Google flagged a bunch of my less important accounts as compromised and the increased amount of spam, I couldn't figure out what the source was. Would have been nice to have been notified…

  • +1

    Wow, that latest update is scary and I'm definitely closing my account now - regardless of what promotions you'll be running in the coming days, weeks and months!

  • +16

    For anyone interested - here’s a link, someone’s selling all the data from the ShopBack data breach. S*** just potentially got real.

    Edit:

    Sample of stolen data

    Worse than we all thought, and didn’t even get notified to this sneaky November 13th ‘edit’ to the post without the above commenters notification…

    • +2

      Name, email and hashed pass(if I'm reading that right)?
      In the scheme of data breaches, doesn't seem like a big deal.

      Most would have those details already leaked. If your email's in haveibeenpwned then it's nothing additional to what would already be out there.

    • -3

      looking for accounts to buy?

  • +4

    Suppose you're going to continue to ignore EVERY enquiry/question in regards to this, whilst continuing to reply to everything else

  • I understand that my data is not private and my expectation is that if it's online then it's probably going to be taken at some stage.
    I can put up with spam emails and spam phone calls; however, I got a call on Friday from an elderly gentleman who called me frantically saying that my number had just called him, asking for money for the ATO.

    I'm not cool with my number being used to spam other people… Other than cancelling my number, what can I do here?

  • +2

    Was this emailed to all customers? or just two sneaky updates to Ozbargain at 10pm on a Monday night/After work on a Friday night…

  • +4

    Honestly while this is a concern and all, what will deleting my account do now other than allow Shopback to keep cashback that is owed to me?
    Feels like locking the gate after the horse has bolted.

    I've had a significant amount more spam calls in the past few weeks, likely to have come from this.

    • +5

      Updating because I see this under a lot of the 5 star reviews (which have come out of nowhere suddenly) on Productreview

      Review collected in partnership with Shopback
      The reviewer stated that an incentive was offered for this review

      Rep, are you trying to pay people off to hide the negative press?

      On Trustpilot positive reviews have skyrocketed all of a sudden and most of these accounts this is their first review.
      If you spent as much time replying to customers and fixing your security issues as you did covering them up and paying them out maybe the situation would not have escalated so much.

    • Honestly while this is a concern and all, what will deleting my account do now other than allow Shopback to keep cashback that is owed to me?

      It will make sure that it doesn't happen again since you won't have an account you have no control over and can be breached again as Shopback isn't addressing this breach, let alone advising what they will do to stop it from happening in the future.

      • If my personal data was that easily changed it wouldn't be a concern. However, chances are it's already out there.
        Not sure if I can even trust that my information will be entirely erased when I delete/"deactivate" my account.

        • Note 'future'.

          You can't do anything about the past, but you can about the present and future.

          Shopback only advised of the breach and while I don't expect them to tell me step by step how it occurred, nor am I interested, as it doesn't change what happened, I do want to know what they did to make it secure, yet they are still keeping us in the dark. Many sites have been breached in the past, yet it's about what they did to make sure it doesn't happen again, that will make it whether I trust them again or not. The card you have given to shopback can be replaced, but if nothing has been done, then no point in giving them a new card to withdraw money when it can happen again.

          Just imagine what can happen when Australia introduces a full face recognition system, where you deal with government and other companies. Where not just your details, but your face as well goes to the dark web. What are you going to do then? While secure systems are good, they are not foolproof. You only need one hack and you can imagine the nightmare.

  • +2

    I am not sure if this is related but in the past week, I have had unauthorised log ins to my Evernote and Spotify using my same email address as the one I use for shopback. Has anyone else experienced this?

    • +1

      Exactly the same for me re: Spotify
      The only other application I had that used the same email and password as Shopback - can really be no doubt about it!

      • +2

        I had that used the same email and password as Shopback

        well, if you want to make life easy for hackers :/

        • I know!
          I didn't even realise I had a Spotify account in the first place 😂

    • EverNote here. Was the login from Vietnam?

      • Yes, Evernote log in from Vietnam. Spotify log in from US.

  • +7

    Just as an update.

    22 million lines of Shopback data have been released.

    13.5 million contained password hashes.

    6 million of these password hashes have now been cracked.

      • +1

        Also a couple of versions in circulation.
        One contains
        Emails, IPs, hashes, bank, phone, full name

    • +3

      6 million of these password hashes have now been cracked

      and this continues the lesson about why you should not use the same password between any sites…
      regardless of what site gets hacked, it's just a matter of time until some data breach leaks that info.

    • Dupe account? Account created on 17/11 just to post this, with location "Hello".
      And now mysteriously disappeared with last seen date on 18/11. Very sus.

      Not saying you are the hacker, but where's the source of this info?

      • The fact that they deleted it all off quickly afterwards as well doesn't sit well with me.

        • +1

          yeah… they replied almost immediately after each other and deleted their comments. The dealhunter user also posted a link to the hackers thread (which was posted by the hacker a day earlier to dealhunter's comment)

          • @skido: Deleted my comments because I have no control over who reads them, that’s all. No association…

  • +3

    The only other website where I used the same password as ShopBack just got logged into….

    Website was EverNote

  • +2

    Just received spam / phishing SMSs to my mobile……………..

  • +2

    Latest update is quite scary. Account deleted, bye Felicia (even though the damage is already done).

  • +2

    My hacked email has had attempted logins to my Apple ID, Facebook, Spotify and god knows what else. Receiving multiple calls every day from 03 numbers. Multiple scam emails straight to my inbox.
    I have 5 emails so I don’t remember the password used for ShopBack before they forced me to reset it. That helps.

    Nothing we can do about it other than change our numbers and emails as everything is on the Deep Dark Web

    Can they find out which websites we visit based on the IP info they obtain?

    • +1

      I've also had appleID and spotify logins from overseas that I can only logically conclude are linked to this breach. What a nightmare!

  • +1

    Just got a warning about this breach from LastPass. Better late than never. I can't find any notification email from shopback. Did I miss it?

  • +1

    Don't really care about how Shopback tries to up their security, not gonna use them anymore. They cannot be trusted; it's not the first and it's not the last time.

    I requested my account to be deleted

  • -3

    You don't invite pests into your house and then complain about the rabid breeding.

    You want equality and now they've taken your identity and your life savings next. You can't complain to anyone but yourself.

  • "Several hours ago, we became aware that a party has made available online our customers’ data, which was taken during the unauthorised access to our systems back in September."

    HAHA! I was right shopback; you silly, disrespectful, customer-ignoring company.

    Very shameful of you.

  • Merged from ShopBack Data Breach 2020, for Last Few Months Constant Attempts to Hack Email

    My email account is being hammered, every night there is attempts from all round the world to try and get access.
    I obviously changed all passwords associated with my email address after the hack. I have a good strong password and 2FA, so hopefully they can't get through, but it's disconcerting seeing the constant efforts of these scammers.
    I believe this goes back to the ShopBack Data Breach last year.
    Anyone else noticing the same attempts on their email since the breach?
    I'm even considering changing the email address and starting fresh.

    • +4

      Was it a unique email address or one you use everywhere?

      How could you assume that it's due to the shopback breach as opposed to any other data breach or newsletter you happened to subscribe to?

      • +5

        Good one Shop Back Online Backend (SBOB) ;)

        • Yeah, you got me :)

          Just seems unlikely it would be based on shopback of all the possible sources of places people use their email addresses

          (Shopback user here, no sign of any hack alerts from Google login attempts)

          Having 2FA enabled makes it very unlikely the end user would be hacked, unless it was a specifically targeted attack

    • +2

      Currently, the hackers' MO is using IMAP (that is, they use desktop email to sync with, for example, your Outlook / Gmail).

      IMAP bypasses 2 factor authentication.

      If your email software is Outlook, my strong suggestion is to change your password AND use "Alias" method. Without trying to alert potential hackers here, doing this has COMPLETELY stopped the attacks on my Outlook. Be warned, going this way has its drawback but it's tolerable.

      • Yes, it is Outlook,
        and yes, it is mostly IMAP, but I have also seen POP3. So far all I've seen is unsuccessful syncs, but generally about 12 attempts daily, and interestingly it's 3 or 4 at exactly the same time but from different countries.
        I changed my password to 'hopefully' a very secure password after the Shopback Data Breach

      • burningrage, Ive enabled an alias, lets see what happens
        Thankyou 👍

    • +5

      But they gave everyone a $3 voucher. You’re supposed to be happy now.

    • +2

      I used a unique sub-domain for my shopback address and periodically I see DNS lookups for:

      imap.my.unique.domain.com
      mail.
      mail1.
      mail2.
      pop.
      pop3.
      smtp.
      webmail.
      mx0.
      mx1.
      secureimap.
      incoming.
      auth.

      and of course MX lookups for my.unique.domain.com

      So someone is very interested in discovering those mail services.

      I've since changed my email & password with shopback and removed the sub-domain, and the breach is no longer an issue.

      Even though the email address is not listed on haveibeenpwned, it is clear someone has the details and is trying to make use of the information

      • Where do you get this info? I want to look up mine to see if I get the same thing or not…

  • I have been getting several unsolicited calls from 03 7037 63XX in recent days. Shows up as coming from Melbourne, but are clearly scammers from the subcontinent. Wondering if anyone else stung by the Shopback breach has been receiving these?

    • +1

      My wife and I have been getting calls from 'Services Australia' about a tax debt which they have issued a warrant for. We both have SB accounts.

      • What did you say to them?

    • Same here, Drewbo.
      Definitely from the subcontinent. The accent is a dead giveaway. They pretend to be calling from Services Australia claiming I have an unpaid tax debt.

  • Anyone had attempted fraudulent transactions on a card linked to their Shopback account? I just had one in the US. Could have been from anywhere, I know, and not blaming Shopback. Curious if others have had issues.

    • +1

      Doesn't shopback only link to an account BSB & number? How does a card come into this? Sounds unrelated to me

      • +1

        Dunno really but just deleted the problem card that was on my Shopback App. The one it used for buying gift cards.

        • +1

          Oh, then maybe it is related

  • Is anyone still using this or nah?

  • SO….is there any more updates? Coz….imma still waiting for this to be answered…..

  • Just got my first you should give me $1500 worth of bitcoin because I know what your email address is type email. They claimed to have hacked both my microphone and webcam. Looking at my daily uploads <0.27GB must be some pretty low quality video.

    Just pondering if I should change the important stuff over to a new email address.
    I have bad memories of how many emails I used to get from Onliner Spambot + a few other things that thought I needed to know about their crappy products and or the latest threat of the week.

    Anyone know of any settings or add-ons that I can use in Mozilla's Thunderbird, if you think making a new email address isn't required? :)

  • +1

    I have just started getting phishing emails from "Apple" sent to my unique Shopback email address. So the breach data is definitely out there now.

  • +6

    Have I Been Pwned has just confirmed I was an impacted user in the data breach. FYI anyone who was wondering, you can now confirm if you were impacted.

    From email:

    Compromised data:

    Email addresses, Geographic locations, Names, Passwords, Phone numbers

    In September 2020, the cashback reward program ShopBack suffered a data breach. The incident exposed over 20 million unique email addresses along with names, phone numbers, country of residence and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by dehashed.com.

  • +4
    Merged from It's Official: I Have Been Pwned in The ShopBack Data Breach

    Just received an email from HIBP saying that my email has been detected in the ShopBack breach. Check if yours has been leaked at https://haveibeenpwned.com

    Change your passwords if you haven’t already.

    New breach: ShopBack had 20M email addresses breached in September. Data included names, phone numbers, country of residence and salted SHA-1 password hashes. 60% were already in @haveibeenpwned. Read more: https://support.shopback.com.au/hc/en-us/articles/3600541412…

    https://twitter.com/haveibeenpwned/status/138619433827994419…

    • +1

      Same

    • +5

      Yep got the same email

      "In September 2020, the cashback reward program ShopBack suffered a data breach. The incident exposed over 20 million unique email addresses along with names, phone numbers, country of residence and passwords stored as salted SHA-1 hashes"

      Shopback disclosed the breach last year but it appears it's been leaked now. If anyone has reused a password from that site anywhere else, then it's time to change it.

    • Still would love to hear how that "report" went to OAIC.

    • +5

      Pain in the ass

    • +6

      Used to never get any scam calls but since this breach it's at least a few times a week now and has increased a lot in past month

      • Does Shopback even have your phone number? Why?

        • +1

          To send 2FA texts
