Two Security Breach notifications in the last 24 hours - Related to Shopback Data Breach Incident?

Hi all,

Yesterday morning, I received an email from Outlook (or Microsoft rather) saying an unusual login was detected.

Looking at login history, a login was made from Korea and from what I can see, it looks like the person is trying to sync my Outlook to an IMAP account (which suggests a desktop mail client). Before I hit that "It wasn't me" button, the email said Microsoft has blocked access to Email, Contacts, and Calendar and at that time, the alias did show my email address.

After I hit that "It wasn't me" button, the status changed into Successful Sync but the alias becomes nil. I cannot determine if this actually means the sync of my inbox to the criminal's IMAP account was truly successful or it was successful but to nil (because the alias was nil). I feel this is just the way Microsoft is telling me the breach was stopped but I am not 100% sure.

Fast forward to this morning, I received an email from eBay saying they detected suspicious activity and decided to reset my password and security questions.

Upon recovering my login, I checked the login history but it only showed my current session with no other recent logins.

In both incidents, I changed my passwords.

I know there has been a Shopback data breach. One of the common denominators between these two security incidents I've got is that they both have the same contact email address. This email address is used as a correspondence with Shopback too.

Lately, I have been seeing posts in Ozbs about the aftermath of this security breach. The recent one being 9 days ago.

It may or may not relate to Shopback but I would be on high alert for the next few weeks to see if there is another incident but looks like it's much closer to home than I thought.

I hope it doesn't happen to any of you guys.

Cheers

Zz


Comments

  • +1

    Don't use the same email for all your internet activity.

    • I split it. That's why I can see the same common denominator being this email. Rather that's why I can deduce this might be related to Shopback as I used this email address as correspondence with Shopback.

      On other sites where I don't use this email address, so far no hack attempts.

    • or same password (which it sounds like the OP did)

  • What time did these incidents happen?

    • eBay - about 8.19am 20/11/2020
      Outlook - about 8.50am 19/11/2020

      So all around 8ams.

  • +2

    Welcome to the Internet.

    Make sure 2FA is enabled whenever possible.

  • +1

    2FA and different passwords are critical.

  • +2

    Korea

    Kim jong un going after your cashreward points

  • It is troubling that your history is no longer available - it kind of looks like a cover up by MS to me. Generally they want sole access to your data along with you - any news of security breaches would affect their huge business with corporations. It is a choice to remove or delete history.

    • +1

      Normal procedure in Azure. It may not be policy, but might as well be. The RPs respond really quickly to cover things up and everyone else helps to 'contain the incident' by calling it impact mitigation. Their KPIs compel them. The company has left the doors open all its life, with software they bought or wrote they never once decided to get ahead of the users on security, and for decades spread security by obscurity as the primary control. Now they have all your data in the cloud and it is only their hands on the locks. And rather than checking the locks work properly before (let alone after) an incident, they just obscure that activity that occurred. It's a matter of, 'move along, nothing to see here'.

      PS. The IMAP login is more likely the attacker's script collecting the contents of your account, not a client

      The solution here is to realise that breaches are catastrophic and make you a permanent, ongoing target. The more they collect, the more you will be targeted in future. Take this as an early warning, protect everything, get out of the cloud, reduce your footprint, delete as much as you can, close as many accounts as you can, and lay low for as long as you can bear. The detox will be very beneficial, esp if you spend the time away from screens for a bit ;-)

      • That's why I am on high alert.

        It is perhaps fortunate I designate certain businesses into certain email as a natural containment effort should this sort of thing happen.

      • Oh, I'm already there. I use opensource for phone and laptop. Rarely connected to data on the phone. Use duckduckgo instead of g00gle. I don't use cloud for anything. Use offline email. I spread copious amounts of misinformation re my details in accounts, fb etc. Our router is on a timer (turns off at 11, on at 6) and has a whitelist for access. I'm like an animal running from cover to cover 😁. Nice to see that someone else hasn't sold their soul just so they can tell their lights to turn on and off.

  • +1

    The more we all rely on life on the interwebs for everything this will be the normal.

    • Yes, we're a flock of sheep to be shorn and some times led to slaughter. Give us a few little toys and we won't complain - we'll even pay for the privilege (g00gle home etc)

  • +1

    Did you consider the emails warning you were the actual scams?

    • I did. That is why I went to each individual site by its actual URL and saw them myself.

      Of course I didn't click into any of the email links.

      The only weird thing is eBay didn't have any record of breaches other than my current session at that time BUT I did get an eBay notification of a breach nevertheless (and it's bona fide). Anyway, the email was real when it said my login password has been disabled so I have to manually go and "forget password" myself and 2FA activates.

      Maybe a ploy to get everyone into 2FA who knows.

      Shopback did something similar too lately. Sent an email my email has been disabled and I have to register 2FA and set up a new password.

      • Yeah just saw a massive data dump of thousands of sites had been released. I would say that was the source. Go to haveibeenpwned.com to check

  • One of the common denominators between these two security incidents I've got is that they both have the same contact email address. This email address is used as a correspondence with Shopback too.

    Is this your common email address?

    Feel free to jump on the hate-train but let's be realistic here

    • It is.

      I designate certain businesses into certain email. For example, banking and finance - one specific email. Social Media and others - another specific email.

      So when I got the emails about breaches, they are consistent to the businesses that use this email.

      In other words, I know this won't affect my other sites like say, Social Media subs as I would be using a different email address.

  • +1

    My PayPal got hacked last weekend as well, person in SA bought himself a pair of Air Jordans and delivered it to a business address (managed to get in the order confirmation page). And yes common email and same password, set up over a decade ago. Have turned on 2FA for all emails and PayPal

    • Same password as shopback? Was the password strong or weak? Does this mean the shopback leak has our passwords?

      • +1

        Yeah same password. I would say medium strength, one cap letter and numbers. I use a different password for all the other important stuff but forgot about PayPal as it's auto login.

        I have been getting that "your password has been compromised" Chrome popup ever since the ShopBack incident though. Also a sh*tton of spam emails for the past few weeks.

        Before the incident, I looked at my Outlook sign in history and there were loads of unsuccessful IMAP or whatever type of logins, then I changed to 2FA and it dropped off a bit. I just checked the history again and since October there have been 3 attempts from Bulgaria and Turkey but they've actually tried with an incorrect password instead of the usual error I saw before. I would say there has been a password breach at SB..

      • +2

        @ MeesusEff, me too. Same password as Shopback.

        That's why the title of this thread is "Related to Shopback Data Breach Incident?".

        EDIT: So it looks like this is becoming more than a smoking gun.

      • +1

        Aaand I just got an email that someone successfully logged into my Agoda account today from the US. Lol, same password but no caps. Looked in Agoda and no way to delete account but luckily I haven't used it for a long time and have no payment stored. But my mobile number was there so hopefully they don't do anything with it (guess it's on SB as well though)

        • Well, I hope you've learnt your lesson: don't reuse passwords

        • Sorry to hear this.

          I have to say all has been peaceful with my password for ages until SB incident happens and this is now turning up.

  • Just now, I checked my account activity history within Outlook.

    Some weird logins and one definitely unauthorized attempt happened. One from Netherlands - unsuccessful and a few from Australia but that may be explained if my phone is syncing but not sure (like same IP address - same exact time: One successful login, one failed).

    Anyway, high alert.

  • Did anyone else get a call from Nissan saying they enquired?

    On a number only used for ShopBack 🤔

  • I just went and requested deletion of my account after getting the money withdrawn

    Not gonna use them ever again

  • Also got one for Microsoft this morning… Luckily it's not my outlook (it's a Gmail account basically used for promos/newsletter sign ups etc) but I didn't even know I had a Live account until this morning. Changed password and enabled 2FA. Just now gotta think where else I've used that pw. Have reused passwords a bit on this account because there's little info to compromise.

    Edit: eBay as well damn.
    Edit 2: and Catch.
    Edit 3: and Menulog.

    Nice of them to wait until I attempt to log in to say it's been compromised rather than an email.

  • I had someone trying to access my Gmail account as I used Google account for Shopback.
    Then a few days later someone tried to log into my Amazon account using my phone number. All started after the Shopback data breaches.

  • +1

    I know this is reliving old thread but after changing my password back then, it happened again. I got a block notice from Microsoft (Outlook).

    And it's the same MO. The ***kers used IMAP to download/sync emails into their computer, thereby bypassing 2FA.

    Maybe someone here would know but if the status said "Sync Successful" but you get a block notice, I would read it as the hacker managed to get in but unable to download any emails (even though it says Sync Successful) otherwise what's the point of blocking the email address?

    Nevertheless, I decided to check in and turns out there have been numerous attempts to hack my email address since November from around the world (Nigeria, Indonesia, Russia, Thailand, etc). How they managed to get my password is anybody's guess considering it is only recently created/used.

    I also learned Microsoft doesn't allow banning POP/IMAP from their O365 unless you're on business O365. This means Outlook is a pretty vulnerable email client since 2FA can be circumvented this way.

    But someone then suggested creating a new Alias, make that Alias primary, then disable login from the former primary email address. The hacker would need to guess your new alias and if someone worked it out, then it's time to check my PC.

    • Thank you for the heads up on using an alias
