Optus - Major Data Breach

Some good resources here.

https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-…

Optus has suffered a massive data breach, compromising the personal information of up to 9 million customers.

About 2.8 million customers have had all their personal details taken in the cyber attack, including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers.

About 7 million had their dates of birth, email addresses and phone numbers stolen.

The breach involves both current and former customers.

This is worrying.

22/9: Optus’s statement.

Mod 26/9: Whirlpool - Check Optus Customer API

Related Stores

Optus
Optus

Comments

      • Did you check your own record on the AP? To confirm if didnt have any license or passport ID?

        • looking at the Whirlpool links and I can't see my ID details stored anywhere on the API, so I'm assuming if your email didn't specifically say they're unaffected then you're stuffed

  • +5

    I would be happy with a rule where, any new account of any type requires you to go to a physical store to verify your identity. The extra time spent is worth it to me, compared to someone trying to open a bank account or do steal my tax return

  • +1

    I chatted with an agent on Optus app to ask what id document was stolen. The agent said they cannot reveal that to me due to privacy reason. Is this everyone else's experience too? Do I need to go to a store? I was with Optus 3-4 years back.

  • For those affected: You can register interest on Slater / Gordon's websites and opt in to receive notifications on whether you can claim compensation. https://www.slatergordon.com.au/class-actions/current-class-…

    Here's the privacy policy for those who are privacy conscious (read it before you fill in the forms)

    Q: What happens after I register my interest?
    Once you’ve registered your interest, we will keep you up to date about new developments in the investigation.

    Q: What is a class action?
    A class action is a type of legal proceeding in which one person, the representative plaintiff, brings a claim on behalf of a wider group of people who have been affected by the same conduct. By grouping claims together and pursuing them collectively, the overall value of the claim makes it economically worthwhile to do so, even if the value of individual claims are modest.

    Q: Will I have to devote my time or resources to the legal proceedings?
    Initially, we will only require you to provide the information requested in the registration of interest process. At a later stage, if the investigation progresses to a claim, we may get in touch with you to request further information.

    Q: Will my personal information be kept private?
    Your personal information will only be used for the purposes of the legal proceedings as required by the court, or otherwise by law. In all other cases, we will seek your consent before disclosing any of your personal information. We will not disclose any personal information to third parties, including other clients.

    • +3

      its asking for mobile and home address…not going to do that just to register interest, and become victim again.

      • Give fake name, Mobile phone can be burner SIM, and your address can just be a PO BOX. Note that they won't be matching your details with what was leaked by Optus, rather they are just providing you generic updates.

        Most Ozbargainers who enter competitions regularly will be already giving out their personal details to marketers already.

    • Don't do it. No one benefits other than the lawyers. Plenty of people here are customers and this sort of legal action would just eventually increase prices for everyone.

      • agreed. look at the robodebt…most people got nothing once the lawyers took their massive cut. Using people's detriment for their gain even if the "intention" was good

      • +2

        Disagree. Class action here we come. I'm a former customer, so if your prices increase… do like the Optus CEO and cry a river.

        • -3

          You do you then. Hope you get a lot out of the $100 that'll be left for you after destroying a major Aussie employer.

          • @Fuzor: No one will loose a job
            Elon musk will buy optus for a few billion

          • +1

            @Fuzor: How many jobs vs how many people's lives could be destroyed? Not even comparable.

          • +1

            @Fuzor: so optus employer > impacting millions of other individual's lives? really?

            the same incompetent ones that signed off an exposed unauthenticated API by highly paid business owners, project managers, architects, security people engineers and audit/compliance teams that didn't pick this one up and said "she'll be right mate, we need this API delivered asap!" ?

            the same one that went 'boohoo' on TV but real quiet on the backend to paying customers?

            we need to spend countless hours and stress dealing with identity theft and fraud because we deserve it?

            just checking to see if i got that right.

            • -1

              @slowmo: Does not mean that you have to sue them. Legal action doesnt benefit anyone other than lawyers.

              And everyone thinks they can communicate or code better until they're faced with doing it themselves.

              No point in crying after the milk is already spilt. You judge a company by how it deals with the situation in the coming months after the leak.

    • +1

      Probably get 10 cents out of it, lawyers will be the ones laughing all the way to the bank… I prefer they get fined by the government or TIO instead.

  • +3

    On abc730 Home Affairs Minister isn’t buying this as a
    sophisticated attack.

    https://twitter.com/abc730/status/1574331416783253506

    • +2

      isn’t buying this as a sophisticated attack.

      It wasn't. Basically not only did they not lock the door, they left it ajar.

    • +2

      it's not.

      and remember optus tried to blame it on the programmer.

      this is incompetence.

  • Previous customer, still no contact from them : D

  • -5

    Beware Dont twitter anything about @kellyrosmarin or @sallyoelerich becasue you will be shot down by Twitter By the way, Shana tova aka Happy Jewish New Year Kelly Rosmarin You certainly ruined my Rosh Hashanah weekend but not yours of course. And @sallyoelerich interview on 2GB.com.au today Positively incompetent and Schamloes aka shameless

    • Which universe are you from?

      • +1

        wrong thread? wrong website?? wrong planet???

  • +2

    The recent data release from the alleged hacker (re "10.000 record from address file") includes details of 55 Medicare cards, 3246 driving licenses, and 261 passports.

    https://twitter.com/Jeremy_Kirk/status/1574493399222083586

    • Sounds like Optus won’t pay up

      • +1

        optus can't secure their sh it properly, i doubt they could even act fast enough in the interest of their own customers.

        they failed their customers before in this breach, and it's consistent with their behaviour to fail their customers again. despite what they claim on the PR spin.

        not saying they should pay the ransom, but they aren't communicating properly for a billion dollar company with dedicated PR departments.

    • +1

      Where is the data posted to? Just wanted to check if I am one of the 10000 unlucky ones :(

    • Wow just woww

  • +4

    Anyone remember?

    https://twitter.com/David_M_Green/status/1217963902056558592

    Hey
    @Optus
    , I just learned you are using an image of my driver’s licence as an example on your website without asking me. Can I have some money please?

    • From reading his comments, the scumbags didn't even pay him.

      • I mean he already uploaded the photo to his public blog, not like the information wasn't already out there.

  • Come to think about, unless the leaked data has expiry date of the license, you cant do much with just the number alone

    Anyways, i have changed my address on the license and changed the 2FA mobile numbers on my bank accounts.

    • +5

      Guess what… It has the following:

      "documentNumber":"xxxxxx",
      "documentType":"Driving Licence",
      "jurisdictionType":"QLD",
      "personId":"xxxxxx",
      "issuingJurisdictionName":"QLD",
      "validityEnd":1729605600000,
      "validityStart":0,
      "isPrincipal":"1",
      "isDefault":true,
      "lastUpdateDate":"10-Dec-21 17:21:05"

      all available in JSON format.

      • Ohhh, shit

      • Some the expiry dates are incorrect though

        • What if you renewed your actual license?

          Would the expiry date change?

          • @Weezle: The expiry date they have for me doesn't match any expiry date I've ever had.

            • @prhino: Yes.

            • -1

              @prhino: The date gets encoded for some of DBs. So unless you can map out the date in Day Month Year format (any sequence) and then validate to be false, be assured the encoded date value is correct and as recorded in system.

              • +4

                @PopCounty: It's not encoded, it's just in epoch/unix format. A given ephoch/unix date will covert to the same date in human readable form, however you format it.

                1664243336 = 27/09/2022, 09/27/2022, 27 September 2022, September 27 2022 = all the same date

  • Is Moosemobile affected by the breach?

  • +6

    Optus CEO is either a liar or doesn't understand much about technology…

    "Our data was encrypted and we have multiple layers of protection," Bayer Rosmarin said on ABC Radio. "So it's not the case of having some completely exposed API sitting out there."

    Everything is in plain text. Lol.

    • +1

      She probably thought that the field names (indentType, indentValue) would be too confusing for the hacker :)

    • +3

      you can have multiple layers of protection, but the API fully decrypts that and gives it to you on a platter in plain text.

      this is the worse part….. a lot of software developers don't understand this concept either.

      • To decrypt it needs to be encrypted first… Unfortunately, not much data is encrypted and is stored as plain text in the database.

      • The api doesn't need to return plaintext id information. In fact, the data can just be one-way hashed. There is nowhere in the front end system show ID information. Optus call center doesnt need to know it after the first initial credit check. If they want to re-verify id, one way hash is enough similarly to password.

    • lol can she not say something without getting egg on her face?

    • -3

      lets be real here she probably doesn't even know what IT is..

      Women in CEO these days are a publicity stunt. People should be hired for their skills not just a tick box quota

      I support all kinds of gender. I just don't like it when unskilled people because of a profile is hired to meet some diversity paperwork.

      I have worked in big tech firms and u see it all the time. People being hired into positions out of their place

      • Mate no CEO, man or woman, knows shit about IT. Of all the people in a company they’re usually the worst.

        • -1

          how about the ceo of atlassian? or google or fb?

          Im just saying putting people into roles to fill quota is the worst.

          The optus crying oh we got hacked… Cry me a daymn river if u want… u left the door open. Have we heard anything from the ceo last few days

          • @George Washington: Im part of the breach aka my details have been leaked being a former customer 3 freaken years ago. I rang up optus 4hr wait.. we are unable to verify if your details have been leaked…. so we cant offer you a voucher or reimbursement?

            seriously…

            • @George Washington: Yeah ok sure, if you cherry pick the CEOs of the top global IT firms they probably know a thing or two. The vast majority though are IT illiterate, I know from experience. This has nothing to do with gender quotas.

      • this is a really weird hill to die on mate.

        blame the CEO for building a culture of complacency and rewarding only 'good news'… to the point that people don't bother or don't feel safe for calling out idiotic implementations.

        or are you misunderstanding the purpose of leadership roles?

        • leadership roles are a marketing term.

          No Im not saying gender quota. Im saying hire people fit for purpose.

          My last contracting gig every quarterly presentation. its always about the gender gap and gender quotas… in my head why are we pointing this out.

  • +7

    Hackers can have my details, I have no money and my credit rating is balls, 3 steps ahead mofos.

    • you kid, but even if you are brokeass, people can use your details for a lot of other things that will make you have a bad time dealing with government bodies or any companies needing credit.

      need internet access to browse ozbargain? you need id / 100pts for pre-paid, plus credit checks for post paid.

      sim cards and internet access is extremely low bar, and if you think dealing with telcos are bad, try dealing with utilities companies.

  • +3

    "including their passport and licence numbers, email and home addresses, dates of birth and telephone numbers"

    This is why 2FA via sms is stupid. I had my phone # stolen once, using a subset of this info. Then all my accounts changed pw, using the new phone #.

    Seriously "email and home addresses, dates of birth and telephone numbers" is mostly public knowledge, which loyalty program doesn't have it? Even your local restaurant has this.

    And we can't change these when compromised.

    passport and licence numbers are only secret until companies require us to give it as ID. Then it's as insecure as the rest.

    • people need to understand data can be aggregated.

      remember uber hacked?

      i'm mr wong nummer on uber eats.

      it's got my home delivery address and an unique email.

      but with this optus attack, they can match a higher fidelity profile of me with a real name with the address + mobile , etc.

      it is not 'insecure' as the rest. uber might be complacent, but optus is incompetent.

      • can't get my family to use unique pw, let alone email in signups.
        aah I duno, I use real name in restrnt bookings so it's all out there.

        • Sometimes it takes a real fraud to take place before people starts to wake up. I think that's okay, because it's a choice. Your identity/money, your risk.

          For the majority of others who are unaware and wants to understand how bad it can get, they will want to be start asking questions.

  • +3

    Potentially big news: The "hacker" (I'm using that term loosely) has removed his original post and has put up a new post saying he’s backing off.

    He’s said he’s sorry to the 10,200 people he leaked and he’s deleted the data.

    I suppose this could be the end of it, but I’m way too sceptical. Let’s see.

    • Data is already out there in the wild. BTW, this hacker seems fairly immature

      • +1

        Probably got death threats

        • lol. for asking way too below market for that sort of data.

          undercutting ransom groups.

          • @slowmo: Dont underestimate what crime syndicates would do for that information

            • @easternculture: i think you underestimate that if you are partaking in that sort of activity to only get death threats from crime syndicates.

  • +3

    https://twitter.com/joshgnosis/status/1574554058555215872

    To me it looks like Optus paid the ransom. Thread on the breached forum is gone now.

    • Well, I am thankful, my data was worth more than the 10c portion it cost if Optus paid for the ransom…

    • +1

      Their reputation has been already trashed. Hopefully people do move their businesses elsewhere. Personally I dont care if Optus goes bankrupt/liquidation or whatever. To me it seems like Australian government agencies forced Optus to pay money, or optus put in pressure to pay Ranson by government agencies to prevent any further Australian citizen's data leaking.

      This isn't as simple stuff leaked like SB data breach, but passport, driver's licence number, medicare, and general leak name number email address password etc.

      I still do not believe that whatever credit statement proof one gave to optus has not been leaked. I would definitely be closing the any bank account/cards linked to any Optus transaction. I hope that I would have had used one time disposable cards.

  • Got my email this morning, saying name and email address but no license etc.

  • +1

    Posted by the hacker (Take with a Huge Grain of Salt) from the forums-

    https://forums.whirlpool.net.au/thread/3z4yl2qw?p=188#r3747

    and here-

    https://www.crikey.com.au/2022/09/27/optus-hacker-data-breac…

    Maybe Optus paid the ransom? Or the hacker is lulling everyone into a false sense of security to be less vigilant and will still sell the data privately?

    As for Equifax, they seem to have their own issues-

    https://www.choice.com.au/consumers-and-data/protecting-your…

    • This is so weird… WTF is happening?!

    • here's food for thought: hacker realised the price was too low when he's getting offers from other groups to pay more than $1mil.

      this is very high fidelity data, not some lul haxxors php pwnbase.

  • Can someone pm me the link I have like 20 pre paid Optus services!

    • Link doesn't exist anymore.

      • +3

        The for sale / ransom demand post is gone.
        The actual data is still definitely there (hosted externally to the breached forum).

    • fudge me details are on the list hope I can change my DL number

    • I have like 20 pre paid Optus services!

      your information can only be stolen once

    • did someone pm you the link? link was deleted but then reposted.

  • +1

    Got a new dirvers licence here in SA today - didnt need proof although took it along - used my current foto, same expiry date new number - hard licence in 5 days, new digital licence is i paid the 20 apart from 20 minutes wait, the actual time with a CSO at Service SA was an efficient 5 minutes

    • Yeah I am glad they finally put this measure in place. I went as far as to get an interstate licence. Couldn't have been more safer. I probably wouldn't have gone if it wasnt for this breach, and me having no clue Service SA will replace driver licence no. given their website still says nothing about it, while other eastern states well on top of acknowledging there may have been a ID leak breach due to optus.

      Hey I am surely seeing government holding OPTUS liable for millions of $$ as a cost incurred by government agencies in issuing, posting hundreds of thousands ID's from various different government departments.

  • who has that 10k data? just trying to see if I'm one of the lucky one.. fk optus

    • +1

      I can confirm you where on it ;)

  • +1

    I bet optus paid them off .. what’s a couple of mil compared to the loss in goodwill and also the longer this drags on the more lawsuits and problem they will find themselves with the gov/authority. We end user are f tho.. how would we know the hackers wont resell all our info on the dark web.. seriously this is all just a clusterf.

    • +1

      Will Optus still pay for the subscription to Equifax as was mentioned yesterday.

      • +4

        Just had coffee with optus CEO and they will still pay if you have an ozbargain gold membersip

      • only if you had a chat with Muzeeb

        • I am not trusting mujeeb anymore.

    • +1

      Apparently Optus never communicated once with them. The data is a gold mine and some other "state actor" would easily cough up over 1 mil for it

      • Who knows if money and data have already changed hands…

  • +1

    Chaos has begun

    https://www.news.com.au/technology/online/hacking/pay-us-ter…

    Optus has screwed people for life!!!

    • +1

      Its probably the 10000 that got leaked.
      The file was prpbably downloaded thousands of times and people are taking advantage

      • +1

        Undoubtedly. Probably some high school kids that downloaded the data and want to play silly buggers and mess with people.

        Clearly very sophisticated asking for a direct deposit into their bank account. lol

        Still scary to have all your info out there for anyone to access though…

      • It's the one we know about.

Login or Join to leave a comment