Catch Database Compromised. Important Information about Your Catch Account

franco cozzo on 17/01/2024 - 05:49
Last edited 17/01/2024 - 20:08 by 1 other user

email received late 16.1.2024….looks like catch has been compromised and "suspicious activity on a small proportion of Catch customer accounts" has been detected by their security team. anyone else get this?

"We recently detected some suspicious activity on your Catch customer account.

As a safety measure we recommend you immediately change your password and contact us if you have noticed any unusual activity on your account. To change your password, you will need to go to the sign in/log in screen and select ‘forgot password’. We will then send you a link to do this safely and securely.

What happened?
Our ongoing security monitoring has recently detected suspicious activity on a small proportion of Catch customer accounts. We identified that your login details were used by an unauthorised third-party to access your Catch account, or your account was subject to other potentially unusual activity. As a safety measure, we recommend you immediately change your password to a strong password and contact us on the details below if you have noticed any unusual activity on your account.

We do not believe the login details used were obtained due to a security breach of Catch, and it is likely these details have been compromised from another source.

Impacted customers may have had information available in their My Account tab accessed, which could include their name, email address, phone number, physical address, purchase history, related account information, and if saved in their profile, date of birth, gender and partial credit and debit card information. Catch does not hold full credit or debit card numbers. Where customers have saved credit or debit card details in their Catch account, these numbers are incomplete.

What actions have we taken?
As a safety measure, we have reset your password.

Catch has also activated its incident response process and commenced an investigation. Catch continues to invest in and use cyber-security, payment and fraud detection and monitoring services and we have further enhanced these services to protect all Catch customer accounts.

We have also reported this incident to the Office of the Australian Information Commissioner (the national regulator for privacy)."

Update 10:03am: ….just spoke to them directly via phone support.
partial site breech of user data confirmed…its definitely on their end.

if youre on catch.com.au i'd go check your account and do a password reset just in case its wider than expected

Internet Data Breach

Related Stores

Catch.com.au
Catch.com.au
Marketplace

Comments

  • franco cozzo on 17/01/2024 - 06:00

    changed unique secure password to another unique secure password as requested by the email. no changes to account that i can see. only used paypal so no CC info…. is there anything else to do?

    • jumpypotato53 on 17/01/2024 - 06:08
      +1

      Change your PayPal password, enable MFA there if it's not enabled yet.

      • franco cozzo on 17/01/2024 - 06:16

        why paypal too?

      • avoidfullprice on 17/01/2024 - 07:00
        +2

        I would suggest cancel automatic payment to catch in PayPal and ensble 2FA

        Changing PayPal password doesn’t help in situation imo

        • franco cozzo on 17/01/2024 - 07:17

          good suggestion….removed onepass/wesfarmers plus a bunch of other older online permissions i dont use anymore at the same time

  • geekcohen on 17/01/2024 - 07:42
    +1

    and this is why using Single Sign On is always a good idea. I use it via my Google account which has 2FA enabled.

  • EightImmortals on 17/01/2024 - 08:14
    +4

    Can't wait till this happens with MyGovID!

    • franco cozzo on 17/01/2024 - 08:26

      …indeed.

      digital id and payments are the way of the future baby! its so convenient & what could possibly go wrong??

      • EightImmortals on 17/01/2024 - 13:08
        +1

        Beats me but I'm often waiting in line behind some cool kid trying to get the app on their phone to work so they can pay their bill. Meanwhile my card and cash work pretty much instantly.

    • Clear on 17/01/2024 - 13:37

      Still would be better security than a lot of GPs out there. That's an easy door to yours and everyone else's information in the whole country 😉

      Before reporting breaches to OAIC was law there were so many significant breaches of healthcare information due to lax security and backup procedures.

  • Dollar General on 17/01/2024 - 08:33
    +1

    They should have known after mydeal was hacked they would become a target and beefed up their security

    • franco cozzo on 17/01/2024 - 08:35
      +2

      catch have had similar in the past…this isnt their first. ive found ones from last year
      https://www.ozbargain.com.au/node/775375

      user hawkeye had purchases made on their account
      https://www.ozbargain.com.au/comment/13812375/redir

      even the text from the email i recieved is the same as 2023…..why cant they do better?
      https://www.google.com/search?client=firefox-b-d&q=We+recent….

    • avoidfullprice on 17/01/2024 - 08:47
      +5

      When Medicare and Optus both get away with our data leaking onto the dark web, would Kogan/Catch care from a financial point of view?

      Sigh

    • Twix on 17/01/2024 - 08:59

      According to Catch they were not breached. This is a credential stuffing attack with the username/password coming from other website breaches. The same thing happened to some users of THE ICONIC. This is why you don't use the same password anywhere else.

      • franco cozzo on 17/01/2024 - 09:02
        -1

        never do…generate a new secure password for every new account using firefox. this isnt my first rodeo mate
        https://www.ozbargain.com.au/comment/14849373/redir

        …if they say that they are lying. we'll see if other users report receiving this email too

        • Twix on 17/01/2024 - 09:59
          +1

          Good and make sure you set a master password and MFA.

          That link is also a credential stuffing attack. The database was not compromised. There is a difference.

  • djsweet on 17/01/2024 - 09:42
    +1

    Catch certainly is not admitting to a breach in that email. They are saying someone got into your account. You are making the connection between your account being compromised and a full-scale data breach. Although if you really haven't reused your long and unique secure password anywhere else it is a little bit sus. Regardless, long passwords generated by a password manager should be resistant to a data breach anyway, unless Catch stores them in plain text (which would be terribly damning for them if true). Otherwise, you are looking at some kind of vulnerability in the password reset mechanism or a login bypass vulnerability. I guess we will need to wait and see.

    • franco cozzo on 17/01/2024 - 09:53

      Our ongoing security monitoring has recently detected suspicious activity on a small proportion of Catch customer accounts.

      …obviously this is not unique to my acccount only based on the wording

      • djsweet on 17/01/2024 - 10:21

        Just because a small proportion of accounts were compromised doesn't mean there is a data breach. There could be an active phishing campaign against catch users.

    • franco cozzo on 17/01/2024 - 09:59

      ….just spoke to them. 'partial' site breach confirmed…its on their end

  • franco cozzo on 17/01/2024 - 10:00

    update 10:03am: ….just spoke to them directly via phone support.
    partial site breach of user data confirmed…its definitely on their end
    id go check your account if youre on catch and do a password reset just in case its wider than expected

    • djsweet on 17/01/2024 - 10:23

      Not necessarily. There could be an active phishing campaign against Catch users.

  • franco cozzo on 17/01/2024 - 10:07

    for others affected….the rest of the email from this morning not in the OP

    What should I do now?

    Please update your Catch password immediately to a strong password. You will need to open the Catch mobile app or website and select ‘forgot password’ on the sign in/login screen. We will then send you a link to do this safely and securely.
We do not recommend sharing passwords across different online services. If you use the same password as your Catch account for other services, we recommend you reset those other services to a strong password as well, prioritising services like banking and payments.
If you have noticed any unusual activity on your account, please contact us immediately, by calling us on 1300 551 996 on Monday to Friday between 9am to 8pm AEST or emailing us at [email protected].
Indications of unusual activity on your Catch account could include unusual changes to payment details, order confirmation or shipping notifications, being unable to log in to your account, not receiving password reset links to your expected email account or changes to your personal details or shipping addresses.

    We also encourage you to take additional precautionary security measures such as:

    Setting strong passwords and not re-using passwords.
Familiarising yourself with guidance on protecting yourself from scams. Remember that scammers may use information they already know about you in order to appear trustworthy. The Australian Scamwatch initiative offers guidance here. IDCARE also provides support and advice on identity and cyber matters and you can request individual support here.
Monitoring for unusual activity on your online accounts and your bank and payment accounts.

    Our team works really hard to bring you the best online shopping experience in Australia. If you have any questions or have noticed any unusual activity on your Catch account, please contact us immediately on the details above.

    • djsweet on 17/01/2024 - 10:21

      This definitely reads as though they believe the accounts were compromised via cred stuffing or phishing.

      • franco cozzo on 17/01/2024 - 10:26

        sure semantics….
        but if its not on my end and not my causation as far as im concerned its a data breach…its their responsibility to secure their site and most importantly my account and my personal and payment details

        • djsweet on 17/01/2024 - 10:40

          Not at all. If its nothing to do with them (ie someone phished you, scammed you, or otherwise obtained your login details from a source not related to them) then its not their problem. They are doing you a courtesy by informing you. Its your responsibility to secure your own credentials.

          • franco cozzo on 17/01/2024 - 11:03

            @djsweet:

            Our ongoing security monitoring has recently detected suspicious activity on a small proportion of Catch customer accounts. We identified that your login details were used by an unauthorised third-party to access your Catch account, or your account was subject to other potentially unusual activity.

            …my catch acc. details are secure & unique
            catch have already stated this breach is on their end
            its their problem…not mine

            • djsweet on 17/01/2024 - 11:12

              @franco cozzo: They have admitted nothing of the sort.
              your login details were used by an unauthorised third-party to access your Catch account.
              Someone has your login details and has used them. That is what they are telling you. They are not taking blame for that person having your login details. Presumably they believe the login details were acquired elsewhere, from someone other than them. The only way the acquisition of your login details would have ever originated from Catch, is if they are either trivially crackable (weak password), or they store them in plain text (which if true would be an extremely damning finding against them, and they will be a laughing stock for years to come).

              • franco cozzo on 17/01/2024 - 11:16

                @djsweet: i spoke to customer service an hour ago and they stated they had a site issue and its not something related to my account but rather a portion of all catch users.

                im not wasting my time anymore mate….done. fini.

                • djsweet on 17/01/2024 - 11:18
                  -2

                  @franco cozzo: So there is an active phishing campaign against Catch users, and several people have fallen victim to it. Due to their knowledge of such a campaign they are proactively seeking to determine which users have been affected and are notifying them. That is what I would take from what they have told you.

                  Or do you think they just told you the following for lols?

                  Setting strong passwords and not re-using passwords.
                  Familiarising yourself with guidance on protecting yourself from scams. Remember that scammers may use information they already know about you in order to appear trustworthy. The Australian Scamwatch initiative offers guidance here. IDCARE also provides support and advice on identity and cyber matters and you can request individual support here.
                  Monitoring for unusual activity on your online accounts and your bank and payment accounts.

                  • franco cozzo on 17/01/2024 - 13:24

                    @djsweet: trying to deflect their problem onto their users rather than admitting their own site security issues more like it….fini.

  • pharkurnell on 17/01/2024 - 10:43
    +2

    seems the weather for it.

    Prime Minister calls major hack a ‘scourge’ after Guzman Y Gomez, Binge targeted in coordinated cyber hack

    https://www.news.com.au/finance/work/leaders/prime-minister-…

  • nige0090 on 17/01/2024 - 10:45

    The change password process does not work for me.

    When I click the "Change your password" link in "Personal Details", it takes me through the login process again and then takes me back to "Personal Details" but there is no option to enter a new password. I tried in both Chrome & Edge.

    Am I missing something really obvious?
    Is not "Change your password" working for anyone else?

    • franco cozzo on 17/01/2024 - 11:00

      Please update your Catch password immediately to a strong password. You will need to open the Catch mobile app or website and select ‘forgot password’ on the sign in/login screen. We will then send you a link to do this safely and securely.
      We do not recommend sharing passwords across different online services. If you use the same password as your Catch account for other services, we recommend you reset those other services to a strong password as well, prioritising services like banking and payments.
      If you have noticed any unusual activity on your account, please contact us immediately, by calling us on 1300 551 996 on Monday to Friday between 9am to 8pm AEST or emailing us at [email protected].
      Indications of unusual activity on your Catch account could include unusual changes to payment details, order confirmation or shipping notifications, being unable to log in to your account, not receiving password reset links to your expected email account or changes to your personal details or shipping addresses.

      • nige0090 on 17/01/2024 - 11:09
        +1

        Thanks. That worked.

    • kmwa on 17/01/2024 - 13:05
      +1

      Tried to change my password as a precaution, and I got the same thing (on Firefox and Chrome).
      Trying to change the password just takes me to the login screen.
      Had to pretend that I'd forgotten the password. What a bunch of clowns.
      While I was in the account, I also checked that my credit card details were not stored on file with them.
      Franco, thanks for tipping us off about this.

      • franco cozzo on 17/01/2024 - 13:23

        no worries mate….that was indeed the point of the post knowing quite a few of us here use catch or have accounts from past purchases

  • this is us on 17/01/2024 - 13:26
    +1

    Here we go again… Almost every day there is a compromised website or leak. This will only stop when companies become accountable for not protecting our data. Companies have to understand that keeping IDs (numbers or photos) and addressees, phone numbers… These are all sensitive information. They can't just ask the IT guy to create a generic form which saves all the information on a standard database on some random local or cloud server.

    Seriously, when I put my old email on Have I Been Pawned there are more than 15 incidents. I have changed my personal email and reviewed most accounts but it's bizarre to see that one airline has leaked my old passport, address, full name, DOB, phone number… Then the health insurance, the internet provider, the cashback website, the booking service, the clothes store… Even a company I've worked for many years ago… And then there are databases that I don't even know where they got from, containing more information.

    Government must act on this and high penalties must be in place for security breaches, for both attackers and vulnerable servers as well.

  • franco cozzo on 17/01/2024 - 13:28

    for users effected or possibly effected by this, heres a screenshot of the full email i received from catch this morning, here:
    https://ibb.co/1d8rLJx (links to an image, only)

    • djsweet on 17/01/2024 - 14:35
      -1

      The full text of the email explicitly confirms what I have said all along. It is a little alarmist of you calling breach when there is no such evidence available at the moment.

      We do not believe the login details used were obtained due to a security breach of Catch, and it is likely these details have been compromised from another source.

      • franco cozzo on 17/01/2024 - 14:48

        no such evidence despite me calling them and confirming it….give it a rest!

        • djsweet on 17/01/2024 - 14:50

          Are you denying that what I quoted is in the email, or are you saying that Catch is lying? unsure

      • mboy on 17/01/2024 - 14:57
        +1

        Jesus, both of you need to save your breath.

        While I agree with @djsweet that the email completely reads like a credential stuffing incident (ie. same thing that apparently happened to The Iconic recently; in which case Catch are not at fault), @franco cozzo says he spoke to someone from Catch who admitted the "breach was on their end".

        Who the hell knows what's true? Can we trust that Catch were completely truthful in their email? Medibank and Optus certainly weren't in their initial breach notification emails. Can we trust that the Catch employee didn't mispeak (or that @franco cozzo didn't misinterpret what they said)?

        I suppose it also raises the question why the Catch employee would blatantly contradict the company's stance on the cause. Maybe @franco cozzo is a sweet talker and got the inside scoop. /doubt

Login or Join to leave a comment
Login Join