Tangerine Data Breach

Afternoon all

TL;DR - Tangerine were hacked and all your data is on the dark web… banking and license information was not compromised (as far as they know)

Not sure if anyone else has received this or not but thought I would share, as it seems I am one of those unlucky people. Not here to bag their Internet service as I have used them multiple times and never had any issues, but figured this might be the best place to post this for people that are currently with them or are thinking about using them.

So as the title mentions, Tangerine were hacked leaking PII.
Email basically states:

We are writing to let you know that Tangerine has been impacted by a cyber incident that has resulted in the unauthorised disclosure of some of our customer data.
We are contacting you as unfortunately, we believe that some of your personal data was disclosed as a result of this incident and have launched a full investigation to determine the cause. Please note that this incident does not affect the availability or operation of our nbn® or mobile services – they continue to operate as normal and remain safe to use.

The following personal information may have been disclosed as part of this incident:

Full name
Date of Birth
Mobile number
Email address
Postal address
Tangerine account number

We can confirm that no credit or debit card numbers have been compromised, as we do not store this information. No driver’s license numbers, ID documentation details, bank account details or passwords were disclosed as a result of this incident.

It appears the unauthorised disclosure of your personal information occurred on Sunday 18 February 2024 and was first reported to Tangerine management on Tuesday 20 February 2024.

How the incident occurred.

Upon learning of the incident, we immediately began an investigation to determine how this incident occurred. This investigation is ongoing and is being treated with the utmost priority.

We know that the unauthorised disclosure relates to a legacy customer database and has been traced back to the login credentials of a single user engaged by Tangerine on a contract basis.

What Tangerine are doing.
As soon as we learnt of this incident, we took steps to prevent any unauthorised access to our data.
We have taken precautionary steps to fully revoke network and systems access for the individual user’s credentials and we have also changed all other team usernames and passwords. Access to the affected legacy database has also been closed.

We have engaged an external cyber specialist to undertake a full and thorough investigation, and we are in contact with the Australian Cyber Security Centre. We have also notified the Office of the Australian Information Commissioner of this incident.

If you still have a Tangerine account, please be assured that your account, including access to the Tangerine Self Care Portal, is secure.

When you contact our team or try to login to the Portal, we will use a one-time verification code sent to your mobile & email to validate your identity and ensure that you have sufficient authority to access the account.

The following additional protections are also available to you as a Tangerine customer:
you have the option of changing your Tangerine account number.
you have the option of setting up additional security questions on your Tangerine account, and you will need to confirm the answers to these questions when you call us to discuss or make changes to your account or services.
What you should do.

We wanted to notify you of this incident as it could increase your risk of being exposed to scam or phishing attacks - where fraudulent phone calls, SMS or emails are sent to trick individuals into revealing personal information.

There are a few things that you can do to reduce this risk:
be alert to all email communications you receive including any email that claims to come from Tangerine Telecom, or that appears suspicious in any way. If you are unsure whether an email claiming to come from us is legitimate, please contact us directly;
be suspicious of any unexpected requests for your personal information, including your financial information.
Additional ways to protect yourself online.

Setting up multi-factor authentication (MFA) on your online accounts
MFA provides you with an extra layer of protection as it involves using two or more authentication factors to verify your identity, such as information you know (e.g. your personal, account or password details) together with information you have (e.g. a unique code sent to your phone or your fingerprint). While it may be easy for a criminal to steal one form of information (like a password), it's harder for them to steal two.

Regularly change your passwords

We understand that this one is annoying, but the fact is, automated attacks rely on people using the same password for many accounts and therefore if you do not change your passwords regularly (and make each one hard to crack), you could be at risk. If you are someone who finds it hard to keep track of passwords (who isn’t these days?), you might want to consider subscribing to a password manager.

Additional resources.
In addition to the above steps to protect yourself online, here are some additional resources to help you recognise and report scams.

ID Care – supports individuals impacted by data breaches. Find out more here.
Scamwatch – learn how to recognise, avoid and report scams here.
Australian Cyber Security Centre (ACSC) – find out more ways to protect yourself online here.
Tangerine’s Online Safety & Cyber Security page.
Tangerine’s Customer Guidance on Scam Phone Calls & SMS – find out more here.
Tangerine’s ID Authentication for Account Changes & Fraud Awareness – find out more here.

If you have any further questions or concerns about this incident, you can get in contact with our Customer Service team on 1800 936 147 or by creating a Support Case in the Self Care Portal.

You can also view our media statement here.

I apologise that this incident occurred and for any concern this has raised for you. We will continue to update you during and once our investigation has concluded.

Regards,
Andrew Branson
Chief Executive Officer

Comments

      • +1

        Donald’s got enough problems. According to https://haveibeenpwned.com, that email address has been in 31 breaches already.

      • For fake details just use [email protected]; that is the general method for using test data, to use the correct term. Using an actual domain just blacklists that domain for no good reason. Although I doubt the email exists.
        Some security tools do dark web checks.
        That said, your details should have been deleted from the portal once your account was removed anyway. If they need to store records for tax purposes they should be securely stored offline with limited access to people that need that info.
        So only certain people within the organisation should have access to old customer data.

    • +1

      Just chiming in to say, I was in the same boat - old customer that churned away a bit earlier than you. Didn't and still haven't received any emails about the breach.

      Mozilla Monitor just emailed me though to say my details were all part of the breach.

      Tried to log in to at least change my passwords and they say the account can't be found, can't login.

      Just screw you all round, Tangerine.

      • +1

        Yep, I just got the same.
        Zero communication from Tangerine, but I already knew they were sh!t at their jobs so my surprise factor has barely moved.

        I have re-opened my TIO case that I needed to raise in order to request my data be deleted.
        I have evidence in writing of Tangerine confirming my personal data deleted and now evidence that their confirmation was utter bollocks!

        • Will be very interested to see what comes of this, please keep us posted.

          • +1

            @EBG: So far TIO don't seem to give a damn.
            The only valid explanation I can think of is that the data breach actually occurred >6 months ago (before the alleged deletion event) but has only recently been discovered and/or announced.

          • @EBG: I have again been assured by Tangerine that they have deleted my data. (Not that the data was already deleted)
            And despite my protestations that you can't delete data that you've already confirmed to the TIO to be deleted, TIO still appear to be perfectly happy with this "outcome".
            TIO have proven themselves to be just as toothless as the ACCC.
            I still have no faith that Tangerine have deleted anything.

            I don't have time to argue a lost cause any further.
            The only thing I can continue to do is to downvote every single Tangerine deal as I have already been doing since my woeful "Technical Support" experience with them.

  • +2

    When I thought Tangerine Telecom couldn't be any more of a joke….

  • +1

    Also beware that tangerine and more nbn are more or less the same company. They share the same support team at least. When I called More NBN last time the operator answered with “Thank you for calling tangerine telecom. How can I help you?” And later apologised claiming that they were sister companies sharing the same support team.

    • Yer, had the same happen to me: the operator answered my Tangerine call with "welcome to More" and quickly changed to the "welcome to Tangerine" greeting

    • Same company

      • Yep. Same call centre, and other shared resources.
        You even get to keep your NBN login details when switching between the two. They don't bother raising a new NBN order.

  • +1

    Sick of this bs retention of my data. Stopped using them about 1 year ago. Total bullshit.

    Gov needs to do something.

    I got the emails.

  • Yep, I’m already pwned but this is the first from a major company. Thankfully used an old email address so not linked to anything vital, but still very frustrating.

  • +1

    Any deals?

    • +2

      Might be some great deals for leaked Tangerine customer information on the dark web soon…

  • Yep got all 3 emails today as well.

    About 1.5 hours after the second email correcting about the DD details I got a fake PayPal invoice for a flight booking sent to the email alias I only used with Tangerine (think I signed up for that free 2 month SIM or something deal but then never actually went through with it). So knew pretty quickly that my details had been breached through them at some point. Just funny timing with the original 2x DD details email.

    • +1

      British Airways flight to Perth by any chance? Think I got the same one at the same time :/

      • I got that one…

        But the booking reference in the email was wayyy too long, so off to spam it went!

      • +1

        I got this email!

      • +2

        British Airways flight to Perth by any chance

        Yep that’s the one! Or “Brtsh Arwys” as it says in the title of the email.

        Aww guess I must have upset someone who bothered to neg my original post 😂

  • medibank, optus and now tangerine and all we get is (profanity) besides the one who (profanity) us get a little strongly worded letter? that's trash.

  • +2

    Will be three years this April since I left them. WTF they still have my data? They are only required to retain data for 2 years. Obviously their data retention and deletion policies amount to uncontrollable data hoarding. I hope they go belly up for this.

    • Yeah, I was nearly 5 years. She deleted it while I was on chat.

      I didn’t ask for it to be deleted in the chat, but she was pretty quick to do it haha

      • +2

        Bit late now.

        • +2

          But good preparation when they are hacked again the second time.

  • +2

    Any class action to join?? I need some loose change to buy maccas

    • +1

      Sure if you want to get your loose change 5 years later

  • +5

    When will companies be held liable for leaking our data?

    • +4

      When our stupid f**ing politicians grow an actual spine…

  • +4

    I signed up to their NBN using a fake name and fake DOB.

    Did the same with ShopBack, and could tell straight away how a random trading company obtained my email address.

    • This guy is genius level smart… I wish I could have thought ahead because I already knew it was not a compulsory ID detail and plus they don't even have the ability to verify it…

      • But I wasn't so lucky with Optus. :-(

  • +1

    There's no mention of More NBN which from my understanding is run by the same people at Tangerine.

  • +6

    I got affected too and now I am severely pissed. First it was Optus and now Tangerine. We need to have a law that not only the companies need to be held liable for leaking our personal info, but pay us some type of compensation in the event such information gets leaked out. Sorry simply does not cut it any more.

  • Most useless ISP ever. Had to take them to the TIO to sort everything out and get away from them. And now to top it off they leak my data…

  • I cancelled my nbn about a fortnight ago (was OK for my needs, cancelling as churning away at end of honeymoon rates) and didn't get any e-mail about this leak 🤦‍♂️

  • +1

    Already received my first spam from the breach from 'qantas' free gift cards. I know 100% it's the tangerine crap because I use unique email addresses that can be traced back to the origin.
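The per-service address trick the commenter describes, written out as an added example that is not from the thread or from Tangerine: each service gets its own plus-addressed alias carrying a short HMAC tag, so when spam arrives the recipient address tells you which service leaked it, and a tag that does not verify flags an address that was guessed or mangled rather than actually handed out. The mailbox, domain, secret and the inbound "spam" messages are constructed sample data.

```python
"""Per-service email aliases that identify which recipient leaked them.

Assumes a mailbox that accepts plus-tags (me+anything@example.com lands
in the same inbox); everything below is constructed demo data.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

BASE_LOCAL = "me"
DOMAIN = "example.com"
# Secret so nobody can mint a valid-looking alias to frame a service;
# in real use keep it out of the source file.
SECRET = b"constructed-demo-secret-change-me"
TAG_LEN = 8  # hex chars of the HMAC kept in the address


def _tag(service: str) -> str:
    return hmac.new(SECRET, service.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_alias(service: str) -> str:
    """Return the alias to hand to one service, e.g. me+tangerine-1a2b3c4d@example.com."""
    name = re.sub(r"[^a-z0-9]", "", service.lower())
    return f"{BASE_LOCAL}+{name}-{_tag(name)}@{DOMAIN}"


_ALIAS_RE = re.compile(
    rf"^{re.escape(BASE_LOCAL)}\+(?P<service>[a-z0-9]+)-(?P<tag>[0-9a-f]{{{TAG_LEN}}})"
    rf"@{re.escape(DOMAIN)}$"
)


def attribute(recipient: str) -> Optional[str]:
    """Map an inbound recipient address back to the service it was given to.

    Returns the service name when the tag verifies, or None when the
    address is not one of ours or the tag does not match (forged/mangled).
    """
    m = _ALIAS_RE.match(recipient.strip().lower())
    if not m:
        return None
    if not hmac.compare_digest(_tag(m["service"]), m["tag"]):
        return None
    return m["service"]


def triage(messages: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count inbound messages by originating service; unverifiable -> 'unknown'."""
    counts: Dict[str, int] = {}
    for rcpt, _subject in messages:
        src = attribute(rcpt) or "unknown"
        counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed inbox: (recipient address, subject line)
SAMPLE_INBOX = [
    (make_alias("tangerine"), "Your Qantas gift card is waiting"),   # spam to the telco alias
    (make_alias("tangerine"), "Brtsh Arwys booking confirmation"),
    (make_alias("bank"), "Your monthly statement"),
    ("me+tangerine-00000000@example.com", "Deal of the day"),        # tag forged/guessed
]

if __name__ == "__main__":
    for service, n in sorted(triage(SAMPLE_INBOX).items()):
        print(f"{service:10s} {n}")
```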

  • +7

    I love how the entire second half of the email is a lecture on security to their customers, when they are the idiots who got hacked.

    • +2

      Absolutely.

      What crooks.

  • Moved to Exetel yesterday due to this..

  • 2 weeks ago moved to SL, I have requested all my data be removed from the database and got the reference number…don't think it will be successful.

    • They're required by law to retain your data for at least 2 years…

  • +1

    This was bound to occur.
    They're so shit at their core business, how could they be even passably good at security?

    When I left them, I raised a ticket specifically requesting my data be deleted.
    This request was acknowledged and my ticket closed out (cause that's the way they roll, send a form response to a ticket and close it out even if it isn't resolved).

    I put a reminder in my calendar for 31 days to give them an entire month to actually implement my request. When that date rolled over, and I was still able to log into my account, I raised a TIO complaint which seems to be the only way to get a resolution from them.

    We will continue to update you during and once our investigation has concluded.

    What are the chances that there will be any other communication on this matter unless you chase it up individually? My guess, no further communication, "sweep it under the rug, most people will forget about it anyway"

    • I was told by them today that they can hold onto the data for 2 years. I had told them that with this data breach I am calling the TIO. I called the TIO and they pointed me to a government privacy website. I had read some information; maybe it is time that everyone who has a data breach does a joint action against the Australian Government, as it is the law that these companies have to retain the data for 2 years, so your complaint to the TIO may fall on deaf ears

  • They should pull their ads off TV.

  • Can direct debit details if leaked be used by anyone? Any difference with a credit/debit card v direct debit with these leaks? No longer a customer but payment details are still on Tangerine files.

    • +1

      I think so; with some companies you do not even need the 3-digit security pin on the back of the card to make a payment, just user name and credit/debit card details, which is why I went into my bank statements today and contacted my bank which my payments have come from. So now I have to wait for a new card, and I'm worried how I will pay my internet as my current provider only has access to that card. I have had to change this card, and my credit card 3 times, and my driver's licence because of these damn data breaches. Getting over it. If the details sit in the account then the debit and credit card details would have been leaked too; how can we trust the idiots at Tangerine when they have breached our data.

  • +1

    Does anyone have some practical tips on how to minimise risk from the breach?
    I've put a credit freeze in place but can't think of anything else short of changing phone numbers and email.

    • +3

      If you re-use the same email and password for everything time to change passwords for everything.
      (time to get yourself a password manager and get out of the shoddy practice of using the same password/s for everything)

  • +2

    It's cheaper to save people's data than to design a system that automatically purges info…

    Properly thought out data retention legislation would have also had a big fat stick built in to it. Something along the lines of:

    Fine of say $1,000,000 for corporation with <1000 employees and $10,000,000 for those with >1000 employees or x% of their annual profit (whichever is Greater) should their systems be breached, and ex client's data (info of users they were no longer required to retain) is stolen..

    Companies will continue to count such breaches and any measly fine they receive as cost of doing business, until such time it really affects their bottom line.

  • This is annoying I was a customer of theirs years ago, but clearly they still have my data on their system

    🤨

  • +1

    I left More Telecom(sister company of Tangerine) months back. I can still login and see saved Credit card details.Unbelievable. WTF?

  • what does it mean if you've NOT received an email from Tangerine? if they just signed up recently for their 2-months free to try them out..

  • +1
    1. I think tangerine forced direct debit when sign up - i couldn't find/cannot be easily found ways not to use direct debit
    2. I also got an email where they say their direct debit failed, where as my account showed the amount is already debited and not pending - this could mean their banking system is compromised.

  • I think they are trying to protect their own asses. Why would they send ex-customers and customers an email saying that their direct debit had failed, then later another saying that sorry, the other email was sent in error? They may have been so busy removing people's credit card details so they can then say sorry, the credit cards have not been compromised; what total crap. Even to hold on to many details is disgusting when you have left them. I was with them for around 2 weeks with constant drop outs while I was waiting on my home to be repaired, and when it was I did not move their crappy service, went back to my original. After being at the other address temporarily I was with Superloop for the first 6 months; that was so much better than their crap

    It was not long after receiving "we believe that your data may have been breached" that I got an urgent notification from Norton telling me that my information is on the dark web, and it was a combo one, maybe because it contained everyone else's data that Tangerine failed to protect. Not happy. Do not believe them about the credit card and debit card details not having been compromised. Tomorrow I am thinking about switching to another company that allows people to actually use BPAY rather than direct debit and credit/debit cards. With my current provider I have to change the card over; they told me that they will have to get someone with authority to do so and will call me back tomorrow. As my bank said, you are right to be concerned; they cancelled the debit card, which my internet provider direct debits out of, so more mess. I have had the credit card changed 3 times and driver's licence, so over companies that are not protecting us

  • +1

    got the same email, but it doesn't seem like my email has been compromised on the web. best they could do as an apology is give some credit towards a plan but i doubt, i'd trust them.

  • +2

    Wtf tangerine I left them ages ago and they sent me an email about direct debit failed and now data breach. Absolute disgrace.

  • +2

    wow, i can't believe this. the first time i haven't been affected.

  • -1

    First we need to overturn the data retention laws.

    Only then can we fix this mess up and actually have the possibility of levying fines against improper data retention like they do in other countries.

    Notably this hack affects legacy customers because it was in a legacy database required for metadata retention. Normally you cannot access multiple customers' data because of cooldown restrictions.

    Let alone for some clown to vacuum up 230,000+ credentials……. What the heck was the government thinking.

    Now we don't need mass protests to remove the illegitimate government that is also supporting genocide, but eventually if nothing changes, this might have to be the route. They even had the balls to try and state we need conscription. Maybe we need to conscript those politicians first and send them off to die first.

    Representative government my ass, only a vocal minority supports the genocide. Now they also wanted to conscript Australians and ship them off to Ukraine to die, what were they thinking. There needs to be consequences for these politicians as they are not doing the work of the Australian Public.

    The goal is peace at all costs, if that means the government ends up destabilising itself, that's their problem. This along with their dumb policies of retaining unnecessary data. How many people did they catch because of these new laws? ZERO FOOLS! Criminals just go underground with even more sophisticated tools.

    Remember, when you voted, did you vote for us to go to Ukraine? Hell no, none of us did. It's a load of crap.

  • +1

    TLDR: One-man garage operation falls apart.

  • +4

    Optus
    Medibank
    Latitude
    Pizza Hut
    Eagers Automotive
    Tangerine

    Looks like I'm 6 out of 6

    • damn we need to go back to paper sign ups.

      • -1

        just like voting in the elections

  • +1

    Unfortunately, hacker did not get any new data after matching the Tangerine data with Optus, Medibank and Latitude data.

  • I contacted their customer service and they told me apparently no data has been lost. This is after I asked for compensation……

  • Did anyone NOT get an email from them ? (former customer)

    • +1

      Nothing so far, but my account may have been created outside of the database window.
      (it must have been a matter of days though)
      Hopefully more likely my specific request and TIO complaint to have my account data be deleted is the actual reason. After experiencing the shitness of their ISP capabilities, I knew a data breach was almost inevitable and wanted to protect myself as much as possible.

      • +1

        good thinking; i just went in and changed my mob# and removed home address & mailing. (profanity) em

        • +1

          Yeah, looks like it's a legacy database that is impacted. It is not too late to go change your details.

          Ah, I just realised I did not provide a home address to them, it's still bugging me for one when I login…. I didn't get the email about the breach BTW…

          Luckily, I know how to hack my way around the popup.

          Hmm…. It still has my mailing address which I tried changing to blank, but it still keeps my old one. Oh well, it's good enough; wish I could change my date of birth though, since they can't really verify it anyway as they have no access to any verification services.

          Which brings me to a question, why do they need our date of birth. I'm sure others like Launtel don't even require it. If tangerine bans me for screwing around with their portal, good for them, but I'm probably going back to a more secure provider. I can't trust these guys anymore.

          • @Scott-APT: just put your mailing address as some random address, they don't even send paper bills anyway, costs them too much.

      • I can't really tell, maybe I got lucky too. lol.

        I would go in there and change your details if you can still login.

  • +1

    I got the same mail, I don't have a connection with them now :/ Does this mean more telecom is also affected as they seems to be sister companies ?

    • Were you with More NBN or did you use both?

      • I have used both in the past but didn't have an active connection when this happened. I only got this email from Tangerine.

  • +1

    I was with them till May 31-05-2021 and they were still holding my data :(

    • Best to make a TIO complaint - apparently they're expensive!

      • Yeah I did that, hopefully TIO will do something about it. I am surprised this breach was not picked up by our main stream media.

  • +1 had such a poor experience with Tangerine, decided to take the hit and pay more for a reputable RSP
    "You get what you pay for" doesn't even really work with the amount of outages we had.

  • after so many data breaches we have been through, scammers now know more about me than I do

  • +1

    https://www.itnews.com.au/news/tangerine-telecom-says-custom…

    “Thankfully, over recent years we’ve taken multiple pre-emptive steps which have included reviewing what data we really need to keep and what we can live without,” Tangerine CEO Andrew Branson said.

    Maybe it’s high time they also delete data of users who have long since stopped using their service…

  • I called Tangerine to see what is going on and apparently there was not actually any data breach and they said an email is going out to customers to confirm it didn’t happen. Has anyone else spoken to anyone at Tangerine to confirm, or received any such email? The person on the phone was very hard to understand though and was just reading from a script.

  • Did any1 else get an email stating they owe you money? Just got one and looks legit, email add from, and i did leave them earlier this month so maybe🤷 will call them tomorrow. Weird thing is i paid my bills via direct debit so why they telling me to hit the link and fill out form 🤔

  • +1

    last night was trying to login to my account

    in address bar

    https://myaccount.tangerinetelecom.com.au/Account/Login?Retu…

    This site has been reported as unsafe
    Hosted by myaccount.tangerinetelecom.com.au
    Microsoft recommends you don't continue to this site. It has been reported to Microsoft for containing phishing threats which may try to steal personal or financial information.

  • Is it just me or have they deleted the old accounts? I can't seem to log in any more and keep getting "We were not able to verify your account with the email address and mobile number provided".
    Wonder if they have purged all of the accounts…

    • +1

      Did you change your details? Mine reverted and I had to use my old details.

      I opened a TIO case against Tangerine as a result.

      I suggest others do the same.

  • I didn't get an email from Tangerine but Firefox's monitoring service instead…

    Why do they need to retain stuff like DOB on file too, esp. since I wasn't under any service with them that did a credit check

  • +2

    You're one of 243,462 people pwned in the Tangerine data breach

    Breach: Tangerine
    Date of breach: 18 Feb 2024
    Number of accounts: 243,462
    Compromised data: Dates of birth, Email addresses, Names, Passwords, Phone numbers, Physical addresses, Salutations
    Description: In February 2024, the Australian Telco Tangerine suffered a data breach that exposed over 200k customer records. Attributed to a legacy customer database, the data included physical and email addresses, names, phone numbers and dates of birth. Whilst the Tangerine login process involves sending a one-time password after entering an email address and phone number, it previously used a traditional password which was also exposed as a bcrypt hash.

  • +1

    Yep I started getting spam to my gmail yesterday, worst of all it went to my inbox.

  • Can anyone recommend a NBN provider that takes security seriously?

    • Telstra, according to their ads.

  • +1

    just when you think they can't get any better at their jobs! security question answers, that aren't even in use, have been leaked. fantastic.

    "We contacted you recently to advise you of a cyber incident affecting certain personal information of some current and former Tangerine customers. Unfortunately, after deeper analysis, we have confirmed that the answers to two account security questions (though not the security questions themselves) were included in the exposed data for a subset of affected customers. We are sorry to advise that you are one of these customers.

    The security question answers that were compromised were set up when your Tangerine account was opened. While we understand this is not a positive update, please be assured that your Tangerine account remains secure.

    Since we implemented multi-factor authentication in 2022, we have not used answers to security questions as a standard mechanism for account security or identity verification, and our records show that security questions are not in use on your account. Instead, when you login to the self-care portal or contact our customer service team about your account, you are required to correctly verify a one-time PIN sent to the mobile number and email address on your account. "

    • JFC, why keep the account security QAs if they don't flipping use them.