TOP News

Australia: Optus data hacker scandal takes ridiculous turn as man sent customer's phone numbers and bills

It’s too late to undo the Optus hack. How do we stop the next one?

  It’s too late to undo the Optus hack. How do we stop the next one? An account claiming to be the hacker told Crikey they wouldn't release the data if Optus paid them $1 million — but said the telco had not yet been in touch.An anonymous account, “Optusdata”, posted an extortion threat for US$1 million to the telecommunications company on a popular hacking website. The account asked for the sum to be paid in untraceable cryptocurrency Monero within a week or the dataset would be made available to others for purchase.

A man claims Optus sent him another customer's phone numbers and bills through its help chat in the latest scandal to hit the telecommunications giant.

Up to 10million Australians are at risk of having their private and sensitive information sold online after a hacker infiltrated Optus' system and raided the details of its current and former customers.

Samuel Leighton-Dore posted screenshots of a conversation he claims to have had with an Optus support worker - who appears to have accidentally sent him private information.

'Now Optus support leaking other people's phone numbers and bill amounts to me,' he posted to Twitter, alongside an image of the chat.

Karl Stefanovic launches a fiery attack on Optus: 'This makes me rage'

  Karl Stefanovic launches a fiery attack on Optus: 'This makes me rage' Karl Stefanovic has slammed Optus for being too 'slow' in responding to Australia's largest ever privacy breach and says the data hack makes him 'rage'.His comments come after a mysterious hacker leaked the personal details of 10,000 innocent customers, before apologising and deleting the trove of data they stole.

A man claims Optus sent him customer's phone numbers and bills owed through its help chat in the latest scandal to hit the telecommunications giant © Provided by Daily Mail A man claims Optus sent him customer's phone numbers and bills owed through its help chat in the latest scandal to hit the telecommunications giant Samuel Leighton-Dore posted screenshots of a conversation he claims to have had with an Optus support worker - who appears to have accidentally sent him private information © Provided by Daily Mail Samuel Leighton-Dore posted screenshots of a conversation he claims to have had with an Optus support worker - who appears to have accidentally sent him private information

The Optus employee sent through three customer's phone numbers alongside bills costing $326.20, $117.90 and $110.90.

The worker then immediately follows up the messages by saying: 'I request you to ignore the above text'.

'You've actually just leaked additional data to me,' Mr Leighton-Dore replies.

'I apologise for it,' the Optus worker responds, before adding the messages were a 'typo error'.

Top 20 most common passwords used by Australians in 2021

  Top 20 most common passwords used by Australians in 2021 Aussies with predictable and lazy passwords have been put on notice with a new list by a global cyber security firm revealing the top 20 combinations which hackers can crack in just one second. Nord Security data found '123456' was the most used password in Australia during 2021 with the basic security lock being recorded 308,000 times.The second most common password was the embarrassingly simple 'password' - which featured 191,800 times.Nord Security said even with the most unsophisticated hacker could break these passwords in under one second with a basic software program.

Daily Mail Australia have contacted Optus for comment on the bizarre blunder.

The Optus employee apologised to Mr Leighton-Dore for accidentally sending customer's information to him through its help chat © Provided by Daily Mail The Optus employee apologised to Mr Leighton-Dore for accidentally sending customer's information to him through its help chat The New South Wales Government confirmed it will replace all driver's licenses compromised by Optus' massive data leak © Provided by Daily Mail The New South Wales Government confirmed it will replace all driver's licenses compromised by Optus' massive data leak

State governments around Australia have confirmed it will replace all driver's licenses compromised by Optus' massive data leak.

Victor Dominello, the NSW Minister for Digital and Customer Service, confirmed on Tuesday evening they would cover the $29 cost of replacing licenses impacted by the online espionage.

'Firstly I am sorry it has taken several days to reach this landing. People are understandably stressed and need a pathway forward,' he posted to his Twitter account.

Telstra 'real winner' of Optus hack: Telco denies taking swipe with AFL grand final ad

  Telstra 'real winner' of Optus hack: Telco denies taking swipe with AFL grand final ad The hugely expensive 30-second commercial shows a woman on her phone getting a text, as words appear across the screen saying: '1 text from the boss' and '3 malicious messages blocked'.The hugely expensive 30-second commercial shows a woman on her phone getting a text, as words appear across the screen saying: '1 text from the boss' and '3 malicious messages blocked'.

QLD Premier Annastacia Palaszczuk confirmed her government would also reimburse all license changes, while Victoria's Department of Transport will send the bill straight to the telco.

Mr Dominello said Optus would be contacting its customers who need to apply for a new license in the coming days.

'People in NSW with a digital driver licence will have an interim card number issued instantaneously via the Service NSW app. A new plastic licence card will be issued within 10 business days,' he said.

'The cost to replace your driver licence is $29 and will be charged by Service NSW at the time of application – reimbursement advice will be issued by Optus to customers in the coming days.'

Anyone concerned over their identity possibly having being leaked should contact ID Support NSW on 1800 001 040.

Ms Palaszczuk said Transport and Main Roads Queensland would be issuing new licenses free of charge.

'The licence is a highly secure ID document, but we've been hearing from a lot of people who are concerned so we are giving people the opportunity to obtain a fresh licence,' she posted to Twitter on Tuesday night.

Impacted by the Optus data breach? Here's how to replace your passport, drivers licence and Medicare card

  Impacted by the Optus data breach? Here's how to replace your passport, drivers licence and Medicare card Western Australian police are urging people in the northern Perth suburb of Gnangara to be vigilant after a 34-year-old man was found dead in the area.

Victor Dominello confirmed on Tuesday evening the government would cover the $29 cost of replacing licenses impacted by the online espionage © Provided by Daily Mail Victor Dominello confirmed on Tuesday evening the government would cover the $29 cost of replacing licenses impacted by the online espionage

The hacker claiming to be responsible for the data breach suddenly apologised for the cyber-attack - as customers receive threatening text messages demanding they pay $2,000 to have their details erased.

In a bizarre post on Tuesday morning, 'Optusdata' claimed there were 'too many eyes' on them and said they would not sell or leak the hacked data of up to 10million Australians.

In broken English, Optusdata said: 'Deepest apology to Optus for this. Hope all goes well from this'.

However, Australians are now receiving threatening texts demanding they pay $2,000 to have their 'confidential information erased off the system'.

In a bizarre post 'optusdata' claimed there were 'too many eyes' on them and claimed they would not sell or leak the hacked data of over 10million Australians © Provided by Daily Mail In a bizarre post 'optusdata' claimed there were 'too many eyes' on them and claimed they would not sell or leak the hacked data of over 10million Australians

The text warns Optus customers that if they do not comply, their information will be 'sold for fraudulent activity' in two days time.

The message asks the $2000 be transferred to a Commonwealth Bank account under the name 'Optusdata' and that customers send a copy of their receipt.

Optus’ full-page newspaper apology — a lazy concept way past its use-by date

  Optus’ full-page newspaper apology — a lazy concept way past its use-by date A carefully worded, legally vetted letter pulled together by comms professionals will be cold comfort to victims of the data breach.But why? Who thinks a paid apology advertisement communicates anything worthwhile? Generally it suggests desperation and a lack of imagination rather than sincerity.

'Optus has left security measures allowing us to access the personal information of their customers including name, email, phone number, date of birth, address and licence number,' the text reads.

'Optus has not responded to our demand of paying the 1M$USD ransom as such as your information will be sold and used for fraudulent activity within 2 days or until a payment of $2000AUD is made then the confidential information will be erased off our systems.'

The threatening texts comes just hours after the hacker said they would release 10,000 records every day for four days if a $1.5million ransom remained unpaid.

Optus customers have received threatening text messages warning their data will be leaked unless they pay $2,000 to a CBA account (pictured, the text message) © Provided by Daily Mail Optus customers have received threatening text messages warning their data will be leaked unless they pay $2,000 to a CBA account (pictured, the text message)

The customer records the hacker has released so far included passport, drivers licence and Medicare numbers, as well as dates of birth and home addresses.

In their original apology, the Optus hacker claimed they would've told the telco about their vulnerability but there was no way of getting in touch.

'Optus if your (sic) reading we would have reported exploit if you had method to contact,' the apology continued.

'No security mail, no bug bountys, no way too message. Ransom not paid but we don't care any more.'

The hacker said they couldn't release more data even if they wanted to because they had 'personally deleted data from drive' which they claim is the only copy.

Cybersecurity journalist Jeremy Kirk said the apology wasn't a guarantee 'optusdata' could be trusted but said it would be the 'best outcome' for customers.

No safety in numbers

  No safety in numbers At least 2.1 million of the 9.8 million victims of the Optus hack need to replace their ID, and there's another rate rise on the cards today.Optus chief executive Kelly Bayer Rosmarin was “frustrated” by the government’s comments, telling the AFR the best thing would be to present a “united front” with her embattled company. Rosmarin reckons Optus has mostly done the right thing so far, having “communicated to these customers and recommended that they take action to address the heightened risk of theft”.

He said it was 'disappointing' others on the forum had copied the stolen data and were distributing it - despite the hacker deleting the original samples.

'This means that those 10,200 Optus users in these three data samples would be at an immediate heightened risk of fraud, ID theft,' he tweeted.

Shara Evans, a tech analyst who has worked for large telco's in the United States, believes Optus has been less than forthcoming over whether the stolen data was encrypted or not.

'If the data was encrypted the company would be on the front foot saying 'yes it's been encrypted, we're not going to tell you the exact method for security purposes',' she told Daily Mail Australia.

'Any data that someone may have gotten their hands on would be in an 'encrypted state' - whether they used encryption or tokenisation or any other methodology to scramble the data that would have solved 99.9 per cent of the problem.'

Ms Evans said Optus should have maintained separate silos for storing their customer's personal information.

'All of this stuff should have been separately kept, separately stored with audit trails, multiple firewalls and encryption,' she said.

The hacker demanded a ransom of US$1million - or $1.5million Australian - be paid in Monero, a decentralised cryptocurrency (pictured, an Optus store in Sydney) © Provided by Daily Mail The hacker demanded a ransom of US$1million - or $1.5million Australian - be paid in Monero, a decentralised cryptocurrency (pictured, an Optus store in Sydney)

Mr Kirk questioned the motivations behind the backflip, tweeting: 'Many questions around this: Why has this person seemingly changed their mind?'

'Can we trust this person now? What does this person mean by writing about not being able to delete the data from the drive?'

The cybersecurity journalist, who says he has been in contact with the hacker, shared details of the ransom note on Tuesday morning.

'The Optus hacker has released 10,000 customer records and says a 10K batch will be released every day over the next four days if Optus doesn't give into the extortion demand,' he wrote on Twitter.

Read more

Alleged SMS scammer arrested in Sydney for 'using Optus hack data' .
A Sydney man has been arrested over an alleged SMS scam that used information obtained from the recent Optus cyberattack.The Australian Federal Police (AFP) this morning executed a search warrant at a home in Rockdale, in Sydney's south, where they arrested a 19-year-old man accused of running the scam.

See also