Hackers claiming to be behind the breach of personal information about millions of Optus customers have demanded the company pay US$1 million in cryptocurrency Monero to stop them from selling the data.
News of an Optus breach broke during last Thursday’s National Day of Mourning with the telco saying someone had accessed data on “at most” 9.8 million users including names, dates of birth, phone numbers, email addresses, physical addresses, driver’s licence, and passport numbers.
A hacking forum user claiming to be the Optus attacker soon posted about the breach, saying they had a database containing personal information of 11.2 million Optus users.
The attacker gave Optus one week to pay the extortion price before customer data would go on sale.
Optus said it has been in contact with relevant authorities including the Australian Federal Police and the Office of the Australian Information Commissioner.
Journalists like Jeremy Kirk accessed a sample data set and found enough unique details – that is, information that hadn’t been previously disclosed in breaches – to verify the data as likely being sourced from Optus.
The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn’t have to login. The person says: “No authenticate needed. That is bad access control. All open to internet for any one to use.” #infosec #auspol pic.twitter.com/l89O8w1oCO
— Jeremy Kirk (@Jeremy_Kirk) September 24, 2022
Kirk then shared his interaction with the hacker, who explained that they scraped the data from an unauthenticated, internet-connected API.
The attacker ran a script enumerating through the ‘contactid’ field, scraping customer data one-by-one until the high volume of requests eventually triggered a security alert.
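The pattern described above, a client walking a sequential identifier through an unauthenticated endpoint, leaves a distinctive trace in API access logs long before request volume alone trips an alert. The following is an added example, not code from Optus or from the article, that flags clients whose requests step through `contactid` values one by one; the log format, endpoint path and sample lines are constructed for illustration.

```python
"""Flag clients enumerating a sequential 'contactid' parameter in API access logs."""
import re
from collections import defaultdict

# Constructed sample log lines (format and endpoint are assumptions for this example).
SAMPLE_LOG = """\
203.0.113.7 - [24/Sep/2022:10:00:01] "GET /api/customers?contactid=100001 HTTP/1.1" 200
203.0.113.7 - [24/Sep/2022:10:00:01] "GET /api/customers?contactid=100002 HTTP/1.1" 200
203.0.113.7 - [24/Sep/2022:10:00:02] "GET /api/customers?contactid=100003 HTTP/1.1" 200
203.0.113.7 - [24/Sep/2022:10:00:02] "GET /api/customers?contactid=100004 HTTP/1.1" 200
203.0.113.7 - [24/Sep/2022:10:00:03] "GET /api/customers?contactid=100005 HTTP/1.1" 200
198.51.100.4 - [24/Sep/2022:10:00:05] "GET /api/customers?contactid=554321 HTTP/1.1" 200
198.51.100.4 - [24/Sep/2022:10:07:30] "GET /api/customers?contactid=554321 HTTP/1.1" 200
"""

# Client address, then the contactid requested against the customer endpoint.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"GET /api/customers\?contactid=(?P<cid>\d+) ')

def parse_requests(log_text):
    """Return {client_ip: [contactid, ...]} preserving log order."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_ip[m.group("ip")].append(int(m.group("cid")))
    return dict(by_ip)

def enumeration_score(ids):
    """Fraction of consecutive requests whose contactid differs by exactly 1.
    A normal client looking up its own record scores 0; a scraper scores near 1."""
    if len(ids) < 2:
        return 0.0
    sequential = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
    return sequential / (len(ids) - 1)

def find_enumerators(log_text, min_requests=5, min_score=0.8):
    """Clients requesting many distinct contactids in near-sequential order.
    Returns {ip: (lowest_id, highest_id, request_count)} for flagged clients."""
    flagged = {}
    for ip, ids in parse_requests(log_text).items():
        if len(set(ids)) >= min_requests and enumeration_score(ids) >= min_score:
            flagged[ip] = (min(ids), max(ids), len(ids))
    return flagged

if __name__ == "__main__":
    for ip, (lo, hi, n) in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} requests walking contactid {lo}..{hi}")
```

The thresholds are deliberately low for the sample; in production they would be tuned per endpoint, and the finding is a prompt to add authentication and per-record authorisation to the endpoint, not a substitute for them.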
Optus has refused to comment on the technical aspect of the attack, instead saying it was the work of a “sophisticated” attacker who used European IP addresses to mask their real location.
In a statement sent to the media on Saturday evening, Optus said the Australian Federal Police had advised to not comment on “certain aspects of the investigation, including…