Relaxed API Permissions Lead to a Telecoms Breach

This past week, the Australian telecoms company Optus has come under fire for a breach of customer data.  Optus' initial press release regarding the breach went out on 21 September 2022, informing customers that services were not affected and that a possible breach was under investigation [1].  Optus has subsequently released further updates, including telling customers that they will be contacted individually if their data was compromised.  In addition, Optus will be offering the Equifax Protect service to affected customers at no cost [2].

On September 17th, an anonymous user named "optusdata" posted a data-for-sale listing on a popular breach forum.  This user claimed to hold millions of records containing Optus customer information and demanded payment from Optus, threatening to sell the records otherwise.  If Optus did not pay, 10,000 records would be released publicly each day for four days.  Two sample packs of 100 records each were released, followed by one pack of 10,000 records, apparently because no ransom payment was made.

Perhaps unexpectedly, the user optusdata has taken down this listing and the associated data as of September 27th.  Their update indicates that this breach has “too many eyes” and that they are sorry to Optus and the 10,200 affected users who had their information leaked.  They also claim that Optus had no obvious method of contact and that the ransom was not paid. 


Following this announcement, the breached data was then reposted by a user named “FazyMalone.”  Thus, until further notice, the number of records released by this breach is 10,200.  Specifically, each record may contain the following information about Optus customers:

  • Name
  • Birthday
  • Gender
  • Email Address
  • Phone Number
  • Notification Preferences
  • Physical Address
  • Driver’s License Information
  • Passport Number

This breach is currently under investigation by Optus and the Australian Federal Police, neither of which has commented on whether the user "optusdata" is responsible for it.  The Australian government has also requested the assistance of the US Federal Bureau of Investigation (FBI).  Further, security researcher Jeremy Kirk, who says he had been in contact with the user optusdata, reports that it is unclear why the decision to sell the data was reversed [3].  Kirk also asserts that the breach involved an unauthenticated API endpoint, "api.www[dot]optus.com.au", which would have allowed anyone who found it to query Optus customer data without logging in [4].  This endpoint has since been secured.
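To make concrete what "an unauthenticated API that would allow anyone to have access" means in practice, the following is an added example written for this article; it is not Optus' code, and nothing in it describes how the real endpoint was built.  It places two hypothetical request handlers in front of the same constructed customer table: the relaxed one answers any caller for any numeric customer ID (so a scraper can simply walk the ID range), while the hardened one requires a bearer token and only serves the record bound to that token, returning the same not-found status for other IDs so that the ID space cannot be mapped.

```python
"""Relaxed vs. hardened customer-lookup handler (constructed illustration).

Not Optus code. Customer data, token store and URL layout are all assumptions
made for the example; the point is the failure class, not the real endpoint.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed, fictitious sample records keyed by sequential customer ID.
CUSTOMERS = {
    1001: {"name": "A. Example", "email": "a@example.invalid", "passport": "PA1234567"},
    1002: {"name": "B. Example", "email": "b@example.invalid", "passport": "PB7654321"},
}

# Hypothetical token store: sha256(token) -> customer ID. Hashing means a
# leaked copy of this table does not yield usable bearer tokens.
_TOKEN_HASHES: dict[str, int] = {}


def issue_token(customer_id: int) -> str:
    """Issue a random bearer token for one customer (hypothetical login step)."""
    token = secrets.token_urlsafe(32)
    _TOKEN_HASHES[hashlib.sha256(token.encode()).hexdigest()] = customer_id
    return token


@dataclass
class Request:
    path: str          # e.g. "/customers/1001"
    headers: dict      # e.g. {"Authorization": "Bearer ..."}


def _id_from_path(path: str):
    """Parse /customers/<digits>; return None for anything else."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "customers" or not parts[1].isdigit():
        return None
    return int(parts[1])


def handle_unauthenticated(req: Request):
    """The relaxed version: no identity check at all.

    Whoever can reach the host can fetch any record, and because IDs are
    sequential, a loop over the ID range retrieves the whole table.
    """
    cid = _id_from_path(req.path)
    if cid is None or cid not in CUSTOMERS:
        return 404, None
    return 200, CUSTOMERS[cid]


def _caller_id(req: Request):
    """Resolve the bearer token to a customer ID, or None if absent/invalid."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    digest = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    for stored, cid in _TOKEN_HASHES.items():
        if hmac.compare_digest(stored, digest):   # constant-time compare
            return cid
    return None


def handle_authenticated(req: Request):
    """Hardened version: authenticate, then authorize against the path ID."""
    cid = _id_from_path(req.path)
    if cid is None:
        return 404, None
    caller = _caller_id(req)
    if caller is None:
        return 401, None                          # no/invalid token
    if caller != cid or cid not in CUSTOMERS:
        return 404, None                          # same as not-found: no oracle
    return 200, CUSTOMERS[cid]


def enumerate_records(handler, start: int, stop: int, headers=None) -> dict:
    """Simulate a scraper walking an ID range and keeping every 200 response."""
    found = {}
    for cid in range(start, stop):
        status, body = handler(Request(f"/customers/{cid}", headers or {}))
        if status == 200:
            found[cid] = body
    return found


if __name__ == "__main__":
    print("relaxed handler leaks:", len(enumerate_records(handle_unauthenticated, 1000, 1010)))
    print("hardened, no token:  ", len(enumerate_records(handle_authenticated, 1000, 1010)))
    tok = issue_token(1001)
    hdr = {"Authorization": "Bearer " + tok}
    print("hardened, own token: ", list(enumerate_records(handle_authenticated, 1000, 1010, hdr)))
```

Against the relaxed handler the enumeration loop recovers every record in the range with no credentials; against the hardened one it recovers nothing without a token and exactly one record (the caller's own) with one.  The hardened handler also returns the same 404 for "not yours" and "does not exist", so a valid token cannot be used to map which IDs are populated.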

In addition to this specific breach, suspicious activity related to Optus appears to have been under way for at least six weeks.  Red Sky Alliance data collections show a significant increase in sinkholed traffic related to SINGTEL OPTUS PTY LTD, along with numerous username and password pairs from accounts with "optus.com.au" email addresses, since the beginning of August 2022.  An abbreviated listing of our collections can be seen below, with a full table available here.


Table 1. Abbreviated table of sinkhole collection data regarding Optus.


[1]: https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack

[2]: https://www.optus.com.au/content/optus/en/for-you/support/cyberattack.htm

[3]: https://www.reuters.com/technology/australias-no-2-telco-optus-government-clash-over-massive-data-breach-2022-09-27/

[4]: https://thehackernews.com/2022/09/hacker-behind-optus-breach-releases.html


About Red Sky Alliance

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@wapacklabs.com


Weekly Cyber Intelligence Briefings:

Reporting:   https://www.redskyalliance.org/

Website:      https://www.wapacklabs.com/

LinkedIn:     https://www.linkedin.com/company/64265941

 

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989
