Optus Under $1 Million Extortion Threat in Data Breach
Exclusive: Optus Attacker Says Unauthenticated API Endpoint Led to Breach
Jeremy Kirk (jeremy_kirk) • September 25, 2022
An Optus store in greater Sydney.
Australia’s second-largest telecommunications company is facing a US$1 million extortion demand to prevent the sale of what an attacker says are up to 11.2 million sensitive customer records.
The data breach, which ranks as one of the country's largest ever, is under investigation by the Australian Federal Police. Optus, which is a subsidiary of the Singaporean telecommunications conglomerate Singtel Group, detected it on Sept. 21.
Early Saturday, a person going by the nickname "Optusdata" published two samples of the purported stolen data on a well-known data leak forum. The attacker writes that Optus can prevent the sale of the data to other cybercriminals if it pays $1 million in the Monero cryptocurrency.
The person claiming to have hacked Optus published data samples as well as an extortion demand against the company on a data breach forum early Saturday.
Optusdata writes that Optus has one week to pay, otherwise the data will be available for sale in parcels.
The two released data samples contain around 100 records and include data fields such as name, email address, physical address, passport number, driver's license number, birthdate, whether a person owns their home or not, and more. The data covers current and former Optus customers.
An Optus spokesperson said on Saturday, "We are investigating the legitimacy of this" data.
Leaked Data Appears Legitimate
Information Security Media Group found strong signs that the data likely originated with Optus.
One way to figure out if a breach came from the organization it is claimed to have come from is to enter the email addresses into Have I Been Pwned. HIBP is a data breach notification service. People can sign up and be alerted if their email address appears in a new breach. An email address can also be entered into HIBP to see if it has been in a past breach.
ISMG tested 23 email addresses. Most had appeared in previous breaches, but six had not. That is an indication that the Optus sample data is real.
Also, some personal records do not have a recognizable email address from major providers. Instead, there are email addresses that appear to have been assigned by Optus. For example "[email protected]." Those addresses also do not appear in HIBP, suggesting that this is the first time those have been breached.
In looking at one of the sample data sets, this reporter recognized a local street address. This reporter went to a residence on Saturday morning and found the woman whose data had been exposed. She was working in her yard.
When handed a printout of the data, she confirmed it belonged to her. She was an Optus customer until around 2018. Optus has said it believes the leaked data may date back to 2017.
Breach Source: Unauthenticated API
The Australian broadcaster ABC reported on Friday a possible cause for the breach.
The ABC quoted a "senior figure" inside Optus who said that an API for an Optus customer identity database was opened to a test network that "happened to have internet access."
APIs are software interfaces that allow systems to exchange data, but they could pose risks of data breaches if exposed directly to the internet. Optus declined to comment on the explanation and disputed that "human error" may have played a role.
ISMG made contact with Optusdata on the forum where the data samples were released and asked how the data had been stolen. The person confirmed the data had been exfiltrated from an unauthenticated API. To put it another way, the API did not require anyone to log in in order to access its functionality.
Optusdata wrote in a message: "No authenticate needed. That is bad access control. All open to internet for any one to use."
The person claiming to have hacked Optus told ISMG that an unauthenticated API led to the breach.
The API endpoint was "api.www[dot]optus.com.au." It’s an odd URL, but Optusdata says it worked to exfiltrate the data because, otherwise, a DNS error occurred. That API is now offline, so there is no more risk for Optus. The API was used in part to let Optus customers access their own data.
The same API endpoint was passed to ISMG on Saturday by a separate anonymous source. That person says it was hosted in Google Cloud/Apigee. When Optusdata started frequently accessing that API, it triggered a security alert. A suspiciously high volume of data was coming from that API, which was a signal to Optus of malicious behavior.
Optusdata says they enumerated the customer records via the contactid, a field that appears in the leaked data samples. It's unclear how Optus used the contactid. By enumerating, the hacker means they sequentially accessed and downloaded the customer records using the API.
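The two signals described above, one client walking sequential contactid values and an unusually high volume of successful lookups, are what an API gateway's access logs would show. The following detector is an added example, not Optus's or ISMG's code; the log format, the path, the IP addresses and the contactid values are constructed assumptions.

```python
# Added example: flag clients whose successful API requests fetch many distinct
# contactid values, most of them consecutive (sequential enumeration).
import re
from collections import defaultdict

# Constructed sample access-log lines (assumed format: "<ip> <method> <path> <status>").
# The first client walks six consecutive ids; the second looks up one id twice.
SAMPLE_LOG = """\
203.0.113.5 GET /v1/customers?contactid=1000001 200
203.0.113.5 GET /v1/customers?contactid=1000002 200
203.0.113.5 GET /v1/customers?contactid=1000003 200
203.0.113.5 GET /v1/customers?contactid=1000004 200
203.0.113.5 GET /v1/customers?contactid=1000005 200
203.0.113.5 GET /v1/customers?contactid=1000006 200
198.51.100.9 GET /v1/customers?contactid=4483920 200
198.51.100.9 GET /v1/customers?contactid=4483920 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)\?contactid=(\d+) (\d{3})$")

def parse_log(text):
    """Yield (client_ip, contactid, http_status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(4)), int(m.group(5))

def find_enumerators(text, min_requests=5, min_sequential_ratio=0.8):
    """Return {client_ip: distinct_ids} for clients that successfully fetched at
    least min_requests distinct contactids where the share of ids that are exactly
    one greater than the previous distinct id meets min_sequential_ratio."""
    ids_by_client = defaultdict(list)
    for ip, cid, status in parse_log(text):
        if status == 200:          # only records that were actually returned
            ids_by_client[ip].append(cid)
    flagged = {}
    for ip, ids in ids_by_client.items():
        distinct = sorted(set(ids))
        if len(distinct) < max(min_requests, 2):   # need at least one step
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        sequential = sum(1 for s in steps if s == 1)
        if sequential / len(steps) >= min_sequential_ratio:
            flagged[ip] = len(distinct)
    return flagged

if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct contactids fetched sequentially")
```

Thresholds are deliberately low so the constructed sample trips the rule; in production the volume threshold would be set per endpoint against a baseline of normal customer self-service traffic.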
Contacted on Saturday night with this information, an Optus spokeswoman said the company did not have an immediate comment.
Notifying Customers
Optus is in the process of notifying those affected. Not all of those affected had the same amount of data exposed. Optus said on Friday it will offer "expert third-party monitoring services" for those at heightened risk. It has also warned customers to be wary of potentially fraudulent emails and text messages.
Optus will face a range of regulatory inquiries about its data handling practices, including from the Office of the Australian Information Commissioner, which is the country's data protection agency.
The Guardian reported that Australia's attorney general's office is seeking an "urgent" meeting with Optus to hear of the company's plan to mitigate the effects of the breach for those affected.
In a separate story, The Guardian reported that in 2020 Optus argued against giving consumers stronger rights over control over their data during a federal review of the country's Privacy Act.
Optus opposed giving consumers a right to erase their personal information, citing "significant technical hurdles," it reported. The company also opposed greater consumer power to take legal action against companies over data breaches, the publication wrote.