Discover and read the best of Twitter Threads about #OptusHack


Re #OptusHack: as a software engineer, it frustrates me the media is reporting it as a sophisticated attack. It was not. It was equivalent to leaving your front door unlocked with a sign that says valuables inside. They failed at really basic stuff. I'll explain it simply. 1/6
Servers typically use an "API" to load data and add functionality to the user interface. When you login, tap on a like button, try to load your profile page etc. the app or web browser sends a request to an API to complete that action or retrieve that data. 2/6
Any API that exposes personal information should be protected behind authentication (like a username & password). In the case of the #optushack, it has been reported that one of their APIs that could retrieve personal information DID NOT REQUIRE any authentication whatsoever. 3/6
Here are some technical observations related to the Optus breach. This gets into the technical weeds, but it’s important for understanding how this breach may have happened. I’ll try to make it as comprehensible as possible. #optushack #auspol #infosec
Some information is based on public data. The analysis comes from information security experts, whom I appreciate reaching out to me. 😉
We know that the breach occurred because the Optus hacker abused an application programming interface (API) which was api[dot]optus.com.au. As we know, that API was left open on the internet.
Bad news. The Optus hacker has released 10,000 customer records and says a 10K batch will be released every day over the next four days if Optus doesn't give in to the extortion demand. #OptusDataBreach #optushack #auspol #infosec
Quick observation on this new data. It appears Medicare numbers may be exposed for some people. Redacted screenshot below. #Optus #OptusDataBreach
The word "Medicare" appears 55 times across these records.
I’ve got a lot of mixed feelings on this: google.com/amp/s/amp.abc.…
Firstly, good stuff re earlier notification. Data such as what was exposed by the #OptusHack is most valuable when it’s freshest because impacted parties aren’t aware and haven’t taken appropriate action.
But banks are only a small part of the picture and arguably, much more damage is done when email and social accounts are compromised. But there’s not the same regulatory controls over them and it’s easier to quantify financial loss rather than privacy loss.
Let's pop the hood on the #OptusHack (A thread)
Thanks to people like @Jeremy_Kirk we at least know the domain of the hacked/vulnerable API api.www.optus.com.au
I was digging using two different starting points, which I will break down below 👇
UPDATE: I reached the person who claims to have hacked Optus. I've also been contacted by a second, separate source who says the hacker's version of events is approximately correct. Here's what they said. #OptusHack #infosec #auspol
The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use." #infosec #auspol
The API endpoint was api[dot]optus.com.au. Yes, that looks weird, but the hacker says it worked otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. It was used in part to let Optus customers access their own data.
Someone is claiming to have the stolen Optus account data for 11.2 million users. They want $1 million in the Monero cryptocurrency from Optus to not sell the data to other people. Otherwise, they say they will sell it in parcels. #optus #auspol #infosec #OptusHack
The person who runs this data market where the Optus data was posted says the data is real (I have not verified the data yet). The person writes that "optusdata" showed the script used to scrape the data and passed along info about the vulnerable endpoint. #infosec #OptusHack
I've run 10 email addresses from the second sample of the Optus data through @haveibeenpwned. Nine have been in multiple data breaches before, but one is unique to this sample. That's a strong sign this leak is the real deal.