Discover and read the best of Twitter Threads about #optusdatabreach
Most recents (3)
Re #OptusHack: as a software engineer, it frustrates me the media is reporting it as a sophisticated attack. It was not. It was equivalent to leaving your front door unlocked with a sign that says valuables inside. They failed at really basic stuff. I'll explain it simply. 1/6
Servers typically use an "API" to load data and add functionality to the user interface. When you login, tap on a like button, try to load your profile page etc. the app or web browser sends a request to an API to complete that action or retrieve that data. 2/6
Any API that exposes personal information should be protected behind authentication (like a username & password). In the case of the #optushack, it has been reported that one of their APIs that could retrieve personal information DID NOT REQUIRE any authentication whatsoever. 3/6
Here are some technical observations related to the Optus breach. This gets into the technical weeds, but itβs important for understanding how this breach may have happened. Iβll try to make it as comprehensible as possible. #optushack #auspol #infosec
Some information is based on public data. The analysis comes from information security experts, whom I appreciate reaching out to me. π
We know that the breach occurred because the Optus hacker abused an application programming interface (API) which was api[dot]optus.com.au. As we know, that API was left open on the internet.
Bad news. The Optus hacker has released 10,000 customer records and says a 10K batch will be released every day over the next four days if Optus doesn't give into the extortion demand. #OptusDataBreach #optushack #auspol #infosec 
Quick observation on this new data. It appears Medicare numbers may be exposed for some people. Redacted screenshot below. #Optus #OptusDataBreach
The word "Medicare" appears 55 times across these records.
