Discover and read the best of Twitter Threads about #optushack
Most recents (7)
Re #OptusHack: as a software engineer, it frustrates me the media is reporting it as a sophisticated attack. It was not. It was equivalent to leaving your front door unlocked with a sign that says valuables inside. They failed at really basic stuff. I'll explain it simply. 1/6
Servers typically use an "API" to load data and add functionality to the user interface. When you login, tap on a like button, try to load your profile page etc. the app or web browser sends a request to an API to complete that action or retrieve that data. 2/6
Any API that exposes personal information should be protected behind authentication (like a username & password). In the case of the #optushack, it has been reported that one of their APIs that could retrieve personal information DID NOT REQUIRE any authentication whatsoever. 3/6
Here are some technical observations related to the Optus breach. This gets into the technical weeds, but it’s important for understanding how this breach may have happened. I’ll try to make it as comprehensible as possible. #optushack #auspol #infosec
Some information is based on public data. The analysis comes from information security experts, whom I appreciate reaching out to me. 😉
We know that the breach occurred because the Optus hacker abused an application programming interface (API) which was api[dot]optus.com.au. As we know, that API was left open on the internet.
Bad news. The Optus hacker has released 10,000 customer records and says a 10K batch will be released every day over the next four days if Optus doesn't give into the extortion demand. #OptusDataBreach #optushack #auspol #infosec 
Quick observation on this new data. It appears Medicare numbers may be exposed for some people. Redacted screenshot below. #Optus #OptusDataBreach
The word "Medicare" appears 55 times across these records.
I’ve got a lot of mixed feelings on this: google.com/amp/s/amp.abc.…
Firstly, good stuff re earlier notification. Data such as what was exposed by the #OptusHack is most valuable when it’s freshest because impacted parties aren’t aware and haven’t taken appropriate action.
But banks are only a small part of the picture and arguably, much more damage is done when email and social accounts are compromised. But there’s not the same regulatory controls over them and it’s easier to quantify financial loss rather than privacy loss.
Let's pop the hood on the #OptusHack (A thread)
Thanks to people like @Jeremy_Kirk we at least know the domain of the hacked/vulnerable API api.www.optus.com.au
I was digging using two different starting points, which I will break down below 👇
UPDATE: I reached the person who claims to have hacked Optus. I've also been contacted by a second, separate source who says the hacker's version of events is approximately correct. Here's what they said. #OptusHack #infosec #auspol
The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use." #infosec #auspol
The API endpoint was api[dot]optus.com.au. Yes, that looks weird, but the hacker says it worked otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. It was used in part to let Optus customers access their own data.
Someone is claiming to have the stolen Optus account data for 11.2 million users. They want $1 million in the Monero cryptocurrency from Optus to not sell the data to other people. Otherwise, they say they will sell it in parcels. #optus #auspol #infosec #OptusHack
The person who runs this data market where the Optus data was posted says the data is real (I have not verified the data yet). The person writes that "optusdata" showed the script used to scrape the data and passed along info about the vulnerable endpoint. #infosec #OptusHack
I've run 10 email addresses from the second sample of the Optus data through @haveibeenpwned. Nine have been in multiple data breaches before, but one is unique to this sample. That's a strong sign this leak is the real deal.
