Bad news. The Optus hacker has released 10,000 customer records and says a 10K batch will be released every day over the next four days if Optus doesn't give into the extortion demand. #OptusDataBreach #optushack #auspol #infosec
Quick observation on this new data. It appears Medicare numbers may be exposed for some people. Redacted screenshot below. #Optus #OptusDataBreach
The word "Medicare" appears 55 times across these records.
About 45 minutes ago, the Optus hacker sent me a private message from the account where the original three data samples were posted. The person sent a link to that new thread we are seeing. So yes, it appears to be legitimate as in done by the same person. #OptusHack #auspol
The old post is now deleted. The data samples are gone. Here is the new post (ht to @allyjfoster for sending it to me while I was out getting cat food).
Many questions around this: Why has this person seemingly changed their mind? Can we trust this person now? What does this person mean by writing about not being able to delete the data from the drive? #optushack #auspol
Spot analysis: If this holds and no more Optus customer data is released on this website, this is the best outcome for what was becoming an even more awful situation. But it is one we should never have been in in the first place. #OptusHack #auspol
Also: This doesn't change the risk for anyone exposed. The Optus data has been stolen, and we can't trust this person. No guard should be let down: monitor your credit, watch out for dodgy SMS/emails and follow the good advice at cyber.gov.au #infosec #OptusHack
UPDATE: The original data samples are gone, but other people on that forum have copied the data and are distributing it. This is disappointing of course and means that those 10,200 Optus users in these three data samples would be at an immediate heightened risk of fraud and ID theft.
Does anyone know if Optus has a vulnerability disclosure program or a bug bounty program? The Optus hacker claims they might have reported the API security problem if Optus was easier to contact.
This is a pretty flimsy rationale of course for deciding instead to launch a million-dollar extortion campaign against Optus but here we are.
For those of you who have managed to make it to the end of this thread, I've wrapped all of this up into a story here: bankinfosecurity.com/optus-attacker…
UPDATE: I reached the person who claims to have hacked Optus. I've also been contacted by a second, separate source who says the hacker's version of events is approximately correct. Here's what they said. #OptusHack #infosec #auspol
The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use." #infosec #auspol
The API endpoint was api[dot]optus.com.au. Yes, that looks weird, but the hacker says it worked; otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. It was used in part to let Optus customers access their own data.
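The access-control failure the thread describes (a customer-data endpoint reachable without logging in) is easiest to see beside its fixed form. The following is an added illustration written for this page, not Optus's API or anything the reporter published: the endpoint, the customer records, the session tokens and the `Request`/`Response` types are all constructed stand-ins. The weak handler serves any record to any caller; the hardened one requires a valid session and then only serves the record that session is authorised for, so a valid login still cannot be used to walk through other customers' ids.

```python
"""Added example (constructed, not the page's or Optus's code): a toy
customer-lookup endpoint showing missing authentication and the hardened
form with both authentication and per-record authorisation."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: customer records keyed by a sequential id.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.invalid"},
    1002: {"name": "Bob Example", "email": "bob@example.invalid"},
}

# Constructed session store: bearer token -> customer id it was issued to.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: a path parameter plus headers."""
    customer_id: int
    headers: dict


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def lookup_customer_vulnerable(req: Request) -> Response:
    """Weak form: returns any customer record to any caller. Nothing checks
    who is asking, so an anonymous client can iterate sequential ids."""
    record = CUSTOMERS.get(req.customer_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def authenticate(req: Request) -> Optional[int]:
    """Resolve the Authorization header to the customer id its session belongs to."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def lookup_customer_hardened(req: Request) -> Response:
    """Hardened form: require a valid session (401 otherwise) and serve only
    the record that session is authorised for (403 otherwise)."""
    caller = authenticate(req)
    if caller is None:
        return Response(401)
    if caller != req.customer_id:
        # Same status whether or not the requested id exists, so the
        # response does not reveal which customer ids are valid.
        return Response(403)
    record = CUSTOMERS.get(req.customer_id)
    if record is None:
        return Response(404)
    return Response(200, record)


if __name__ == "__main__":
    anon = Request(1002, {})
    print("vulnerable, anonymous:", lookup_customer_vulnerable(anon))
    print("hardened, anonymous:", lookup_customer_hardened(anon))
    other = Request(1002, {"Authorization": "Bearer tok-alice"})
    print("hardened, someone else's record:", lookup_customer_hardened(other))
    own = Request(1001, {"Authorization": "Bearer tok-alice"})
    print("hardened, own record:", lookup_customer_hardened(own))
```

The two checks in the hardened handler are separate controls: authentication answers "is there a valid session at all", authorisation answers "may this session read this particular record". An endpoint built to let customers see their own data needs both; the first alone still lets any logged-in user read everyone else's records.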
Someone is claiming to have the stolen Optus account data for 11.2 million users. They want $1 million in the Monero cryptocurrency from Optus to not sell the data to other people. Otherwise, they say they will sell it in parcels. #optus #auspol #infosec #OptusHack
The person who runs this data market where the Optus data was posted says the data is real (I have not verified the data yet). The person writes that "optusdata" showed the script used to scrape the data and passed along info about the vulnerable endpoint. #infosec #OptusHack
I've run 10 email addresses from the second sample of the Optus data through @haveibeenpwned. Nine have been in multiple data breaches before, but one is unique to this sample. That's a strong sign this leak is the real deal.
I broke this story about Instagram exposing kids' contact details in June 2019 based on the terrific research by @davidjstier (original story in next tweet). Now, Ireland's data protection authority will fine IG a record €405 million over it. #infosec washingtonpost.com/business/2022/…
The situation was essentially an intentional data breach. It boggled the mind. Here's the original story: Instagram Shows Kids' Contact Details in Plain Sight databreachtoday.com/instagram-show…
The story was crazy. Instagram let minors convert their profiles to business profiles, which then automatically exposed details such as email addresses and phone numbers. Plus, all photos became automatically public.
Bypassing MFA at a big scale may be possible with "EvilProxy", a cybercriminal service discovered by @RESecurity. It uses a reverse proxy to nab session cookies, a technique that's been used before but now is wrapped in a slick phishing kit. Yikes. #infosec databreachtoday.com/cybercriminal-…
It is already being used against employees at Fortune 500 companies, says Resecurity's Gene Yoo. It targets services including Apple, Microsoft, Dropbox, LinkedIn, Yandex, Facebook, Twitter, Yahoo, WordPress.
It's also capable of phishing players in the software supply chain, including GitHub, the Python Package Index, RubyGems and NPMJS. Suggests it could be aimed at helping crims tamper with or install backdoors in software packages.
There may be more clarity around the mystery surrounding how the decryption key for the ransomware used in the Kaseya attack leaked. It kicked off with @FlashpointIntel recounting a confusing post on Exploit that implied law enforcement was involved in gaining the key.
The original post on Exploit by REvil said the decryption key "was leaked by law enforcement agencies due to human error during the key generation process." It was speculated US or Russian LE might have had something to do with the key's appearance.
The Shanghai PSB database is so odd. Aside from Uyghur tracking, personal info of random Westerners who entered China, there are mundane police blotter reports -- an accident involving a van and a bicycle (see screenshot), theft of old power meters. Why is it all mashed together?
And why is the _index for all this stuff labelled in English "uighurterrorist" when literally everything else - except for Westerner names who crossed the border - is in Mandarin?
There has been excellent reporting by @seanrubinsztein and @hui_echo about who is in the database. This may be unanswerable, but how does data from at least two Chinese security agencies end up in an open Elasticsearch database on Alibaba's cloud where anyone could find it?