Optus Hacker releases data of 10,000 customers

The hacker behind Optus’ last week’s data breach has now released the information of 10,000 customers and plans to release 10,000 more every day for the four days that Optus has to reply to the hackers. The attacker had demanded a ransom of $1,000,000 and given Optus a week to make its decision. 

The #Optus hacker has released 10k records, and claims that another 10k will be released each day for the next 4 days. 1/2 pic.twitter.com/Nm07oQhMZl

— Brett Callow (@BrettCallow) September 26, 2022

The leaked data is also on sale, albeit reserved for a week for Optus to reply. Hackers behind the attack have priced the data at $150,000 for user data and $200,000 for the US addresses with an exclusive data sale coming in at the same price as Optus’ ransom. 

While Optus tries to reach out to the 2.8 million customers whose sensitive information has been leaked, the company is facing mounting pressure from the government and customers alike accusing the company of communicating poorly and not having adequate security measures in place. 

Clare O’Neil, Australia’s minister for Home Affairs and Cybersecurity also disputed Optus’ claim that the attack was rather advanced, calling the incident “quite a basic hack” instead. She also went on to state that the data taken effectively amounts to 100 points of ID check, putting the 2.8 million users whose sensitive data was leaked significantly vulnerable to identity theft and fraud.

Minister for Cyber Security @ClareONeilMP says Australia is "probably a decade behind" in privacy protections, and the government "has to be involved when the stakes are this high" following Optus' cyber security breach. Watch her full interview with Laura Tingle below. #abc730 pic.twitter.com/Mk791iOehl

— abc730 (@abc730) September 26, 2022

Nearly 9.8 million Australians’ basic personal information has been exposed in this attack, including the 2.8 million whose exclusive personal data like driving license and passport numbers have also been leaked. 

The company’s claims of the attack being quite advanced have also been heavily disputed. Journalist Jeremy Kirk spoke with the alleged hacker behind the incident and found that the attacker gained access using an unauthenticated API endpoint. Kirk was also contacted by a second, separate source claiming that the hacker’s version of events is approximately correct.

The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use." #infosec #auspol pic.twitter.com/l89O8w1oCO

— Jeremy Kirk (@[email protected]) (@Jeremy_Kirk) September 24, 2022

As a general security practice, APIs aren’t exposed to the public internet, let alone left unauthenticated. If what the attacker claims is true, it indicates extremely careless behaviour on Optus’ part. 

In the News: Cloudflare is launching a ‘zero-trust’ eSIM