
The Optus Hacker Allegedly Wants $1 Million In Crypto To Not Sell Customer Information

"So basically the greatest data heist in history is worth less than a 2-bedroom apartment in Petersham."


Australian telecommunications company Optus is dealing with a hostage situation after a hacker claiming responsibility for last week’s data breach allegedly offered to ransom the stolen data back to the company.

A hacker claiming to have stolen customer information including passport details, personal addresses, and driver’s license data from over 10 million Optus customers has told journalists they’re seeking a ransom of $1 million in cryptocurrency, and are threatening to sell the data in parcels if the telco refuses.

Speaking to a data journalist from Bank Info Security, the alleged hacker also claimed to have executed the data breach by simply accessing an API endpoint that required no username or password, but was still, miraculously, connected to the Optus customer database.

Put simply, the hacker basically bypassed a modern home security system because someone left the back door unlocked.

“No authenticate needed. That is bad access control. All open to internet for any one to use,” the alleged hacker told Bank Info Security.

Historic Optus customers from as far back as 2017 could have been affected by the breach, due to privacy legislation that allows telecommunications companies to keep user data for up to six years.

While Optus Chief Executive Kelly Bayer Rosmarin claimed on Friday that 9.8 million customers could be affected in the “worst case scenario”, the hacker claims to have stolen the customer details of 11.8 million people.

You can check if you have been affected by the hack by accessing Have I Been Pwned, a website that cross-references your email address with major data leaks.