A few days after the Optus data breach was announced to the public, cybersecurity researchers discovered that the threat actors behind it had demanded $1 million from the Australian telecom firm to prevent the stolen customer data from being sold online, although they eventually withdrew the extortion attempt.
Upon monitoring the dark web for the latest developments in this issue, it became known that the threat actor “Optusdata” had published two samples of Optus’ stolen data on an underground leak forum. The hacker demanded a $1 million ransom in exchange for not selling the stolen data, adding that the telecom firm had only one week to negotiate.
However, on September 27, the hacker published an update stating that they were backing out of extorting Optus and apologised to the firm and its customers for the trouble they had caused. Optusdata also took down the database in which the compromised data samples were stored.
While there is no further update from Optus yet, the firm said that it is still investigating the legitimacy of the sample data.
On the other hand, despite the original hacker backing out of the extortion, another threat actor was quick to repost the samples of the compromised data under their own account, which still poses a risk to all affected Optus customers.
An unauthenticated API might have enabled the Optus data breach.
According to recent reports, an Optus API for its customer identity database, opened for a test network, was reachable from the internet, which likely led to the data breach. To verify this claim, researchers contacted the Optusdata threat actor, who confirmed that the stolen data was collected from Optus’ unauthenticated API (api[.]www[.]optus.com.au).
This unsecured API, which is now closed, allowed the hackers to access Optus’ customer identity database without needing login credentials. However, the telecom firm stated that the API in question had been open to anyone on the internet. On the other hand, the threat actor said that even if that was the case, there must have been a DNS error that allowed them to exfiltrate confidential customer data from the firm.
Furthermore, the ‘Optusdata’ hacker said that during their exfiltration of data from Optus, they used the “contactid” field in the customer records, sequentially accessing and downloading customer records through the unauthenticated API. And even though their process triggered suspicion on Optus’ end, they appear to have successfully collected the data they needed to extort a large sum from the affected telecom firm.
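The sequential contactid enumeration described above is the kind of pattern a defender can spot in API access logs. The following is an added example and not code from the original report or from Optus: a small Python detector that flags any client reading a run of consecutive contactid values without authentication. The log line format, the `/api/contacts/<contactid>` path and the sample addresses are constructed assumptions; Optus’ real API paths and log formats are not on this page.

```python
import re
from collections import defaultdict

# Constructed access-log format (assumption): "<client_ip> <method> <path> auth=<yes|no>"
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) /api/contacts/(?P<cid>\d+) auth=(?P<auth>yes|no)$"
)

# Constructed sample log: one client walks contactids in order with no auth,
# another client makes two authenticated, non-sequential lookups.
SAMPLE_LOG = """\
203.0.113.7 GET /api/contacts/100001 auth=no
203.0.113.7 GET /api/contacts/100002 auth=no
203.0.113.7 GET /api/contacts/100003 auth=no
203.0.113.7 GET /api/contacts/100004 auth=no
203.0.113.7 GET /api/contacts/100005 auth=no
198.51.100.4 GET /api/contacts/584201 auth=yes
198.51.100.4 GET /api/contacts/17732 auth=yes
"""

def parse(log_text):
    """Yield (ip, contactid, authenticated) for each line matching the constructed format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], int(m["cid"]), m["auth"] == "yes"

def longest_sequential_run(ids):
    """Length of the longest run in which each contactid is exactly the previous one plus 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumeration(log_text, min_run=4):
    """Return {ip: run_length} for clients that read >= min_run consecutive contactids unauthenticated."""
    unauth_ids = defaultdict(list)
    for ip, cid, authenticated in parse(log_text):
        if not authenticated:          # only unauthenticated reads count towards the run
            unauth_ids[ip].append(cid)
    flagged = {}
    for ip, ids in unauth_ids.items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # {'203.0.113.7': 5}
```

The threshold `min_run` is a tuning knob: legitimate clients rarely request strictly consecutive identifiers, so even a low value produces few false positives while catching a sequential walk of the record space.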
Optus has yet to comment on this issue. However, since the threat of data exposure has concerned many of its customers, the firm advised them to be wary of cyberattacks, such as fraudulent messages from hackers.
Moreover, Optus’ customers must remain cautious, as other hackers were able to collect copies of the compromised data samples despite the original hacker’s withdrawal, leaving customers exposed to potential cyberattacks.
Reports also underline that the telecom firm will face regulatory inquiries regarding its data handling and security procedures. The number of affected customers in the Optus data breach indicates that the firm will be on the hot seat. However, it has previously opposed a protocol for legal action against companies over data breach incidents.