Type
Incident
Actors
Pub. date
September 21, 2022
Initial access
API vulnerability
Impact
Data exfiltration
References
https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142
https://twitter.com/Jeremy_Kirk/status/1573652986437726208
https://blog.shiftleft.io/the-optus-breach-how-bad-code-keeps-happening-to-good-companies-189bb11bcf42
https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack
https://securityboulevard.com/2022/10/owasp-api-vulnerabilities-exploited-to-bypass-api-security/
https://nonamesecurity.com/learn-api-01-broken-object-level-authorization
Status
Finalized
Last edited
Jun 2, 2024 11:56 AM
A hacker reportedly stole roughly 11 million records of customer PII (going back to 2017) from Optus, an Australian telecommunications company. The data was disclosed and offered for sale in late September 2022. According to information obtained by a reporter who claimed to be in contact with the hacker, the root cause was an unintentionally internet-exposed Apigee API endpoint that was misconfigured to allow unauthenticated access.
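As an added illustration (not code from the original page or from Optus; the real endpoint's implementation has not been published), the constructed Python below shows the class of misconfiguration described above: a customer-lookup endpoint reachable without any authentication, beside a hardened version that requires a bearer token and then checks that the token's subject owns the requested record (the OWASP API1 "broken object level authorization" check the references above point to). The paths, record data and tokens are assumptions made for the example.

```python
"""
Constructed example: an unauthenticated customer-record endpoint beside a
hardened version. Not Optus code; all data, paths and tokens are invented.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for a customer-records table.
CUSTOMERS = {
    1001: {"name": "A. Example", "email": "a@example.invalid", "dob": "1980-01-01"},
    1002: {"name": "B. Example", "email": "b@example.invalid", "dob": "1975-05-05"},
    1003: {"name": "C. Example", "email": "c@example.invalid", "dob": "1990-09-09"},
}

# Constructed bearer tokens mapped to the customer id each token is bound to.
TOKENS = {"tok-for-1001": 1001, "tok-for-1002": 1002}


@dataclass
class Response:
    status: int
    body: Optional[dict]


def _lookup_id(path: str) -> Optional[int]:
    """Parse /customers/<id>; return None if the path does not match."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "customers" and parts[1].isdigit():
        return int(parts[1])
    return None


def vulnerable_handler(path: str, headers: dict) -> Response:
    """Misconfigured endpoint: no authentication and no ownership check.
    Any caller can request /customers/1001, /customers/1002, ... and read PII."""
    cid = _lookup_id(path)
    if cid is None or cid not in CUSTOMERS:
        return Response(404, None)
    return Response(200, CUSTOMERS[cid])


def hardened_handler(path: str, headers: dict) -> Response:
    """Require a valid bearer token (authentication), then check that the
    token's subject owns the requested record (object-level authorization)."""
    cid = _lookup_id(path)
    if cid is None:
        return Response(404, None)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in TOKENS:
        return Response(401, None)  # unauthenticated: no PII leaves the service
    if TOKENS[token] != cid or cid not in CUSTOMERS:
        # 404 rather than 403 so the response does not confirm which ids exist.
        return Response(404, None)
    return Response(200, CUSTOMERS[cid])


def enumerate_records(handler, start: int, end: int, headers: dict = None) -> dict:
    """Show what a caller collects by iterating ids against a handler:
    every record that comes back with status 200."""
    headers = headers or {}
    found = {}
    for cid in range(start, end + 1):
        r = handler(f"/customers/{cid}", headers)
        if r.status == 200:
            found[cid] = r.body
    return found


if __name__ == "__main__":
    print("vulnerable, no credentials:",
          len(enumerate_records(vulnerable_handler, 1000, 1010)))
    print("hardened, no credentials:",
          len(enumerate_records(hardened_handler, 1000, 1010)))
    print("hardened, token bound to 1001:",
          len(enumerate_records(hardened_handler, 1000, 1010,
                                {"Authorization": "Bearer tok-for-1001"})))
```

The point of the two handlers is that authentication alone is not enough: the hardened version first rejects callers with no valid token and then, separately, refuses to return a record that the authenticated subject does not own, so a legitimate customer's token cannot be turned into a bulk export of other customers' data.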