Cloud Threat Landscape

Made with 💙 by Wiz

Last Updated: April 3, 2025

Optus incident

Type: Incident
Actors: ❓Unknown
Pub. date: September 21, 2022
Initial access: API vulnerability
Impact: Data exfiltration
References:
  • https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142
  • https://twitter.com/Jeremy_Kirk/status/1573652986437726208
  • https://blog.shiftleft.io/the-optus-breach-how-bad-code-keeps-happening-to-good-companies-189bb11bcf42
  • https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack
  • https://securityboulevard.com/2022/10/owasp-api-vulnerabilities-exploited-to-bypass-api-security/
  • https://nonamesecurity.com/learn-api-01-broken-object-level-authorization
Status: Finalized
Last edited: Jun 2, 2024 11:56 AM

A hacker reportedly stole ~11 million records of customer PII (dated 2017) from Optus, an Australian telecommunications company. The data was disclosed and put up for sale in late September 2022. According to information obtained by a reporter who claimed to be in contact with the hacker, the root cause was an Apigee API endpoint that had been unintentionally exposed to the public and was misconfigured to allow unauthenticated access.
