New feature: Automated API Discovery from Source Code. Get Access

New feature: Automated API Discovery from Source Code. Get Access

New feature: Automated API Discovery from Source Code. Get Access

Optus Data Breach : What Happened And How Akto Can Help?

Learn how Optus, the second-largest telecommunications provider in Australia had API security breach.

Jaydev Ahire

4 min read

Optus breach
Optus breach
Optus breach

As many of us know, the world is in an age of data breaches. We've all heard stories of big companies getting hacked and having their data wiped away. But what happens to these companies if they are caught unaware? Well, Optus had one of those incidents, and it caused a massive data breach that caused some serious issues. 

What happened at Optus Data Breach?

Optus is the second-largest telecommunications provider in Australia. Over 9.8 million customer records were exposed in the Optus data breach on 22nd September. These records included customers' names, physical and email addresses, birth dates, and in some cases, government-issued identification numbers such as driver's licenses and passport numbers. Optus hasn't provided many details up to this point, but there's much to consider.

Optus said that out of its 9.8 million customers, 1.2 million had at least one number from an active and valid form of personal identification information that was exposed in the breach. Optus claimed to have gotten in touch with these clients and advised them to update their IDs. Optus tried to classify the cyberattack as ‘sophisticated,’ but actually, the attack was a ‘basic’ attack Australian Minister for Cybersecurity Clare O'Neil

What caused the massive data breach?

As per reports, the API used during testing was unknowingly exposed to the attackers, which was the primary cause of this attack. The API's exposure wasn't only bad enough, the API endpoint didn't have any authentication or authorization mechanism, which means anyone could request the endpoint without any authentication ID or authorization token.

Lastly, the ID number of customers was enumerable like 1,2,3, and so on... Instead of UUID, which is hard to guess. The lack of these basic security precautions cost Optus a massive data breach.

Monthly product updates in your inbox. No spam.

Monthly product updates in your inbox. No spam.

Monthly product updates in your inbox. No spam.

The Highlights:

  1. API used during testing got exposed.

  2. API had no Authentication or Authorization mechanisms.

  3. API had no rate-limiting that allowed attackers to send a large number of requests to retrieve data.

  4. Customer IDs were stored in a weak format instead of the UUID mechanism, which allowed attackers to easily guess and request millions of records.

How to prevent such Data Breaches?

  1. Always maintain an updated inventory of your APIs and know what sensitive data is being passed in request and response.

  2. Keep a check if an unauthenticated API is exposed to the public and sends sensitive data in response. Use a continuous testing and monitoring tool which sends alerts when this happens.

  3. Limit access to your company’s data and allow it on a role-and-needs basis. For example: Even if a supervisor supervises an entire division, he (she) might not require access to all kinds of confidential information. 

  4. Use API security tools such as Akto to prevent data breaches. Once you deploy Akto, it will discover all your endpoints, create continuous inventory, and alert if it finds an unauthenticated API exposing sensitive data through continuous testing and monitoring.

Want to ask something?

Our community offers a network of support and resources. You can ask any question there and will get a reply in 24 hours.

Want to ask something?

Our community offers a network of support and resources. You can ask any question there and will get a reply in 24 hours.

Want to ask something?

Our community offers a network of support and resources. You can ask any question there and will get a reply in 24 hours.

Follow us for more updates

Experience enterprise-grade API Security solution