Are you a ShopBack user? Find out if your account was affected by data breach

Affected users are advised to change the passwords on their breached accounts and enable two-factor authentication. —

ShopBack users can now check if their accounts have been compromised as a result of a previously disclosed data breach incident.

To find out, users simply need to key in the email address they used to register for the cashback reward service on the Have I Been Pwned website.

The popular online cybersecurity tool said it has added more than 20 million accounts belonging to ShopBack users that have been exposed in a data breach incident, which the company had previously announced in September 2020.

The website claimed the breach exposed information such as “unique email addresses along with names, phone numbers, country of residence, passwords stored as salted SHA-1 hashes (a form of password encryption)”.

It added that the data was provided by DeHashed, a hacked-database search engine.

On the Have I Been Pwned website, affected Shopback users will see results indicating how their data was impacted, with details of the incident and type of compromised data listed.

The website advised affected users to immediately change the passwords on their breached accounts and enable two-factor authentication.

ShopBack said it became aware of an incident involving unauthorised access into its system which contained its customers’ personal data on Sept 17, 2020. The company stated that the unauthorised access was removed and that it had engaged cybersecurity specialists to enhance security measures.

At the time, it said investigations were ongoing and the company was in the process of confirming which data had been compromised. It also said that the incident did not affect users’ Cashback balances.

Subsequently, the Department of Personal Data Protection (JPDP) announced that it would be seeking feedback from ShopBack to find out how many Malaysians may have been affected by the incident.

In an announcement released in November 2020, the company said it was aware of another party posting customers’ data – obtained from the breach in September – online, adding that the data does not contain any credit card details. As a precautionary measure, the company said it would be triggering forced logout and password reset for customers.

In the last update published on Dec 7, 2020, the company informed customers that it had invalidated unchanged passwords, completed forced logout and requested users to change their passwords to protect their accounts.

The company added that it will continue to cooperate with the JPDP, and encouraged customers with additional questions to email them for further clarification.

Article type: free
User access status:
Join our Telegram channel to get our Evening Alerts and breaking news highlights

Next In Tech News

FBI Director Wray urges companies stop paying ransoms to hackers
National antitrust watchdogs want more say in enforcing EU tech rules
French court sets date in Apple case over App Store developer contracts
Brazilian Senate to hear Google, Facebook, Twitter in pandemic probe
Software startup Sprinklr shares fall in NYSE debut, valued at $3.7 billion
El Salvador bitcoin plan "bulletproof", president says
CD Projekt continues to improve Cyberpunk after Sony store comeback
Spain High Court allows John McAfee's extradition to the U.S
EA buys 'Golf Clash' creator Playdemic for $1.4 billion
Mediaset investors agree to move company legal base to the Netherlands

Stories You'll Enjoy