ShopBack users can now check if their accounts have been compromised as a result of a previously disclosed data breach incident.
To find out, users simply need to key in the email address they used to register for the cashback reward service on the Have I Been Pwned website.
The popular online cybersecurity tool said it has added more than 20 million accounts belonging to ShopBack users that have been exposed in a data breach incident, which the company had previously announced in September 2020.
New breach: ShopBack had 20M email addresses breached in September. Data included names, phone numbers, country of residence and salted SHA-1 password hashes. 60% were already in @haveibeenpwned. Read more: https://t.co/jIT145Ipln — Have I Been Pwned (@haveibeenpwned) April 25, 2021
The website claimed the breach exposed information such as “unique email addresses along with names, phone numbers, country of residence, passwords stored as salted SHA-1 hashes (a form of password encryption)”.
It added that the data was provided by DeHashed, a hacked-database search engine.
On the Have I Been Pwned website, affected ShopBack users will see results indicating how their data was impacted, with details of the incident and type of compromised data listed.
The website advised affected users to immediately change the passwords on their breached accounts and enable two-factor authentication.
ShopBack said it became aware of an incident involving unauthorised access into its system which contained its customers’ personal data on Sept 17, 2020. The company stated that the unauthorised access was removed and that it had engaged cybersecurity specialists to enhance security measures.
At the time, it said investigations were ongoing and the company was in the process of confirming which data had been compromised. It also said that the incident did not affect users’ Cashback balances.
Subsequently, the Department of Personal Data Protection (JPDP) announced that it would be seeking feedback from ShopBack to find out how many Malaysians may have been affected by the incident.
In an announcement released in November 2020, the company said it was aware of another party posting customers’ data – obtained from the breach in September – online, adding that the data does not contain any credit card details. As a precautionary measure, the company said it would be triggering forced logout and password reset for customers.
In the last update published on Dec 7, 2020, the company informed customers that it had invalidated unchanged passwords, completed forced logout and requested users to change their passwords to protect their accounts.
The company added that it will continue to cooperate with the JPDP, and encouraged customers with additional questions to email them for further clarification.