Are you a ShopBack user? Find out if your account was affected by data breach


Affected users are advised to change the passwords on their breached accounts and enable two-factor authentication. — 123rf.com

ShopBack users can now check if their accounts have been compromised as a result of a previously disclosed data breach incident.

To find out, users simply need to key in the email address they used to register for the cashback reward service on the Have I Been Pwned website.

The popular online cybersecurity tool said it has added more than 20 million accounts belonging to ShopBack users that have been exposed in a data breach incident, which the company had previously announced in September 2020.

The website claimed the breach exposed information such as “unique email addresses along with names, phone numbers, country of residence, passwords stored as salted SHA-1 hashes (a form of password encryption)”.

It added that the data was provided by DeHashed, a hacked-database search engine.

On the Have I Been Pwned website, affected Shopback users will see results indicating how their data was impacted, with details of the incident and type of compromised data listed.

The website advised affected users to immediately change the passwords on their breached accounts and enable two-factor authentication.

ShopBack said it became aware of an incident involving unauthorised access into its system which contained its customers’ personal data on Sept 17, 2020. The company stated that the unauthorised access was removed and that it had engaged cybersecurity specialists to enhance security measures.

At the time, it said investigations were ongoing and the company was in the process of confirming which data had been compromised. It also said that the incident did not affect users’ Cashback balances.

Subsequently, the Department of Personal Data Protection (JPDP) announced that it would be seeking feedback from ShopBack to find out how many Malaysians may have been affected by the incident.

In an announcement released in November 2020, the company said it was aware of another party posting customers’ data – obtained from the breach in September – online, adding that the data does not contain any credit card details. As a precautionary measure, the company said it would be triggering forced logout and password reset for customers.

In the last update published on Dec 7, 2020, the company informed customers that it had invalidated unchanged passwords, completed forced logout and requested users to change their passwords to protect their accounts.

The company added that it will continue to cooperate with the JPDP, and encouraged customers with additional questions to email them for further clarification.

Article type: free
User access status:
Subscribe now to our Premium Plan for an ad-free and unlimited reading experience!
   

Next In Tech News

Elon Musk and Twitter dig for evidence as trial looms
Elon Musk seeks to narrow SEC consent decree, end pre-approval of tweets
Tencent’s China Literature ends Kindle-like ereader service as Big Tech firms pull back on unprofitable businesses
Elon Musk asks appeals court to end his 'Twitter sitter' deal
Shenzhen aims to become global esports hub by promising cash rewards, subsidies to gamers
Netflix sets up�first internal studio to develop�video games
Nanomaterial found to reduce cancer stem cells in rats, Chinese study finds
Podcasters are buying millions of listeners through mobile-game ads
Cyber warfare rife in Ukraine, but impact stays in shadows
You can now disable PayDirect on your Touch ‘n Go ewallet

Others Also Read