Bad Valentines for Optus, As Sim Activation System Got Hacked
It was a bad Valentines day for Optus, a mainstream telecom firm operating in Australia, as the company’s account website and pre-paid mobile SIM activation system were successfully breached by an unknown user named ‘Vladmir’ or ‘Sarah.’ Some customers claimed that they can view the customer information of someone else contacts details and personal data the moment they tried to activate their pre-paid mobile SIM card. This ‘cross access’ can only happen if something went wrong with the account database that Optus is using in order to authenticate users with their pre-paid SIMs.
“I tried to activate a $30 sim, and the first time I did it seemed to go through OK – except for when I clicked on the review your order button. All the details were wrong, the sim number, the name, and address – the person must have been transferring their number over, so it also had someone else’s phone number,” explained Luke Elson, a pre-paid customer of Optus.
Another upset customer named Liz Brandon mentioned that her attempt to choosing a mobile number of conflicts with other customers. “I was suddenly confronted with pre-filled data that obviously belonged to someone else. I have someone’s name and birthday showing – he/she was born after 2000. I was given [a] full name, birthday, email and physical address for this other person,” said Brandon.
The same SIM card activation glitch is also encountered by another customer named Matthew Glover. “So apparently if you activate a new prepaid sim card with Optus at the exact same time as 17 other people all their activation emails get sent to you and you still don’t get to activate your own damn sim,” emphasized Glover.
More customers went to social media platforms in order to raise their concerns, some are the following:
Hey @Optus I just got an email saying my latest bill is ready. It’s $300. It should be less than $100 as my usual plan. I logged into my account and it said “Hi Vladamir”. I have a screenshot. What’s the go??!
— Sucheta (@sgorolay) February 14, 2019
Yo someone tell @optus some shit is going down with My Account. Page refreshes every 2 seconds and when I managed to click into my account (chrome auto fills my deets) I was Vladimir? Yea i ain’t Vladimir pic.twitter.com/m1h2OMNLdY
— 🎄 Tommy 🎄 (@ShiftyChips) February 14, 2019
@Optus Optus, I just logged into MyAccount to check my bill, and I was automatically logged in as a different customer – with their name, mobile number and account number in plain view for me to see. This is a massive breach of privacy and I wonder if this has happened to me? DM
— Daniel Grallelis (@dangerelis) February 13, 2019
why my optus account say vladimir
— Aus Gov Just Googled (@GovGoogles)
Many customers also receive weird billing-related emails from Optus, prompting them being as Valdmir or Sarah, which are hints that the database used by Optus to maintain customer records is misbehaving.
On their end, Optus has issued a public apology: “We are currently looking into the issue and if required will firstly contact any customers who may have been affected.”
Kevin Jones743 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.