Optus suffers a massive data breach.
03 October 2022BREACHAWARE HQ
A total of 8 breach events
were found and analysed resulting in 923,799 exposed accounts
containing a total of 16 different data types of personal datum
. The breaches found publicly and freely available included Clash of Clans Update (2), Swachh City, Fed Bank, Lime VPN Update (2) and Involade CC. Sign in to view the full
library of breach events which includes, where available, reference articles relating to
each breach.
Categories of Personal Data Discovered
Contact Data, Technical Data, Socia-Demographic Data, National Identifiers, Transactional Data, Social Relationships Data.
Data Breach Analysis
Clash of Clans Update: Related to user activity and integrations surrounding one of the world’s most popular mobile games, these breaches carry significant risks of targeted phishing and social engineering. Since players often connect game accounts to social media or use in-game purchases, exposed credentials or identifiers can be leveraged to access broader digital ecosystems or extract value via micro-transactions.Swachh City: A platform aligned with civic engagement and urban cleanliness in India, this breach brings public service data into focus. The exposure here may affect citizens and government workers alike, potentially enabling location-based profiling or misuse of public reporting mechanisms. It also risks undermining trust in digital civic initiatives aimed at urban development.
Fed Bank: Although specific operational details are not public, any incident involving a financial institution raises alarms. Breaches associated with banks, even indirectly, can be weaponised for identity theft, account takeover attempts, or phishing schemes that exploit the brand’s trust with customers.
Lime VPN Update: With VPN services expected to secure user anonymity and data privacy, breaches here are especially damaging. If account-related information or service usage logs were exposed, users could be unmasked or surveilled, defeating the very purpose of using a VPN. Trust in secure browsing tools diminishes significantly in the wake of such events.
Involade CC: A less known but evidently affected platform, the exposure here adds to the growing list of niche services facing breaches without sufficient infrastructure for response or mitigation. These platforms often lack incident transparency and user support following such incidents.
Collectively, these incidents point to a persistent problem: organisations across sectors are struggling to secure user data, whether from gaming communities, civic apps, or privacy-focused tools. For individuals, the consequences include an increased likelihood of credential reuse attacks, identity fraud, and the erosion of digital trust. For affected organisations, these breaches may translate into regulatory scrutiny, reputational damage, and user attrition.
As threat actors increasingly target platforms with inconsistent security practices, proactive monitoring, prompt disclosures, and robust encryption must become standard, regardless of company size or user base.
Spotlight
A gold investing site has suffered a data breach resulting in information about their whole user-base being dumped online. With around 20,000 unique accounts and a variety of sensitive information, this breach becomes a little more serious. Driving licence numbers, physical addresses, and full names are just three of the datasets worth noting. The company has been trading since 2010 and "is poised to emerge as a relevant player".A well-known VPN provider who suffered a data breach last year has seen their breach data come back into circulation. When a backup server was hacked, email addresses, usernames, and VPN transaction information were exposed. Links on the darker parts of the internet had all dried up until recently, when someone posted a fresh link with all the data.
Australia's second largest telecommunications company, Optus, has recently suffered a massive data breach, resulting in over 1 million users being affected. The hacker posted a request on a popular hacking forum requesting a million dollars. However, he or she seems to have changed their mind because the hacker deleted the thread and posted a new one explaining that the data was not for sale and said "Deepest apology to Optus for this. Hope all goes well from here." Either Optus paid the hacker or he/she’s got cold feet. Optus, which was founded in 1981, had over 10 million users in 2019. The sample data included physical addresses, names, and gender.