ShopBack

In September 2020 the Singapore based rewards and cashback platform ShopBack suffered a significant data breach. The incident originated from unauthorized access to the company servers which were hosted on a third party cloud environment. The compromised data included sensitive personal information belonging to approximately 5.7 million customers globally although initial reports estimated 4.6 million records. The exposed database contained email addresses and passwords stored as unsalted SHA-1 hashes which are considered insecure and easily reversible. Additionally user names and phone numbers were part of the exposed dataset. ShopBack notified users and forced a password reset to mitigate the risk of account takeover attacks.