If You Have a ShopBack Account, Change Your Password Now

ShopBack, a cash reward platform that is used by over 5 million customers in the Asia-Pacific region, suffered a cyberattack and is now urging all its users to change their passwords as soon as possible.

The platform sent an email to all its customers, informing them of "unauthorized access" to their systems that contain customer personal data. The notification email stated that the company was still going through the process of identifying what sort and volume of data was accessed by the bad actors. The same email urged users to immediately change their passwords to avoid any potential misuse of their accounts. The company stated that cybersecurity experts have been hired to assess and deal with the breach, as well as help enhance the platform's security in the future.

Even though ShopBack claims user passwords are securely encrypted, the warning should not be ignored, and all platform users should change their passwords as soon as they can. Customers can use the website's "forgotten password" functionality to create a new password for their account. Additionally, ShopBack urged users to make use of the platform's multi-factor authentication, in the form of phone confirmation notifications, to help make their accounts more secure.

The platform was collecting user names, emails, dates of birth and bank account numbers. Even though there is no hard evidence that any of this information has been misused or resold anywhere on the dark web, the possibility always exists, given that the extent and severity of the breach have not been fully assessed at this point in time.

While a hack that leaks passwords leaves users with nothing to do except act fast and hope for the best, it is still worth following good practices when creating passwords for any website or service. First and foremost, it's a great idea to use a different password for each separate login. This makes it impossible for a single leak or hack to give bad actors access to all your accounts across multiple platforms. Secondly, it's always worth it to use a strong, complex and relatively long password.

Many platforms these days require at least a dozen characters and some demand a mix of letters, symbols and numbers to validate a password, effectively enforcing good password practices. Mixing upper and lowercase letters with those special symbols and digits vastly expands the number of combinations and makes brute-forcing such a password much harder. Creating complex passwords and keeping track of several of them can seem like a chore, but the improved security is well worth the tradeoff.

September 30, 2020
