Just saw this, so thought it's worth pointing out for those who are with Mercury.
https://www.reddit.com/r/newzealand/comments/1nb8osd/mercury_energy_customers_heads_up_your_data_is/
----
Creator of whatsthesalary.com and whatstheincometax.com
Can we have a security sub-forum?
An update to the original reddit post. https://www.reddit.com/r/newzealand/comments/1nb8osd/mercury_energy_customers_heads_up_your_data_is/

So it looks like someone from Mercury is looking at it.
@MadEngineer:
Can we have a security sub-forum?
Do we need one? How many discussions like this happen?
Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies
Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.
freitasm:
@MadEngineer:
Can we have a security sub-forum?
Do we need one? How many discussions like this happen?
hoping not a lot…
----
Creator of whatsthesalary.com and whatstheincometax.com
Not many that I've seen but it'd be nice to have more discussions on it
Cybersecurity week next month. I have lined up some freebies to give away.
Who knows?
Anyone with Mercury able to request access logs to their account? That will answer two questions - the obvious but also if they’re even logging API access at all.
Parts of their app are offline for maintenance, namely the Rewards section.
Here is a crazy notion, let's give peace a chance.
Just got the email:
Potential rewards data breach
On Monday, we became aware of an issue with rewards in My Account, accessed from the Mercury app and website. While we investigated, we temporarily switched off rewards.
We found that limited information stored under your rewards profile may have been accessible to other people. This information includes your account number, name, and property address. Following our investigation, we believe it’s unlikely your rewards profile has been accessed and misused. It would have required a high level of technical expertise to find this information. We’re sincerely sorry this happened.
We take our responsibilities with customer information seriously. Additional security measures have been established to prevent access to this information. Rewards is now available again.
What does this mean for you?
Scammers are becoming increasingly sophisticated. If you receive a suspicious email, call, or text, please immediately report it to Mercury. You can also report suspicious activity to the National Cyber Security Centre (NCSC) or Netsafe by searching for these names online.
Thanks,
The team at Mercury
Interesting to hear that they think changing API endpoint/payload with the same authentication token is "highly technical expertise". Maybe it is and I'm living in a bubble.
It would have required a high level of technical expertise to find this information.
----
Creator of whatsthesalary.com and whatstheincometax.com
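The kind of flaw turtleattacks describes (same bearer token, different account in the request) is an object-level authorization gap. This is an added illustration, not code from Mercury or from anyone in this thread: a made-up rewards lookup that trusts the account number from the payload, beside a hardened version that derives the permitted account from the session and writes an audit entry for every attempt (the kind of log the earlier post asks about). All tokens, account numbers and profile values are constructed samples.

```python
from dataclasses import dataclass, field

# Constructed sample data: which account each session token authenticated as,
# and the rewards profile stored per account number. Values are made up.
SESSIONS = {"tok-alice": "ACC-1001", "tok-bob": "ACC-2002"}
REWARDS = {
    "ACC-1001": {"name": "A. Customer", "address": "1 Example St"},
    "ACC-2002": {"name": "B. Customer", "address": "2 Example Rd"},
}


@dataclass
class AuditLog:
    """Per-request access record: who asked, for which object, and the outcome."""
    entries: list = field(default_factory=list)

    def record(self, token, requested_account, outcome):
        self.entries.append(
            {"subject": SESSIONS.get(token), "object": requested_account, "outcome": outcome}
        )


def get_rewards_vulnerable(token, account_no):
    """Checks that the caller is authenticated, then trusts the account number
    supplied in the request, so any valid session can read any profile."""
    if token not in SESSIONS:
        return 401, None
    if account_no not in REWARDS:
        return 404, None
    return 200, REWARDS[account_no]


def get_rewards_hardened(token, account_no, log):
    """Derives the only account this session may read from the session itself;
    a request for any other account is refused and logged, never served."""
    owner = SESSIONS.get(token)
    if owner is None:
        log.record(token, account_no, "unauthenticated")
        return 401, None
    if account_no != owner:
        log.record(token, account_no, "denied")
        return 403, None
    log.record(token, account_no, "ok")
    return 200, REWARDS[owner]
```

The audit entries with outcome "denied" are what an access-log request would surface if the service kept them; the vulnerable handler records nothing at all.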
jamesrt:
It would have required a high level of technical expertise to find this information.
Umm... OK, sure, BUT what that person who does find the info does with it is the problem.
They don't have to be technical to blackmail/ransom people.
That is a really **** comment to have in that email.
XPD / Gavin
turtleattacks:
Interesting to hear that they think changing API endpoint/payload with the same authentication token is "highly technical expertise". Maybe it is and I'm living in a bubble.
It would have required a high level of technical expertise to find this information.
To marketing people, inspect element is an elite-level hacking skill used to steal an image from a website. API is just mind-blowing crazy talk.
richms:
To marketing people, inspect element is an elite-level hacking skill used to steal an image from a website. API is just mind-blowing crazy talk.
To marketing people, "View source" or "developer tools" are totally North Korean leet grade hacking 😃