It’s been slammed as one of the biggest privacy breaches in Australia’s history.
An attack so large that almost 10 million Optus customers, both past and present, have been affected.
But almost a week after the offensive, the dust is yet to settle.
One minute the alleged hackers are demanding a $1.5 million ransom and releasing the information of 10,000 Aussies onto the dark web.
The next they’re apologising to the telco and claiming that they’ve deleted all of the data.
So with so much still unknown, and the country waiting on bated breath for the hacker’s next move, it’s no surprise that customers have been left scratching their heads.
Should I be panicking?
When it comes to just how seriously Aussies should be treating the attack, Nigel Phair from the University of NSW Institute for Cyber Security says it all depends on what kind of response you got from Optus.
“If you've just received general advice from Optus that your details have been compromised, then you really just need to be super alert and aware of what's going on when you're online,” he told Yahoo News Australia.
“If you're in another group where you've received specific advice from Optus, then you should worry a whole lot more.
“And then if you turn out to be one of the people in the batch of 10,000 that got released yesterday on the dark web, then you really need to actively be aware of what it means.”
What’s the worst case scenario?
Identity fraud, to put it lightly.
“Or identity takeover or the use of identifiers to gain access to a bank account, social media account or email account, that type of thing,” Mr Phair said.
Ultimately: “To do a password reset.”
But how likely is this?
“What's probably holding them back is the fact that Optus has put on credit monitoring for all the accounts,” explained Mr Phair.
“So there should be a flag if there's a new account that tries to get set up in a person's name.”
For the most affected current and ex-customers, the telco is offering a free 12-month subscription to credit monitoring and identity protection service Equifax Protect.
“So that's probably the greatest thing,” Mr Phair said. “And the fact that all the banks have been flagged to be aware of suspicious transactions or new accounts in existing names, or takeovers of accounts.
“That's probably the best piece of mitigation that's happened.”
But could someone slip through the cracks?
Yes. In a worst case scenario, Mr Phair agrees that it’s possible a hacker could sneak in through the gates unnoticed and start to withdraw money from someone’s account.
“That's where we go back to the original messaging of people who need to be really vigilant if you fall in that [disclosed] cohort,” he said.
“You need to be alert to unusual texts, phone calls, emails, [and] you need to monitor accounts.
“It's just a heightened vigilance, like you need to have all the time online.
“This is just one of many data breaches and unfortunately there'll be many that occur in the future.”
What can I do to protect myself?
According to Mr Phair, no drastic action is needed.
“They [current and former customers] don't need to do anything specific as far as they don't need to go and change Medicare numbers, drivers licences, passports, those sorts of things,” he said.
“Because to date, as far as we know, no one's had any compromise of an account or an identity.
“What they do need to do is really just be aware.
“So for example, if they get a text message which is a one time multi-factor code for a bank account they didn't try and log on to, then that's a flag and they need to contact their bank.”
How about changing passwords?
“No, I don't think so,” Mr Phair told Yahoo News Australia.
“Optus have told us there’s been no compromise of passwords so there's no reason to change them.”
But he says now is a good reminder to ensure passwords are as strong as they can be.
So does that mean adding some numbers and a special character in?
“The problem with those sorts of enforcements is people end up having weaker passwords,” he said.
“If you're told to have a capital letter, you can guarantee that capital will be the first letter because that's how we type.
“And the numbers invariably are probably going to be at the end.”
Instead he’s encouraging online users to implement multi-factor authentication measures and make the most of password managers to create impossible to guess passwords.
So is there a need to stress?
“There is still a lot we don’t know,” Mr Phair said.
“We still don’t know how it happened, who the perpetrators may or may not be or what they want."
But without any evidence of an account takeover or misuse of an identity so far, he says Optus customers don’t need to stress.
“I tend to think some people think it's a fait accompli that that's going to happen and it's not like it’s going to happen but we can't say that.
“It may, it may not.”
Do you have a story tip? Email: email@example.com.