ACCC subscriber email addresses exposed

Security researcher reports breach.

An unknown number of subscriber email addresses have been breached on websites operated by Australia's consumer watchdog, including the security service SCAMwatch.

The Australian Competition and Consumer Commission is currently investigating how much of its subscriber base was affected across its Recalls Australia, Product Safety Australia, SCAMwatch and Public Registers websites.

A spokesman for the ACCC said the organisation became aware of the breach this morning and was investigating how the email addresses were exposed.

The spokesman said email addresses could be accessed using unique unpublished URLs, but did not say whether the contacts were stored in large databases or were incrementally accessible via a direct object reference vulnerability.

"The ACCC resolved this issue as soon as it became aware of it to prevent further access to the email addresses."
- ACCC press statement

Those affected had either signed up or contacted the ACCC to alter their newsletter subscription. Passwords were not collected by the affected database and were therefore not compromised.

The agency could not say if the email addresses were breached, noting only that the exposures were reported by a security researcher.

Email addresses could be useful to spammers or hackers gathering intelligence for more targeted attacks.

The agency has notified the Australian Privacy Commissioner. It is unlikely that a breach of only email addresses would result in a financial penalty.

The exposure bears some similarities with a larger breach of 15,000 customer records by Telstra, which exposed a database of names and personal information to the internet.

While Telstra's database could be found using internet search engines, the ACCC claimed the exposed records were not indexed.

Copyright © iTnews.com.au. All rights reserved.