Posted: 2022-09-27 01:37:32

You may have heard the term API being used in relation to Optus’ breach. It stands for application programming interface, but you can think of it as a way for websites or programs to talk to each other and exchange data. So in this case, an API could have been designed to provide customer data to internal Optus systems.

Reports have suggested that the person who stole the Optus data merely exploited a poorly designed Optus API that handed over the details, a claim which Optus CEO Kelly Bayer Rosmarin has rejected.

How do I know if my data’s been caught up in this breach?

As of Monday morning, Optus said it had sent out emails or text messages to all customers and former customers whose ID document numbers — such as passport or driver’s licence numbers — were compromised. It then moved on to customers whose other details, such as email addresses, were compromised. So if you haven’t heard from Optus, it’s likely the telco doesn’t believe you’ve been affected.

What should I do if I get an email from Optus?

As ever, criminals are looking to take advantage of any widespread panic or concern, so be vigilant and make sure any communication claiming to come from Optus actually is from Optus. Check the “from” address ends in optus.com.au, and remember, there should be no links or requests for information in any Optus emails.

The email will let you know what kind of data is affected. Importantly, it will indicate whether ID document numbers such as passports were affected, but it will not explicitly say which documents. Obviously, there’s nothing you can do to remedy your name, date of birth, or residential address being distributed, and it can be very difficult to proactively change your driver’s licence or passport number before fraudulent activity occurs.

So the best course of action may be to secure your accounts and identity as best you can and keep an eye on your credit.

How do I secure my accounts?

Optus says no passwords were compromised in the breach, but if you use the same password across multiple sites that may not matter. Criminals could, for example, match their set of data from the Optus breach with a password from a previous breach, and have enough to do a lot of damage. The best practice is to use a password manager like BitWarden, LastPass or 1Password, which generates strong passwords automatically for each of your accounts.

Any service that has payment information saved, like bank apps, Amazon or eBay, will be prime targets. Change your passwords, and while you’re there check to see what happens if you try to log in without knowing the password. If all it does is send you an email, make sure that email account is also locked down and investigate whether the account offers more secure protection.

Many accounts allow two-factor authentication, so if you log on from a new device you have to prove your identity with a code. Doing this by SMS is somewhat secure but, as explained above, it is vulnerable to SIM jacking, so using an app like Authy or Google Authenticator is better. Just be sure to keep any provided backup codes in a safe place so you don’t get locked out in the event you forget your password and lose your phone.

As for your phone account, your telco should allow you to add extra security with a password you have to give verbally, although Optus’ phone lines are reportedly quite busy at the moment. Criminals with enough personal information can also potentially bluff their way around these requirements.

What about my credit?

Credit reporting companies like Equifax, Experian and Illion can put a freeze on your credit if you’re worried about criminals taking out money in your name. But this will, of course, make it difficult to take out credit yourself, and it’s only temporary so won’t stop attacks far down the track.

For Optus customers whose identity documents were accessed, Optus has promised to provide a 12-month subscription to Equifax’s paid credit alert service, which will notify you of any credit checks that may be suspicious. It’s currently unclear how to redeem this service.

Is there anything else I can do?

It’s easy to feel powerless in situations like this, given proving your identity is necessary and data breaches are all but inevitable. However, while there may be little you can do to keep crims away from your data, you can always tighten up your digital hygiene to make it tough for it to be used against you. This applies equally to Optus customers and everyone else.

Check all your email addresses against HaveIBeenPwned, a website that will tell you if they’ve been included in any known data breaches. It can be a good reminder that data about you may have been circling the internet for decades now and is being collected by criminals. Regularly change your passwords to email accounts, social media and any service that has vital or financial information about you. Or, better yet, use a password manager and two-factor authentication.

Always be vigilant with emails, text messages or calls asking you for any information. Don’t click any links. If you think the contact is legitimate, find the appropriate phone number or website address and contact them there.
