Breachwire.riscent

Breach report

Optus: an unauthenticated API endpoint exposed millions of customers

Web Application BreachesHigh (millions of records)2022-09
The bottom lineAn internet-exposed Optus API endpoint required no authentication, allowing an attacker to pull the personal records of millions of customers directly from the service.
Category
Web Application Breaches
Type
Named breach · Unauthenticated API / IDOR
Date
2022-09
Severity
High (millions of records)
OWASP
Web A01 Broken Access Control
CWE / CVE
CWE-306

What happened

In September 2022, Australian telecommunications company Optus disclosed a breach that exposed the personal data of millions of current and former customers. Optus went public on September 22, 2022, and the following day an actor posted sample data and demanded a ransom, claiming to hold the records of some 11 million customers. Exposed fields included names, dates of birth, phone numbers, email addresses, physical addresses, driver's licence numbers, and passport numbers; no account passwords or financial details were reported taken.

The attacker did not breach Optus's internal systems. Instead they reached the data through an unsecured, internet-facing API endpoint — a case that became a widely cited lesson in API security failures.

Root cause

The core failure was missing authentication (CWE-306): the API endpoint was reachable over the internet and served customer records without requiring any credential — a severe instance of broken authentication and broken access control. Reporting also noted the absence of rate limiting, data masking, and network monitoring, meaning nothing throttled or flagged the bulk retrieval of records. In the 2025 OWASP Top 10, this class of missing-authorization flaw sits squarely under Broken Access Control.

How it would have been caught

An access-control test that calls the endpoint with no token and confirms it still returns data would have exposed the flaw immediately. API inventory and authentication scanning flag any route that responds to unauthenticated requests. A reproduction hits the endpoint anonymously and confirms it returns another customer's record, then confirms records can be pulled in bulk without a credential.

How to prevent it

  • Require authentication and authorization on every API route by default; deny unless explicitly allowed.
  • Enforce object-level authorization so a caller can only retrieve records they own, defeating identifier enumeration.
  • Rate-limit and monitor endpoints so bulk extraction is throttled and alerted.
  • Minimize and mask retained sensitive data so an exposed endpoint yields less.

The Breachwire test (red → green)

Call the endpoint with no authentication token and confirm it returns a customer's personal record — the RED control. Add mandatory authentication and per-object authorization, replay the same anonymous request, and confirm it is rejected with no data returned, while an authenticated, authorized caller still retrieves only their own record.