QANTAS Cyber Incident

[ABC1]

I get spam - scam Mygov emails every few months, that last 10 days ago. Are sent to both of the emails I commonly use. Some look like from a real AU govt email and others obvious fakes
Given say 50% or more of AU residents have a Mygov account sending a spoof "Mygov" email will get some positive hits by people who (foolishly) click the link.

There is no link. Here is the rest and the phone number is correct.

 

[SYD]

I get spam - scam Mygov emails every few months, that last 10 days ago. Are sent to both of the emails I commonly use. Some look like from a real AU govt email and others obvious fakes
Given say 50% or more of AU residents have a Mygov account sending a spoof "Mygov" email will get some positive hits by people who (foolishly) click the link.

OPs looks like the legit email that get sent when some tries to login (either by accident ie mistypes their number OR trying to hack using your email).

SYD+1 had that happen a few months ago before disabling email login.

The phishing emails are easily identified by looking at the real sender email address (not what the email client is displaying by default).

 

[bronwyn75]

Exactly.

Simple - ignore/delete.

I've been getting bombed by 'Telstra' emails for months.

My husband received a text from Telstra ( he is the primary account holder) which we presumed was spam; then we found our mail apps on desktop and mobile were not working for that address and asking us to enter the password, which of course by this time was no longer valid. So we went to MyTelstra and logged in with a passkey, to discover that indeed Telstra had changed the password. Appreciate your advice, but we definitely don't click on dubious links.

 

[Daver6]

I keep getting fake emails and text from QF before my flight telling me that I'm still in Y despite upgrade requests...

 

[offshore171]

I keep getting fake emails and text from QF before my flight telling me that I'm still in Y despite upgrade requests...

Haha. I keep getting fake emails from Qantas telling me my FF points are actually worth something!

 

[ABC1]

Are you sure the email address hasn't been hacked. It's 'easy' to send an email from a known provider just as they can with mobile numbers. Have you actually been locked out using your own links and not this one?

Yes locked out

 

[Be.au]

And so it begins. 3:25AM this morning. This has never happened until the hack. Email address is legitimate. View attachment 455769

Yes, it's tax time ;P

(All someone has to do is try and log in with your email address or mobile number, enough attempts and then they've locked your account)

1) Disable signing in with your email address and mobile phone number - so it's harder for someone to break in as you need to use your XX1234 username - my.gov.au/en/about/help/mygov-website/help-using-your-account/manage-sign-in-details

or even better

2) Enable passkeys or Digital ID and disable username/password logins for MyGov - my.gov.au/en/about/help/mygov-website/sign-in-to-mygov/use-passkeys

I get spam - scam Mygov emails every few months, that last 10 days ago. Are sent to both of the emails I commonly use. Some look like from a real AU govt email and others obvious fakes
Given say 50% or more of AU residents have a Mygov account sending a spoof "Mygov" email will get some positive hits by people who (foolishly) click the link.

Especially at the current time - happy financial new year.

 

[LondonAussie]

Slightly off topic but @mods do we need also separate warning threads that Hawaiian and WestJet has also had breeches? Just less information about what data was taken in theirs that I can find immediately.

I think it’s interesting to compare, I know we are scrutinising the Qantas response to this (and rightly so) but at least Qantas have put out more details than the affected US airlines.

 

[ABC1]

Yes, it's tax time ;P

(All someone has to do is try and log in with your email address or mobile number, enough attempts and then they've locked your account)

1) Disable signing in with your email address and mobile phone number - so it's harder for someone to break in as you need to use your XX1234 username - my.gov.au/en/about/help/mygov-website/help-using-your-account/manage-sign-in-details

or even better

2) Enable passkeys or Digital ID and disable username/password logins for MyGov - my.gov.au/en/about/help/mygov-website/sign-in-to-mygov/use-passkeys


Especially at the current time - happy financial new year.

This is the first time it’s happened to me. It’s too coincidental

 

[Daver6]

Yes, it's tax time ;P

(All someone has to do is try and log in with your email address or mobile number, enough attempts and then they've locked your account)

1) Disable signing in with your email address and mobile phone number - so it's harder for someone to break in as you need to use your XX1234 username - my.gov.au/en/about/help/mygov-website/help-using-your-account/manage-sign-in-details

or even better

2) Enable passkeys or Digital ID and disable username/password logins for MyGov - my.gov.au/en/about/help/mygov-website/sign-in-to-mygov/use-passkeys


Especially at the current time - happy financial new year.

What's a little ridiculous is there are certain things you can't do if you login using a passkey but can do using a username and password. Total fail IMHO.

 

[Quickstatus]

Still no email from QF. Whats happening? Am I missing out/

 

[Pushka]

Still no email from QF. Whats happening? Am I missing out/

Yep. As are we. Suspect a faulty data base.

 

[Be.au]

What's a little ridiculous is there are certain things you can't do if you login using a passkey but can do using a username and password. Total fail IMHO.

Username/Password and Passkeys are treated the same AFAIK, it's the ATO that will insist on a Digital ID in some circumstances and the username/password/passkey isn't enough. (not passkey specific)

This is the first time it’s happened to me. It’s too coincidental

I'm guessing you used the same email address for MyGov as your Qantas account, or the same mobile number?

As suggested earlier, turn them off as login username options with MyGov.

 

[Quickstatus]

As suggested earlier, turn them off as login username options with MyGov.

It's very difficult to remember the MyGov generated username

 

[Daver6]

Username/Password and Passkeys are treated the same AFAIK, it's the ATO that will insist on a Digital ID in some circumstances and the username/password/passkey isn't enough. (not passkey specific)


I'm guessing you used the same email address for MyGov as your Qantas account, or the same mobile number?

As suggested earlier, turn them off as login username options with MyGov.

You're right about it being ATO. I was sure username/password was accepted but suspect my memory is failing me and I probably used digital ID instead.

 

[ABC1]

Username/Password and Passkeys are treated the same AFAIK, it's the ATO that will insist on a Digital ID in some circumstances and the username/password/passkey isn't enough. (not passkey specific)


I'm guessing you used the same email address for MyGov as your Qantas account, or the same mobile number?

As suggested earlier, turn them off as login username options with MyGov.

I use the MyGov generated username. Hackers obviously don’t know that.

 

[moa999]

Also got the new myID service that links ID to a specific device which presumably stops nefarious actors

 

[drron]

Well I had the first email but not the second as of now.