A breach of Australian telecommunications providers Dodo and iPrimus has seen the email and mobile phone accounts of some Dodo customers hacked, parent company Vocus has confirmed.

The company — one of the largest telcos in the nation behind Telstra, Optus, and TPG — announced the breach on Saturday after both its Dodo and iPrimus brands said they “detected suspicious activity” in their shared email system on Friday, 17 October.

“Our initial investigation has revealed unauthorised access to approximately 1,600 Dodo email accounts, leading to unauthorised SIM swaps on 34 Dodo Mobile accounts,” a Vocus spokesperson said in a statement.

“We have worked with impacted customers to reverse these SIM swaps and we continue to monitor this situation.”

Cybercriminals can use SIM swapping techniques to transfer a victim’s phone number to another SIM card under the attacker’s control, often by convincing a mobile network provider that they own the account.

Once completed, such attacks can allow scammers to intercept calls and text messages, including two-factor authentication codes, to potentially gain access to other services used by the victim.

Vocus did not comment on any specific techniques hackers may have used to gain access to its Dodo email accounts.

Email accounts suspended to help ‘contain the issue’

Vocus said it had “progressively suspended email services” for Dodo and iPrimus customers and “restricted” email access for customers of its enterprise brand Commander during the incident to help “contain the issue”, before access was restored on Sunday.

The company said Dodo email customers would need to set new passwords for their email accounts in order to regain access, by contacting Dodo on 1300 038 224.

Email accounts in iPrimus were “operating as expected”, Vocus added.

The firm said it would continue to update customers and would offer them additional help through identity and cyber support service IDCARE.

“We apologise for the inconvenience caused by the temporary suspension of email services while we prioritised security,” the Vocus spokesperson said.

“We are continuing to monitor and have notified authorities of this incident.”



Telcos face cyberattacks and SIM swap scams

The Dodo and iPrimus breaches were the latest in a string of recent incidents involving Australian telecommunications providers.

TPG-owned iiNet saw around 280,000 of its customers’ details compromised by cybercriminals in August, with email addresses and phone numbers extracted from an order management system within the company.

Local telcos such as Exetel, Telstra, and Medion Australia have recently been fined after investigations by the Australian Communications and Media Authority (ACMA) found they had exposed customers to SIM swapping scams.

Dodo and iPrimus were themselves fined $2.5 million in 2021 for making misleading claims about the speed of their NBN internet plans.

That was after Dodo agreed to pay a $360,000 fine in 2019 when the Australian Competition and Consumer Commission (ACCC) alleged some of its NBN plans did not live up to marketing material which described them as “perfect for streaming”.