James North
I'm a Dymocks customer (not that I've purchased anything recently). Regrettably, I handed over my phone number to Dymocks several years ago before I could think better of it. My phone number now eternally resides somewhere in a database on Dymocks' many servers.
As of last week, it's in the hands of any hooded teenager typing away at their laptop in the dark.
I received an SMS a few days ago that went like this:
"We believe some customer data may have been compromised. We're investigating & will update: Details: suspicious.short.link
OPT-OUT: suspicious.short.link"
There are two things to take note of here. The first is that the SMS uses a short link instead of linking directly to the website. Some businesses will do this, but it's always a bad sign. The second, less obvious but much more suspicious fact is that it contains a link to OPT OUT. The standard way to opt out of messaging from a business is to send back a message with the content "STOP" or something similar.
It should go without saying, but try to avoid clicking links to unsubscribe, even if you trust the business.
In any case, what is going on here?
Here's what I suspect.
When Dymocks' customer database was leaked, an enterprising individual or group went through the entire dump and extracted all the phone numbers. They then sent a message to every single one of these users informing them that Dymocks has been compromised and providing a link for more explanation.
For many Dymocks customers, this is probably the first they're hearing of the compromise. It was for me. I never got an email from Dymocks about it. That makes it seem more legitimate.
If you haven't seen it, now is a good time to give Mr. Robot a watch. It's my favourite TV show about exploiting computers. The NET was weird, and Wargames was fun, but Mr. Robot is so much more than that.
(Yes, some of the hackers wear hoodies)