AFP investigates $1m ransom demand posted online for allegedly hacked Optus data

The Australian federal police is investigating after the data of millions of Optus customers exposed during a recent hack was allegedly put up for sale online.

On Saturday morning a post appeared on a data market from a user claiming to be in possession of the information obtained from the breach with a demand for $1m in Monero cryptocurrency.

The user posted a sample of the data. The cybersecurity researcher Jeremy Kirk said the sample appeared to correspond to real-world addresses and people, which suggested the post was genuine.

Even if Optus was to pay the ransom, there is no guarantee the user would stick to an agreement not to sell the data elsewhere.

Kirk said he had verified some of the information by speaking to a neighbour whose name and address was contained in the sample.

This information could not be immediately verified but a spokesperson for the AFP said the agency was aware of claims the data had been put up for sale.

The spokesperson warned that it was an offence to buy stolen credentials with those convicted facing a maximum penalty of 10 years in jail.

Optus on Thursday announced it had suffered a massive cyber-attack, with the personal information of up to 9.7 million customers stolen, including names, dates of birth, addresses and contact details.

Many customers have reported a nervous wait to be contacted by Optus or having to take matters into their own hands and call the company to find out whether they had been exposed in the attack.

In a new statement on the attack, Optus said it was cooperating with authorities while it was continuing to contact customers who may have had their data stolen.

The company said that since it announced the attack, it had become aware that cybercriminals may begin targeting Optus customers with phishing scams.

It warned customers to be wary of links sent in SMS texts or emails.

The Department of Foreign Affairs and Trade, which overseas the Passport Office, did not immediately respond to questions about whether it would automatically reissue passports of those affected.

A spokesperson instead referred to statements published on Friday which sought to make clear there had been no breach of passport systems.

Those who are affected are advised that it is up to the individual to apply for a new passport.

Applications to replace a passport cost $308.