Fasten your seatbelts and change your passwords: Qantas just announced its customers have had their data stolen as a result of an external hack. Here's what happened and what you need to do next.

Change your passwords. Right now

First things first: if you're using any common passwords, change them right now. Don't even finish reading this. Go change them.

I've previously worked in cybersecurity for a big bank, and what I can tell you is that shared or common passwords have to be the number one way that people (and companies) get breached these days.

Think of it like this. You've got a key to your house, your car, maybe a locker or maybe even an office. There's a reason all of those keys aren't the same. Because if hackers got one key, they'd be able to unlock and ransack every aspect of your life! It's the same with passwords:  if you've got one shared password between your social networks, banks, superannuation account or even MyGov/Medicare, a breach of one is a breach of all. 

There's a reason that remembering unique passwords feels hard. It's because it is. The human brain isn't meant to remember 100 different passwords. Thankfully, there are a tonne of free ways to be more secure thanks to password vaults. There's probably one on your phone right now and you don't even know it.

A password vault locks up all of your individual and (more importantly) unique passwords behind a PIN, password or even your biometrics like your faceprint or fingerprint. They're then locked up safely on your device inside the most secure enclave your device has (Apple, for example, literally calls it the Secure Enclave, by the way) and they're not online in some honeypot waiting for a hacker to swipe it. That way, you only have to remember the one password. Or if you use biometrics, you won't have to remember one at all.

If you want to set up your device's built-in password vault, follow the instructions here for Apple devices, here for Samsung devices or here for Google Accounts.

On with the show.

Qantas: what got hacked?

Hackers managed to gain access to a system used by a company Qantas works with and made off with a bunch of customer data. The company breached was one of its "contact centres". Think call centres, external marketing firms, any of the hundreds of companies Qantas uses to outsource to these days, really. It isn't giving the name of the company at this time.

Instead, Qantas' CEO has said that all of its own systems "remain secure at this time" after the breach was contained.

So what did they take? Not anything of vital importance, to be honest. Qantas says that "the compromised data includes some customers' names, email addresses, dates of birth and Frequent Flyer numbers".

Qantas CEO Vanessa Hudson has been at pains to point out that really meaningful stuff - like credit card or passport information - was not taken as a result of this hack. 

These sorts of details on you and your friends/family are probably already out in the wild, anyway. The number of data breaches over the last year alone has seen billions of records leaked and sold on the dark web.

How did it happen?

Hackers didn't exactly kick down the door and make off with a computer full of files. Instead, they breached a business that works with Qantas instead.

Here's how Qantas CEO Vanessa Hudson describes what happened:

On Monday, we detected unusual activity on a third-party platform used by one of our airline contact centres. We immediately contained the incident and can confirm all Qantas systems remain secure.

Our initial investigations show the compromised data includes some customers' names, email addresses, dates of birth and Frequent Flyer numbers. Importantly, no credit card details, personal financial information and passport details are held in the system that was accessed. No Frequent Flyer accounts, passwords, PIN numbers or log in details have been compromised.

Honestly, it's unsurprising. It's actually very common these days for businesses who work with lots of other businesses to get hacked this way. Hackers figure it's pretty tough to crack the steel walls of a bank or telco, but their customer's data probably lives on systems outside the secure area so that contractors can do business with them. It's these so-called "third-party hacks" that you're likely to see the most in the wild these days.

Given how much of our data is online and the ongoing boom industry that is cybercrime, scams and phishing, every single service that keeps data on its customers is bound to be hacked eventually. It's a matter of "when" and not "if" these days.

What do you need to do to stay safe after the Qantas hack?

Right now, you don't really need to do anything. Even if you have upcoming travel, this hack won't affect your plans. 

The only action you need to take is to make sure your passwords are all different across all your services, including Qantas. If you are using common or shared passwords, check out the section up top to change your passwords quickly and easily so your whole life doesn't fall into the hands of scammers. 

According to Qantas, passwords weren't leaked as part of this hack, but remember: everyone will get hacked eventually. Better to be prepared earlier!

If you're worried, Qantas has set up a dedicated line you can call to ask questions: 

"Contact our dedicated support line on 1800 971 541 or +61 2 8028 0534 for assistance, including specialist identity protection advice, or visit our webpage for more information."