ShopBack NZ. How I Was Scammed out of $300

Well, it seemed like a good idea at the time.

I started using my ShopBack account to order Domino’s pizzas and get 25% cashback on every purchase. Within a few months, I’d built up $30 in cashback and decided to withdraw it – even though I was sceptical it would actually work.

To withdraw the $30, I obviously had to provide my bank account details so ShopBack could make the deposit. That made perfect sense. There was about a one-month wait between requesting the withdrawal and the expected deposit date… all that time, my bank details were just sitting there on ShopBack’s site.

The deposit eventually came through! I’d also accumulated more cashback and planned to save it up for a bigger withdrawal later in the year – something more substantial than $30. So far, ShopBack seemed to be doing exactly what it promised… albeit VERY slowly. Transactions took forever to be confirmed, and withdrawals took even longer.

Then came the horror: my actual bank account was drained to $0 after someone bought three $100 Apple gift cards – using the ShopBack site!
My account had been compromised. Scammers were somehow able to use the bank details I’d provided for deposits to make purchases directly from ShopBack (I didn’t even know purchases were possible through the platform).

If you Google “ShopBack data breach”, you’ll see plenty of reports about how my account – and possibly yours – was likely hacked.
ShopBack’s customer service was non-existent and completely useless. They refused any refund and told me to speak to my bank. My bank pointed out that the transactions were authorised through ShopBack, so I had to go back to them. Six weeks later, ShopBack has closed my case and stopped responding altogether.

My bank has rightly placed the blame on ShopBack for their lax security and poor protection of my personal information. I’ve had to close my old account (at my own expense), open a new one, and redo all my bill payments and direct debits – a massive hassle. I’m now trying to pursue a chargeback through my bank, but I have zero hope of getting my money back.

So here’s the warning: to use ShopBack and ever withdraw your cashback, you MUST hand over your full bank account details so they can credit you (eventually). But those same details stay on their system, ready for any scammer exploiting ShopBack’s repeated data breaches and terrible security to drain your real bank account – and once the money’s gone, you’ll probably never see it again.


Comments

  • @gotyourback

  • +8

    This is bad.
    But how can someone use your bank number to buy something?
    People give me their bank details when I have to pay them. I know the bank details of many people.

    • +1

      I was thinking the same way as well. Unless your bank login is compromised.

      • +3

        When I was ready to withdraw the $30 Cashback from ShopBack - I selected "Withdraw Money" and supplied only my Bank/Name/Account Number .. which successfully resulted in a Bank Transfer for ShopBack to my Account.

        I also DO NOT understand how those details could be used to make $300 worth of fraudulent purchases from the site.

        • +4

          I just checked the app. If you want to buy some Apple iTunes gift cards, you can only use a credit/debit card or your remaining Shopback balance. You can't do bank transfer for the purchase even though you've supplied the bank account number for cash withdrawal purposes. I would go back to the bank and ask them to clarify how exactly the fund got deducted.

          • @xsolider: Can you save the debit card to ShopBack? (Possibly saved on their payment gateway but either way something anyone who can access the Shopback account has access to.)

    • +7

      I'm wondering the same thing. My best guess is that OP's Shopback account was compromised and the scammer used a saved debit card to make the purchases on the Shopback platform.

  • +4

    Hi @HuxterNZ,

    Sorry to hear that.

    I was aware of the breach some years ago, but I had not heard about funds being withdrawn through ShopBack from people's bank accounts. Obviously, simply providing your bank account name and number should never, in and of itself, give anyone authority to withdraw funds from your account, else half the businesses in NZ would have problems, since they provide their bank account name and numbers on all their invoices, and also on their websites in many cases.

    I 'Googled' as you suggested but nothing obvious came up explaining how the scammers had managed to withdraw funds from victims' bank accounts - the articles only noted details of the fact of the breach itself.

    I probably missed the ones that explain how the funds were withdrawn - please could you point us in the direction of an article that explains how that happened.

    Thanks,

    Alan.

    • +1

      Yeah, because it's a yarnnnnnn

  • Also we set up direct debits on all sorts of services and utilities. Which has more authority than just having a bank account and name. Which I believe doesn't allow anyone to make any transactions without yourself doing some kind of approval.

    • … direct debits … [don't] allow anyone to make any transactions without yourself doing some kind of approval.

      The original authority you sign gives the third party that approval.

      However, they also have to be a 'reputable' (which means 'large' I suspect) organisation to be able to process direct debits, and the penalties, if you do something wrong are (or at least used to be) significant, so you would need really good systems / processes to make it worthwhile and manage that risk.

      Having said that, I almost never sign direct debit authorities for third parties, or if I do (sometimes you effectively have no choice if you want to setup a given account), I then rescind it once everything is up and running, and always just pay on invoice. Generally, I have gotten a number of letters from the third party asking me to re-instate (or setup anew), but having just ignored those for long enough, they seem to give up - presumably because they can see I always pay on time (probably slightly in advance of when the direct debit would have run anyway). So far at least, no-one has actually cancelled an account I have had where I did that, but the sample size is small (maybe three or four over twenty years), so don't rely on it working!

      Someone else I know only provides direct debit authorities on a bank account that they keep with, essentially, a zero balance (or perhaps a few dollars), and they fund it ahead of the direct debits being processed. Seems like a good option, as long as your bank would not allow the direct debit to cause you to go overdrawn and / or charge you a fee for 'bounced' payments - I have no idea on that though.

  • Ouch :S Assuming it has something to do with the breach + how Americans use old ACH crap.

    For those reading this re staying safe.. suggest

    1. Set up MFA with your bank, eg need to auth things.
    2. For places like shopback, use a paypal account to withdraw to.

    For those asking how they can take out money with only bank account details..

    https://ramp.com/blog/ach-fraud

    We don't use ACH in NZ, so it's not a problem here when dealing with NZ based suppliers etc.

    • Assuming it has something to do with the breach + how Americans use old ACH crap.

      The US banking system seems like something out of the fifties - I don't believe that type of issue was ever a problem in NZ (or Aus or the UK)?

      Completely irrelevant here and now of course.

      Does make me wonder how they get customers (say) to pay you in the US without 'publicising' your bank account number though. Not enough that I can be bothered to find out though :-)

  • +2

    This is why I use Paypal to receive the credits, then link my bank account to Paypal. I only receive money from Paypal, there's no funds on it.

    Not to mention that you put 2FA auth on everything as a minimum.

  • +3

    Hey there 👋 @HuxterNZ really sorry again for what happened — we totally understand how stressful that situation must’ve been. We just wanted to reassure you and others that after a thorough check, there’s been no data breach or security issue on ShopBack’s end. Our systems remain secure, and this looks to have been an isolated account compromise, not caused by a breach in our platform.

    We completely understand your concern, and we’ve shared all the investigation details with you directly via email. Since the vouchers were already redeemed before we were alerted, a refund unfortunately wasn’t possible — but we did recommend raising a chargeback with your bank, as that’s the best path to recover those funds.

    For anyone else reading, if you ever notice something unusual on your account, please:

    • Change your password immediately
    • Enable two-factor authentication (2FA) for extra protection
    • Contact our support team at [email protected], so we can help straight away

    We take every report like this seriously and are always improving our security to protect our users 💚

    • +1

      Without giving out any personal information, and in the interest of everyone else protecting themselves, can you explain exactly what happened here and how the compromised account was used to withdraw funds from the victim's bank account through your own platform? From my perspective, this is an utterly disastrous failure of your security protocols, regardless of whether it's a single account compromise or wider. Does it suggest that your system stores the bank details in plain text? Surely they are encrypted and stored separately, and account credentials alone wouldn't give one access to the full stored details? What has been done to prevent this from ever happening again, at a system or account level? Why should anyone ever trust your company with even semi-sensitive information in light of this occurrence?

      • Reading between the lines; isolated account compromise and recommending initiating chargeback suggests OP's account, with a saved credit-network payment method (credit card or debit card), was compromised and the infiltrator used the account to buy vouchers on Shopback's platform. I'd bet good money OP's bank account details being on the platform are unrelated.

        • Hey hey 👋 really appreciate the questions and the chance to clarify a few things here. We totally get why this sounds worrying, and we want to be transparent about how we handle user data.

          ShopBack never stores payment info or bank details in plain text — everything’s fully encrypted and tokenised, which means even internally we can’t view or access that information directly. Logging into a ShopBack account doesn’t expose any stored card or bank details that could be used for purchases.

          Our security team has rechecked this incident carefully and confirmed there’s no system breach or failure in our security infrastructure. This appears to be an isolated case of unauthorised access to a single account, and we’ve since added additional safeguards to make accounts even more secure.

          We take these reports very seriously and genuinely appreciate everyone raising their concerns — it helps us keep improving 💚 if anyone ever notices anything unusual, please reach out to [email protected] and we’ll jump on it right away.

          • @gotyourback: Please tell us, very clearly, how any information you have can be used to withdraw funds from a bank account? Or was this unauthorised use of a credit card?

            • @boldbilly: I feel like it would be wrong to speak about this case in that sort of detail publicly.
              Perhaps @HuxterNZ could confirm if it was bank account or credit card?

              • +1

                @RockCartel: Good security is not based on ignorance

                • +1

                  @boldbilly: Agree.
                  Talking about this is general is great.
                  Just not specifics of the OP case, unless they choose to share that.

                • @boldbilly:

                  Good security is not based on ignorance

                  I completely agree. Security through obscurity is no security at all.

                  Anybody should be able to fully disclose all the workings of their system, and it should have no detrimental impact on their security at all.

                  Consider that many of the most secure software implementations are completely open source, and yet they are rock solid.

              • +1

                @RockCartel: Probably a debit card. If the debit card was linked to the bank account, then money would come from that bank account but it's coming via the debit card not the bank account number. To be honest, I have sympathy for ShopBack here. I'm not convinced explaining such a level of detail about the OP's case would comply with NZ privacy laws & at the very least likely something which would need the approval of their lawyers.

                I guess they could say something like "It's not possible to make purchases using a bank account number saved to ShopBack. Purchases can only be made using saved credit or debit cards. For a debit card, the money will come from whatever bank account is linked to the debit card. ShopBack does not know what this account is as it's between the bank and customer." but that's about it.

    • TLDR; Don't use the same email and password

      A quick and easy example of how someone can get access to your account (any online account not just Shopback)
      1. Sign up to Shopback using email address [email protected] with a long good password
      2. Sign up to some Other-site using the same email address and password
      3. The Other-site admin takes your email and password and sells it on darkweb
      4. The buyer on darkweb tries the email and password on sites where they can buy things that can be monetized, and are hard to trace back (think digital delivery).

      Using Bitwarden with unique passwords is an easy way to avoid this

      • +1

        How would any of that lead to a 'scammer' being able to make a withdrawal from the OP's bank account as they stated:

        Then came the horror: my actual bank account was drained to $0 after someone bought three $100 Apple gift cards – using the ShopBack site!

        My account had been compromised. Scammers were somehow able to use the bank details I’d provided for deposits to make purchases directly from ShopBack (I didn’t even know purchases were possible through the platform).

        • If they also used the same email and password for the bank login.
          It's unfortunate, but a lot of people do. I did in the past.

          • +2

            @RockCartel: AFAIK, NZ banks, especially the mainstream ones, don't use email addresses for online banking logins.

          • @RockCartel:

            If they also used the same email and password for the bank login.
            It's unfortunate, but a lot of people do. I did in the past.

            My bank has never used my email address for my login name, and I don't know of any in NZ that ever did, but I can't rule it out for overseas banks.

        • If there's a debit card saved on the ShopBack site, then anyone with access to the ShopBack account could buy whatever they want on ShopBack's site using that debit card. And if the debit card is tied to the same bank account the OP entered, money would come directly from their bank account. That's the disadvantage with debit cards. It would have nothing to do with them entering their bank account it's just because they provided their debit card.

          ShopBack will potentially still flag some stuff as suspicious & stop it perhaps asking for verification e.g. to re-enter the CVV or something from the debit card. And some sites required it all the time. But it's very common that saved cards don't need any re-entry and detecting questionable orders is complicated. E.g. you could flag any unusual IPs especially VPNs but these can arrive in a lot of circumstances for normal customers.

          • @Nil Einne:

            If there's a debit card saved on the ShopBack site, then anyone with access to the ShopBack account could buy whatever they want on ShopBack's site using that debit card. And if the debit card is tied to the same bank account the OP entered, money would come directly from their bank account.

            If that was the scenario, OP should have been able to do a chargeback, and given that OP's 'bank account was drained to $0' it would be immediately noticeable, at least for the vast majority of people :-)

            • @Alan6984: They said they are doing a chargeback just they have zero hope of getting their money back. But they haven't explained why, or anything further. They also said they've had some back and forth with their bank and Shopback lasting six weeks.

              None of this is particularly surprising or unusual IMO, I've heard enough reports of banks trying to fob off customers onto some other party even if they arguably should make the customer whole. (That said, there are also legitimate reasons for this. A lot of stores will ban you once you do a chargeback. So if you want to continue to use that store, seeing if they'll make you right first is reasonable provided you're careful not to miss the chargeback deadline.)

              Especially not surprising the bank would react the way they did in a case like this where it wasn't that the card was compromised but that an account where the card was stored by the customer was compromised. Debit card protections can also be weaker although I think this generally isn't the case in NZ. (The other big issue with debit cards is as reflected here even if the amount $300 is on the smaller end. When something goes wrong or even just with an auth hold, you lose access to your actual money until it's resolved.)

              From what I see, there's no mention of the OP taking a while to notice. But also whether it came via the debit card or directly via the bank account, I don't see why it makes much difference how long it takes the OP to notice unless they are actively using that debit card for other stuff.

      • Yeah credential stuffing is a big risk. It's one of the reasons a lot of browsers will warn you if the password you entered was exposed as part of a known breach.

    • +1

      Hmmm! From what you've said, you (ShopBack) 'unfortunately' can't do a refund (because……). However, a Bank chargeback 'is the best path…..'

      So 2 possibilities here:

      1.) You won't voluntarily refund, but if the bank forces your hand (by taking the funds), c'est la vie (in which case, why don't you just do the decent thing from the get-go?).

      2.) The bank refunds HuxterNZ from its own pocket.

      It's very easy for you to declare (here) that there has been no data breach or security issue, but you yourselves will know the route and terminal used to breach/compromise HuxterNZ's account.

      SURELY you can do better than burying your heads in the sand, hoping that privacy and obfuscation will enable you to sail out of the conflict zone?!

      • @Onatopp It's not quite that simple.

        For example - if the transaction was processed using 3D Secure, ShopBack paid higher transaction processing fees for the bank to verify the cardholder's identity. The bank does a risk-assessment of the transaction and can either choose to let it through, challenge with two factor verification, or decline the transaction. The bank takes on liability for fraud losses in this scenario - because it was up to them to validate the cardholder.

        So if 3DS was used - the bank is liable for fraud losses and it would make no sense for ShopBack to process a refund.

        We simply don't have enough info to know what went on here. But the outcome is the same - OP should be raising a chargeback with their card issuer. This is what that process exists for.
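  The comment above describes the three outcomes a risk assessment can produce for a card payment (let it through, challenge with a second factor, or decline), and an earlier reply notes that a merchant can also step up a saved-card purchase itself, for example by asking for the CVV again. The following is an added example, not ShopBack's or any card scheme's code, of how a merchant-side scorer for a purchase on a saved card could reach one of those three decisions. The signals, weights and thresholds are assumptions chosen to illustrate the idea: a gift-card order from an unrecognised device in an unusual country, well above the account's normal spend, should not sail through on a card on file.

```python
"""Allow / challenge / decline scoring for a saved-card purchase (added example)."""
from dataclasses import dataclass


@dataclass
class AccountHistory:
    known_devices: set          # device identifiers seen on prior good logins
    usual_countries: set        # countries of prior good orders
    typical_max_amount: float   # largest past order, used as a spend baseline
    password_changed_minutes_ago: int


@dataclass
class Order:
    amount: float
    category: str      # e.g. "food" or "gift_card"
    device_id: str
    country: str
    payment: str       # "saved_card", "new_card" or "balance"


def risk_score(order, history):
    """Sum constructed weights for each risk signal; return (score, reasons)."""
    score, reasons = 0, []
    if order.category == "gift_card":
        score += 30
        reasons.append("gift card: redeemed instantly, hard to claw back")
    if order.device_id not in history.known_devices:
        score += 25
        reasons.append("unrecognised device")
    if order.country not in history.usual_countries:
        score += 25
        reasons.append("country differs from account history")
    if order.amount > 2 * history.typical_max_amount:
        score += 20
        reasons.append("amount far above this account's usual spend")
    if order.payment == "saved_card":
        score += 10
        reasons.append("card on file: no fresh cardholder proof")
    if history.password_changed_minutes_ago < 60:
        score += 20
        reasons.append("credentials changed within the last hour")
    return score, reasons


def decide(order, history, challenge_at=40, decline_at=80):
    """Map the score to one of the three outcomes the issuer also uses:
    'allow', 'challenge' (re-enter CVV / 3DS step-up) or 'decline'."""
    score, reasons = risk_score(order, history)
    if score >= decline_at:
        return "decline", score, reasons
    if score >= challenge_at:
        return "challenge", score, reasons
    return "allow", score, reasons


if __name__ == "__main__":
    # Constructed account: one known device, orders only from NZ, biggest past order $40.
    history = AccountHistory({"dev-A"}, {"NZ"}, 40.0, password_changed_minutes_ago=100_000)
    usual_pizza = Order(35.0, "food", "dev-A", "NZ", "saved_card")
    gift_spree = Order(300.0, "gift_card", "dev-Z", "XX", "saved_card")
    small_gift = Order(50.0, "gift_card", "dev-A", "NZ", "saved_card")
    for name, order in [("pizza", usual_pizza), ("spree", gift_spree), ("gift", small_gift)]:
        outcome, score, reasons = decide(order, history)
        print(f"{name}: {outcome} (score {score}) {reasons}")
```

A challenge outcome is where the CVV re-entry or 3D Secure prompt mentioned above belongs: the account password alone then no longer suffices, which is the failure mode this thread is about. Weights like these are normally tuned against real fraud labels rather than picked by hand.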

        • Hey hey 👋 appreciate all the thoughtful replies here — it’s totally fair to ask questions when something like this happens.

          We’ve been in touch with the user directly and made sure they’ve got clear next steps through their bank to resolve things. Our team has also double-checked everything on our end, and there’s no indication of any issue with ShopBack’s systems.

          We really value everyone raising their concerns — it helps us keep improving and making sure our community stays safe 💚 If you ever notice something unusual or need a hand, just reach out to [email protected] and we’ll jump on it right away.

        • The cardholder (who pays for the items on the card bill) is genuine (that's not the issue) - it's whether the $300 transaction(s) for the $100 gift cards was actually the cardholder or a fraudster in possession of the card details.

          If the cardholder hasn't lost their card, the $300 bill would be a surprise. Where did the fraudster get the details, and how did they pick up the goods or take delivery of them?

          I take your point, though.

          Maybe the cardholder didn't 'log off' after an initial genuine transaction? Leaving the Shopback site open for the next user?

          For example, on my banking site, it auto logs off after a few minutes to prevent this.

          It looks like helpful suggestions are forthcoming, and that's the main thing.

          • @Onatopp: Yes - I suspect the fraudster likely compromised the user's ShopBack credentials and bought gift cards with the saved card on file. If that is the case - ShopBack isn't necessarily liable for fraud losses (e.g. if 3DS was used with the transaction) so we can't critique them for being "unhelpful" by refusing to do a refund.

  • “Terrible security”
    Probably intentionally if it’s an in-house job.

    • Hey there 👋 just to clear things up — there hasn’t been any breach or internal issue on our side. Our systems are secure, and all user data is fully encrypted and protected.

      What happened here was an isolated account compromise, not something caused within ShopBack. We’ve double-checked everything with our security team and also strengthened a few extra safety measures just to be sure.

      We totally get why people are concerned and appreciate everyone speaking up — it helps us keep improving and protecting our community 💚 if you ever spot anything unusual, please reach out to [email protected] so we can help right away.

      • I believe you, and your reassurances are lovely, but it's a shame you won't share the details of what happened so we all might learn from the mistake. (Perhaps not relevant to the consumer, but educational for those of us running other organisations)

        Make the world a better place - I dare ya!

  • +1

    Gift vouchers can only be purchased using ShopBack credit or New Zealand issued Visa/MasterCard. It sounds like the purchase was made via debit/credit card, in which case a chargeback is your first port of call. If the transaction is within ~120 days you should be successful with a chargeback in this case.

    If it has been longer than 120 days but you contacted your bank within 120 days and they DIDN'T suggest a chargeback, I would raise a complaint with the bank.

    It looks like ShopBack did suffer a pretty bad data breach in 2020, and SHA-1 salted password hashes were exposed. If you used a simple password it was likely cracked and widely circulated on the dark web, a more complex password (12+ chars, random) would likely be safe.

    ShopBack forced password resets after the breach so unless the original password was reused, this should not have resulted in account compromise.

    In summary:
    1. Bad form by ShopBack on that data breach, but appropriate steps were taken
    2. This particular issue is likely a result of account compromise - either from reusing passwords across websites, or re-using the original password after the ShopBack data breach
    3. In this case - the fraudster bought the vouchers with debit/credit card, and a chargeback should be sought
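    The point in the comment above about salted SHA-1 hashes (a simple password likely recovered, a 12+ character random one likely safe) comes down to the cost of one guess. The script below is an added example for this thread, not code from ShopBack or from the commenter; the wordlist and passwords are constructed. It shows a salted SHA-1 hash being matched against a small dictionary the way a defensive password audit would, compares the per-guess cost of SHA-1 with a deliberately slow PBKDF2 hash, and turns that cost into a worst-case search time for a random password of a given length on a single machine.

```python
"""Why a salted-SHA-1 leak endangers weak passwords but not long random ones (added example)."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a cracking dictionary (not a real list).
SMALL_WORDLIST = ["123456", "password", "qwerty", "letmein", "password1", "shopback2020"]


def sha1_salted(password: str, salt: bytes) -> str:
    """Fast hash of the kind the 2020 leak reportedly exposed: one SHA-1 call per guess."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Deliberately slow hash: each guess costs `iterations` HMAC-SHA-256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def audit_against_wordlist(stored_hash: str, salt: bytes, wordlist=SMALL_WORDLIST):
    """Defensive audit: return the dictionary word matching a stored hash, or None."""
    for word in wordlist:
        if hmac.compare_digest(sha1_salted(word, salt), stored_hash):
            return word
    return None


def seconds_per_guess(hash_fn, rounds: int) -> float:
    """Measure the average cost of one candidate hash on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"candidate{i}", salt)
    return (time.perf_counter() - start) / rounds


def years_to_exhaust(length: int, alphabet_size: int, secs_per_guess: float) -> float:
    """Worst-case time to try every password of `length` symbols at the given rate
    (single machine, no GPU; dedicated hardware is orders of magnitude faster)."""
    return alphabet_size ** length * secs_per_guess / (365 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)
    print("weak password recovered:", audit_against_wordlist(sha1_salted("password1", salt), salt))
    print("random password recovered:", audit_against_wordlist(sha1_salted("kX9#mQ2vL8pR", salt), salt))
    fast = seconds_per_guess(sha1_salted, 20_000)
    slow = seconds_per_guess(pbkdf2_sha256, 3)
    print(f"SHA-1 {fast:.2e} s/guess, PBKDF2 {slow:.2e} s/guess, ratio {slow / fast:.0f}x")
    print(f"12 random chars over 62 symbols at SHA-1 speed: {years_to_exhaust(12, 62, fast):.2e} years")
```

The salt only stops one precomputed table from covering every user; it does nothing about guess speed, which is why a slow, memory-hard hash (PBKDF2 at a high iteration count, bcrypt, scrypt or Argon2) is the storage choice that protects the weak passwords too.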

    • +1

      ShopBack only started services here in NZ about 2 years ago right? So that breach shouldn't have compromised NZ users.

      • Yes they only started the NZ site then but you could still use the Aus ShopBack site for some NZ retailers. There's a big thread on Oz Bargain about the whole ShopBack security breach. It was pretty shocking and I seem to recall their response at the time was pretty crap.

        Given their history it would be good if ShopBack provided a few more details that are of a general nature. If the account was compromised then they should still know exactly what time the vouchers were purchased, how they were purchased (debit/credit card/ShopBack credit or whatever) and ideally what IP address the user was coming from for the purchase or when they logged in.

        • +1

          Yep - loads of us were members on the Aussie site long before they had an NZ version.

  • +2

    this makes no sense from a cybersecurity point of view. it’s more likely OP’s card or device was compromised and someone bought vouchers on their shopback account. are there kids in the house?
