Australian telco Optus has been hit by a cyberattack that could have exposed the personal details of up to nine million customers.

Information that may have been exposed includes customers' names, dates of birth, phone numbers and email addresses, Optus says.

For some customers, addresses and ID document numbers such as driver's licence or passport numbers have been exposed.

Brett Callow, a threat analyst with NZ-based security firm Emisoft, told the Herald he had sighted a dark web post that offers for sale the alleged names, email addresses and phone numbers of 1.1m Optus customers for sale.

The breach involved current and former customers, Optus chief Kelly Bayer Rosmarin told Australian broadcaster ABC.

The Sydney Morning Herald quotes "well-placed sources" who say up to nine million customers have been affected, but Optus has yet to put a figure on it.

Rosmarin said the telco was working with "high-risk" customers and law enforcement agencies.

"Optus is simply the latest in a long list of corporate behemoths which have experienced a serious data breach," Emisoft's Callow said.

The data stolen in incidents such as this can be used for phishing and to commit identity fraud, meaning one crime can result in many, Callow said.

"Many recent high-profile breaches have been the result of employees' identities being compromised, and that's something companies really need to up their defences against.

In the case of the recent Uber breach, the "Lapsus$" hacker group gained access to several of the rideshare company's systems after stealing a third-party contractor's credentials. (Uber says no customer data was lost. Lapsus$ is known for compromising systems for bragging rights or other non-commercial reasons.)

"Using phishing-resistant multi-factor authentication is probably the single biggest thing a company can do to bolster its defences," Callow said.

He had seen no indication of who was responsible.

Our advice for New Zealanders who may by concerned about the incident.

Cert NZ advice

Rob Pope, head of the Government's Computer Emergency Response Team (Cert NZ), told the Herald: "We understand, payment details and account passwords have not been compromised."

His agency's advice for New Zealander's concerned about the incident:

• Individuals and businesses should be aware that the information that may have been exposed could be used to access your account or create fake accounts under your name. Businesses should also note that this could lead to fake invoicing.
• We strongly urge everyone to turn on two-factor authentication and, if possible, use a code-generating authenticator app rather than a text message code.
• Be aware that scammers may use this incident to conduct further scams, including sending malicious links via text message.
• If you notice any suspicious activity on accounts linked to Optus, immediately let Optus and Cert NZ know via 0800 CERT NZ or our website.