The Australian Federal Police are watching the dark web and internet forums after reports that stolen Optus data could be sold online.
A post on the website BreachForums claims to have sold the data, which includes email addresses, dates of birth, first and last names, phone numbers, drivers' licenses, and passport numbers.
The dataset referred to hasn't been verified by Optus, the police, or intelligence agencies, but some numbers have been verified by journalists.
A police spokesman told the ABC that the stolen Optus customer data and credentials could be sold through a number of forums, including the dark web.
It is an offence to buy stolen credentials online with a penalty of up to 10 years' imprisonment.
Kelly Bayer Rosmarin, the company's chief executive, said on Friday that the company was aware of reports that Optus data was being sold online.
One of the challenges when you go public with this kind of information is that you can have a lot of people claiming that you are claiming a lot of things, Bayer Rosmarin said.
There is nothing that has been validated and for sale that we are aware of, but the teams are looking into every possibility. On Saturday, Optus was not willing to comment on the post citing advice from the police.
The AFP is coordinating with the AFP because this is now a criminal investigation, the spokesperson said.
Optus will not comment on the legitimacy of customer data claimed to be held by third parties, and urges all customers to exercise caution in their online transactions and dealings as a result of the investigation.
We apologise. Some cyber experts warn against the dangers of data being sold online, as it could be an attempt to capitalise on media attention.
Optus is still in touch with all customers implicated in the cyber-attack.
Optus has also advised customers to be very vigilant online and be careful of scams.
We have been advised that our announcement of the attack is likely to trigger a number of claims and scams from criminals.