Please stop calling it a 'hack'. Optus left an API endpoint with the data of millions of current and former customers exposed to the public internet with no authentication required.
Then to make matters worse, they used sequential IDs so that anyone that found that API endpoint could just incrementally step through to get every user. The basics that have been ignored here are just ming boggling.
It's not a 'hack', it's the biggest privacy breach in Australian history. If you call it a 'hack' then you're saying someone had to actually put some effort into circumventing some security - any security. There was no security.
There must have been DNS records for the URL for goodness sake.
Look at the logs of any web server. There are bots crawling for any number of URLs - it's an alarming eye opener. I can assure you, the person who downloaded all this data (not a 'hacker'), was not the first person to find this endpoint. It's just that this was the first person to make a fuss about it. If we're lucky, it was just the first human that was actually able to make sense of it.
Please request a new drivers license and passport ASAP. Stay safe.