A major wave of credential stuffing attacks has compromised thousands of accounts across several of Australia’s largest superannuation funds, prompting urgent responses from both the industry and authorities.
The attacks, which occurred over the recent weekend, targeted major funds, including AustralianSuper, Hostplus, REST, Australian Retirement Trust, and Insignia Financial. According to sources close to the investigation, over 20,000 member accounts were breached, with some individuals reportedly losing part of their retirement savings.
ASFA launched a hotline and toolkit in response to credential stuffing attacks that affected some member accounts.
The Association of Superannuation Funds of Australia (ASFA), the national body representing the industry, acknowledged that although many of the credential stuffing attempts were successfully blocked, a number of member accounts were still affected. ASFA also announced the launch of a new hotline and the release of a toolkit to assist with incident response and encourage greater coordination within the sector. These actions are part of its broader Financial Crime Protection Initiative.
AustralianSuper, which manages over $365 billion in assets for more than 3.5 million members, confirmed that at least 600 accounts had been accessed using stolen credentials. The fund detected an increase in suspicious activity across its member portal and mobile application, locked the affected accounts and notified the individuals concerned. Members have been urged to strengthen their online security by avoiding reused passwords and enabling multi-factor authentication where possible.
REST Super revealed that its online MemberAccess portal was targeted over the weekend of March 29 to 30. Although the portal was shut down in response, the attackers accessed limited personal information for around 8,000 members, including first name, email address and member ID number. REST has stated that there is no evidence of any funds being transferred from the affected accounts.
Insignia Financial also confirmed its Expand Wrap Platform was impacted, with around 100 customer accounts compromised through credential stuffing. While investigations are ongoing, there is no current indication of financial loss. Hostplus, another affected fund, said no member funds were lost and that it is continuing to assess the situation.
Meanwhile, HESTA and Mercer Super, which together manage savings for over 2 million Australians, confirmed the attack did not impact them.
Credential stuffing, in which attackers replay username and password pairs stolen from earlier breaches of other services, remains a serious threat to online security, especially when users reuse the same password across multiple services. Industry leaders are reminding all Australians to adopt strong, unique passphrases, enable multi-factor authentication and keep their devices updated to reduce the risk of such breaches.
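The "increase in suspicious activity" that AustralianSuper describes is typically spotted in authentication logs by looking for one source address trying many different member IDs in a short window, each only once or twice, which is how a stuffing tool behaves and how a real member retrying their own password does not. The following added example is not from the article or any of the funds named; the log format, the member IDs and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines from a hypothetical member-portal auth log (not real data).
# 203.0.113.7 sprays seven different member IDs in six seconds and lands two;
# 198.51.100.9 is one member retrying their own account and finally succeeding.
SAMPLE_LOG = """\
2025-03-29T02:00:01Z ip=203.0.113.7 member=10001 result=FAIL
2025-03-29T02:00:02Z ip=203.0.113.7 member=10002 result=FAIL
2025-03-29T02:00:02Z ip=203.0.113.7 member=10003 result=FAIL
2025-03-29T02:00:03Z ip=203.0.113.7 member=10004 result=OK
2025-03-29T02:00:04Z ip=203.0.113.7 member=10005 result=FAIL
2025-03-29T02:00:05Z ip=203.0.113.7 member=10006 result=FAIL
2025-03-29T02:00:06Z ip=203.0.113.7 member=10007 result=OK
2025-03-29T02:01:00Z ip=198.51.100.9 member=20001 result=FAIL
2025-03-29T02:01:30Z ip=198.51.100.9 member=20001 result=FAIL
2025-03-29T02:02:00Z ip=198.51.100.9 member=20001 result=OK
"""

def parse_line(line):
    """Split one 'timestamp key=value ...' line into (ts, ip, member, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), kv["ip"], kv["member"], kv["result"]

def detect_stuffing(log_text, window_seconds=60, min_distinct=5, max_per_member=2):
    """Return {ip: (distinct_members_tried, [members_logged_in])} for sources that
    attempted at least min_distinct different member IDs inside one window while
    touching each ID at most max_per_member times (the credential-stuffing shape).
    The successes list is what the incident response team needs to lock and notify."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, member, result = parse_line(line)
            by_ip[ip].append((ts, member, result))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events)):
            start = events[i][0]
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_seconds]
            per_member = defaultdict(int)
            for _, member, _ in window:
                per_member[member] += 1
            if len(per_member) >= min_distinct and max(per_member.values()) <= max_per_member:
                successes = sorted({m for _, m, r in window if r == "OK"})
                alerts[ip] = (len(per_member), successes)
                break  # one alert per source is enough; move to the next IP
    return alerts
```

On the sample log the detector reports only 203.0.113.7, with member IDs 10004 and 10007 as the accounts that need locking and member notification.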
