
Over the weekend, a massive wave of credential stuffing attacks hit multiple large Australian super funds, compromising thousands of members’ accounts.
The Association of Superannuation Funds of Australia (ASFA), Australia's advocacy body for the superannuation industry, said today that "a number of members were affected" even though the "majority of the attempts were repelled."
Reuters has learned from a source familiar with the matter that over 20,000 accounts were breached in this massive wave of attacks targeting Australia's superannuation industry, with some members reportedly losing some of their savings.
Since the weekend attacks, several of the country's largest superannuation funds, each with millions of members and tens or hundreds of billions of dollars under management, have confirmed that some of their members' accounts were breached. They include AustralianSuper, Hostplus, Rest, Australian Retirement Trust and Insignia Financial.
AustralianSuper, which manages the retirement savings of over 3.5 million members from over 472,000 businesses, totaling over $365 billion, confirmed that the attackers may have used stolen credentials to log into up to 600 member accounts.
"Over the past week, we have seen a spike in suspicious activity across our member portal and mobile app and we are urging members to take steps to protect themselves online," said AustralianSuper Chief Member Officer Rose Kerlin.
"This week we identified that cyber criminals may have used up to 600 members' stolen passwords to log into their accounts in attempts to commit fraud. While we took immediate action to lock these accounts and let those members know, there are things members can do right now to protect themselves online."
Rest revealed that its online MemberAccess portal was also targeted over the weekend of 29-30 March. Although it shut down the portal in reaction to the attacks, approximately 8,000 members had some limited personal information (including first name, email address, and member identification number) accessed. However, Rest says there is no evidence that the attackers transferred funds from compromised members' accounts.
Hostplus also noted that its members have lost no funds due to these attacks and that the extent of the impact on their accounts is being investigated.
While ASFA and the other affected super funds didn't share additional details on the account breaches, Insignia Financial says its Expand Platform was hit by credential stuffing attacks, in which threat actors use automated tools to replay username and password pairs stolen in breaches of other services against accounts whose owners reused the same credentials. The attackers compromised around 100 Expand Wrap Platform customers' accounts, but Insignia's ongoing investigation has not found evidence of financial impact.
"As is good practice, we encourage customers not to reuse the same credentials across multiple platforms and services, set strong and unique passphrases, and install software updates regularly to keep their devices secure," said Liz McCarthy, CEO of Insignia Financial's MLC Expand retirement platform. "We are communicating with impacted customers and their advisers and will continue to keep them updated."
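Credential stuffing has a recognisable shape in a portal's authentication logs: one source address tries many different member IDs, each only once or twice, most attempts fail, and the handful that succeed are the accounts to lock and notify. The following Python is an added illustration, not part of the original report and not any fund's own detection logic. The log format (`<ISO timestamp> ip=<addr> user=<id> result=<success|failure>`), the thresholds, and the sample lines are all assumptions constructed for the example; the sample lines are not real traffic from any fund.

```python
"""Spot credential stuffing, and tell it apart from brute force, in portal auth logs.

Credential stuffing: one source, MANY usernames, one or two attempts each,
mostly failures (the leaked password was only reused by some members).
Brute force:         one source, FEW usernames, many attempts each.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format, fabricated addresses and member IDs).
SAMPLE_LOG = """\
2025-03-29T02:00:01Z ip=203.0.113.7 user=m1001 result=failure
2025-03-29T02:00:02Z ip=203.0.113.7 user=m1002 result=failure
2025-03-29T02:00:03Z ip=203.0.113.7 user=m1003 result=failure
2025-03-29T02:00:04Z ip=203.0.113.7 user=m1004 result=success
2025-03-29T02:00:05Z ip=203.0.113.7 user=m1005 result=failure
2025-03-29T02:00:06Z ip=203.0.113.7 user=m1006 result=failure
2025-03-29T02:00:07Z ip=203.0.113.7 user=m1007 result=success
2025-03-29T02:00:08Z ip=203.0.113.7 user=m1008 result=failure
2025-03-29T02:01:00Z ip=198.51.100.9 user=m2001 result=failure
2025-03-29T02:01:01Z ip=198.51.100.9 user=m2001 result=failure
2025-03-29T02:01:02Z ip=198.51.100.9 user=m2001 result=failure
2025-03-29T02:01:03Z ip=198.51.100.9 user=m2001 result=failure
2025-03-29T02:01:04Z ip=198.51.100.9 user=m2001 result=failure
2025-03-29T02:01:05Z ip=198.51.100.9 user=m2001 result=failure
2025-03-29T02:05:00Z ip=192.0.2.10 user=m3001 result=failure
2025-03-29T02:05:20Z ip=192.0.2.10 user=m3001 result=success
"""


@dataclass
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one line of the assumed '<ts> ip=... user=... result=...' format."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(
        ts=datetime.fromisoformat(ts_text.replace("Z", "+00:00")),
        ip=kv["ip"],
        user=kv["user"],
        success=kv["result"] == "success",
    )


def classify_sources(events, window=timedelta(minutes=10), min_users=5,
                     min_failure_ratio=0.6, max_attempts_per_user=2):
    """Return {ip: 'credential_stuffing' | 'brute_force' | 'normal'}.

    For each source the densest sliding window of `window` length is scored.
    Thresholds are assumed defaults; tune them to the portal's real traffic.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        best, j = [], 0
        for i in range(len(evs)):          # two-pointer sliding window
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            if j - i > len(best):
                best = evs[i:j]
        attempts = len(best)
        users = {e.user for e in best}
        failure_ratio = sum(not e.success for e in best) / attempts
        per_user = attempts / len(users)
        if (len(users) >= min_users and failure_ratio >= min_failure_ratio
                and per_user <= max_attempts_per_user):
            verdicts[ip] = "credential_stuffing"
        elif (attempts >= min_users and failure_ratio >= min_failure_ratio
                and per_user > max_attempts_per_user):
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts


def takeover_candidates(events, verdicts):
    """Members who logged in SUCCESSFULLY from a source flagged as stuffing.

    These are the accounts to lock and contact, as the funds in the report did.
    """
    return sorted({e.user for e in events
                   if e.success and verdicts.get(e.ip) == "credential_stuffing"})


def analyze(log_text: str):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    verdicts = classify_sources(events)
    return verdicts, takeover_candidates(events, verdicts)


if __name__ == "__main__":
    verdicts, hits = analyze(SAMPLE_LOG)
    for ip, v in verdicts.items():
        print(f"{ip:15} {v}")
    print("lock and notify:", hits)
```

The per-user attempt count is what separates the two attack shapes: a stuffing source sits at one or two attempts per username, so a lockout policy keyed only on failures per account never fires. Rate-limit and fingerprint by source instead, and treat any success from a flagged source as a likely takeover rather than a legitimate login.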
HESTA and Mercer Super, two other Australian super funds that together manage savings for more than 2 million members, said they weren't affected.
On Friday, ASFA announced the establishment of a hotline connecting superannuation industry organizations, government agencies, and financial services bodies and the release of a "Toolkit" to ensure strong sector coordination as part of its Financial Crime Protection Initiative (FCPI).
Comments
OwenHile - 8 months ago
Hundreds of billions of dollars under management. It is 2025 and they have no Mandatory MFA for user accounts, and if you try and set it up, email and SMS are the only options! At least for Australian Retirement Trust, but likely for others as well.