In April 2025, several major Australian superannuation funds were hit by a coordinated cyberattack, leading to unauthorized access of member accounts and significant financial losses, which left many account holders concerned.
What’s surprising is that the attackers didn’t break through firewalls or crack complex encryption. Instead, they used a sneaky but increasingly common tactic called credential stuffing: they took usernames and passwords previously stolen from Aussies and used them to log in to the accounts.
So, what exactly is credential stuffing? Why should you be concerned about it?
What is Credential Stuffing?
Credential stuffing is when cybercriminals take stolen usernames and passwords from one website and try them on other websites. This tactic relies on the common habit of people reusing the same login details across different platforms.
Here’s how it works:
- Hackers obtain a list of usernames and passwords, usually from a previous data breach.
- They use automated software, called bots, to try logging into other sites like banks, email accounts, shopping websites, or superannuation portals.
- If someone reused the same password on multiple sites, the attackers gain access.
In this case, the attackers most probably used a massive list of credentials leaked in other global data breaches and tested them against member accounts on the superannuation platforms.
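As an added illustration that is not part of the original article, here is a small detector a portal operator could run over its own login logs to spot the pattern just described: one source trying many distinct usernames with mostly failed logins. The log format, IP addresses and thresholds are constructed assumptions, not the format of any real fund.

```python
# Added example: flag credential-stuffing sources in constructed login logs.
# Log format, addresses and thresholds are assumptions for illustration only.
from collections import defaultdict
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample log: one source cycles through many usernames with mostly
# failures (the stuffing signature); another is a normal user who mistypes once.
SAMPLE_LOG = """\
2025-04-01T09:00:01 ip=203.0.113.7 user=alice result=fail
2025-04-01T09:00:02 ip=203.0.113.7 user=bob result=fail
2025-04-01T09:00:02 ip=203.0.113.7 user=carol result=ok
2025-04-01T09:00:03 ip=203.0.113.7 user=dave result=fail
2025-04-01T09:00:03 ip=203.0.113.7 user=erin result=fail
2025-04-01T09:00:04 ip=203.0.113.7 user=frank result=fail
2025-04-01T09:05:10 ip=198.51.100.20 user=grace result=fail
2025-04-01T09:05:25 ip=198.51.100.20 user=grace result=ok
"""

def parse_log(text):
    """Parse log lines into (ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ip"], m["user"], m["result"]))
    return events

def find_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct usernames with a low success ratio.
    Returns {ip: {"users": distinct usernames, "attempts": n, "successes": s,
    "hits": [usernames that logged in and should be reviewed]}}."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0, "hits": []})
    for ip, user, result in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        if result == "ok":
            rec["successes"] += 1
            rec["hits"].append(user)  # reused password likely worked: review this account
    flagged = {}
    for ip, rec in per_ip.items():
        ratio = rec["successes"] / rec["attempts"]
        if len(rec["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"users": len(rec["users"]), "attempts": rec["attempts"],
                           "successes": rec["successes"], "hits": rec["hits"]}
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['users']} usernames, {info['attempts']} attempts, "
              f"{info['successes']} successes; review {info['hits']}")
```

The successful logins from a flagged source are the accounts whose reused passwords worked, which is exactly why unique passwords and MFA matter for the account holder.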
42% of Australians Reuse Passwords Across Online Accounts. That’s a problem
We all know people love reusing old passwords because they’re easy to remember and save you from always clicking that ‘Forgot password’ button. Right?
Aussies sure love them. In Proofpoint’s 2020 report, 42% of Australian working adults said they use the same password across multiple accounts, and 25% of Australian respondents rotate between five and 10 passwords.
If one of these passwords ends up in a data breach and you still reuse it, guess who can get hacked with credential stuffing? YOU!
How to Protect Yourself from Credential Stuffing
If you know that your data has been involved in a data breach in the past, you are a prime target for further attacks using credential stuffing. Here are some things you need to do immediately to prevent future harm:
- Avoid reusing passwords. Credential stuffing attacks exploit reused passwords. If one of your passwords is leaked in a data breach, attackers can use automated tools to try that password across multiple sites. Using unique passwords for each account can prevent a single breach from compromising multiple accounts.
- Use a password manager. Password managers help you create and store strong, unique passwords for each of your accounts. This makes it easier to avoid reusing passwords, which is crucial in defending against credential stuffing attacks. With a password manager, you only need to remember one master password, while the tool handles the rest.
- Enable multi-factor authentication (MFA). Multi-factor authentication adds an extra layer of security by requiring additional verification methods beyond just your password. Even if an attacker obtains your password through credential stuffing, they would still need the second factor (like a code sent to your phone) to access your account, significantly reducing the risk of unauthorized access. In the case of the attack on the super funds, news stories say MFA wasn’t available to members as a login option.
- Check if your credentials have been leaked. Websites like Have I Been Pwned allow you to check if your email or password has appeared in known data breaches. Check them regularly, and if your credentials show up, it’s time to think of a new combination you’ll most likely forget at some point again.
What’s the latest news on the attack?
The Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) are engaging with all potentially impacted superannuation funds to support safe outcomes for members.
If you are concerned about potential impacts from the attack, the Australian Government’s trusted source of cyber security advice – cyber.gov.au – has information on simple steps you can take to protect yourself online.