What happened
In early 2025 several Australian superannuation funds β including AustralianSuper and Rest β were hit by a coordinated credential-stuffing campaign, in which attackers used stolen passwords to access member accounts; a reported ~A$500,000 was withdrawn from a number of accounts before the funds locked access [sbs-super] [cyberdaily-super]. The number of members affected was not officially quantified and is not estimated here.
Timeline
- 2025-03/04 β Coordinated attack on multiple super funds disclosed; some funds withdrawn [sbs-super].
Current status
Disclosed; funds tightened access controls and regulators engaged. Figures are as reported. [cyberdaily-super]
Why it matters
A reminder that reused passwords β not a fundβs own systems β can expose retirement savings, and that one campaign can hit an entire sector at once.