Last Friday, Australians learned of a coordinated cyberattack aimed at several major superannuation funds: AustralianSuper, Rest, Hostplus, Insignia Financial, and Australian Retirement Trust.
These were not isolated or opportunistic incidents. They were methodical credential stuffing campaigns aimed at high-value pension drawdown accounts, exploiting reused passwords across services. For Secure ISS and our customers, this is more than a reminder to stay vigilant. It is a call to strengthen your cybersecurity approach with practical, layered protection.
What Happened: Coordinated Credential-Based Attacks
At the core of the attack was credential stuffing, a technique where cybercriminals use stolen login credentials from past breaches to access unrelated systems. It is a tactic that relies less on technical sophistication and more on the common habit of reusing passwords.
In this case, attackers:
- Targeted pension-phase accounts, which allow easier lump sum withdrawals
- Likely used stolen credentials from past data breaches and stealer malware logs
- Exploited ongoing financial stress and confusion, particularly among older Australians, to make phishing attempts more believable
Multi-Factor Authentication (MFA) is a crucial control, but not a complete solution. If users approve fraudulent prompts, or attackers exploit other weaknesses such as social engineering or SIM swapping, MFA can be bypassed. A mature cybersecurity posture addresses both the technical and human elements of risk.
Secure ISS Perspective: More Than a Checklist
At Secure ISS, we help businesses and institutions move beyond a compliance mindset. Frameworks like the ACSC’s Essential Eight are foundational, but protection does not end there.
Resilient organisations:
- Detect threats early, including exposed credentials, before they can be exploited
- Combine technical controls with staff awareness
- Communicate clearly and confidently during incidents
Today we are focusing on detection and protection of your team’s access to the critical services that keep your organisation running.
Dark Web Monitoring: Knowing What Has Been Exposed
Credential stuffing works because many people reuse passwords across services. Attackers often obtain these passwords through stealer malware, which captures credentials saved in browsers or devices.
Secure ISS offers dark web monitoring that includes access to these stealer malware logs. This allows our customers to:
- Identify passwords that have already been exposed
- Prompt users to change these credentials before they are used in an attack
- Understand their true level of risk across other platforms and services
Tools like Atlantis AIO are now used to automate credential attacks across more than 140 platforms. Super funds may have been targeted first, but they will not be the last.
Balancing Protection With Practicality
For the Public:
- Check Your Account and Monitor Activity – Log in to your account if the service is available, and review recent transactions. Be aware that some providers may have taken systems offline temporarily.
- Be Cautious With Emails and Messages – Do not click on links in emails or text messages, even if they appear to come from your super fund. Go directly to the official website or call a number you know is legitimate.
- Do Not Reuse Passwords – If you have used the same password for your super account and any other services, change them now. Use a password manager to help generate and store strong, unique credentials. Knowing which passwords are “burnt” gives you the chance to:
  - Change them immediately
  - Avoid reusing that same password across services
  - Strengthen your security posture before the next wave of automated attacks
- Stay Alert for Scams – Attackers often exploit uncertainty. Be wary of urgent messages or calls offering to help. If something does not feel right, contact your fund directly.
For Your Business:
- Mandatory MFA applied uniformly, but backed by clear education and phishing simulations.
- Credential exposure monitoring using dark web tools to detect breached credentials before attackers do.
- Account segmentation particularly for high-risk pension-phase accounts.
- Behavioural anomaly detection because not all threats come with warning signs.
- Communication strategies that are timely, calm, and clear, avoiding the trap of oversharing technical details that attackers could use.
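The behavioural anomaly detection mentioned above can be illustrated with a simple heuristic over authentication logs: a legitimate user who mistypes a password hits one account from one source, while a credential stuffing run walks a breached username:password list and hits many accounts from the same source, mostly failing. The following is an added example written for this post, not Secure ISS tooling or any vendor's API; the log format and the sample lines are constructed, and the thresholds are assumptions to be tuned per environment. Accounts that authenticated successfully from a flagged source are the ones to reset and review.

```python
"""Credential-stuffing detection over authentication logs (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in the assumed format "timestamp ip username result".
# These are not real events; 203.0.113.10 models a stuffing run walking a breached list.
SAMPLE_LOG = """\
2025-04-04T09:00:01Z 203.0.113.10 alice FAIL
2025-04-04T09:00:02Z 203.0.113.10 bob FAIL
2025-04-04T09:00:02Z 203.0.113.10 carol FAIL
2025-04-04T09:00:03Z 203.0.113.10 dave SUCCESS
2025-04-04T09:00:03Z 203.0.113.10 erin FAIL
2025-04-04T09:00:04Z 203.0.113.10 frank FAIL
2025-04-04T09:00:04Z 203.0.113.10 grace FAIL
2025-04-04T09:00:05Z 203.0.113.10 heidi FAIL
2025-04-04T09:05:00Z 198.51.100.7 alice FAIL
2025-04-04T09:05:30Z 198.51.100.7 alice SUCCESS
2025-04-04T09:10:00Z 192.0.2.44 bob SUCCESS
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    compromised: list = field(default_factory=list)  # accounts that logged in successfully

def aggregate(log_text):
    """Group attempts per source IP: volume, failures, distinct accounts, successes."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.compromised.append(user)
    return stats

def detect_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Flag sources that try many distinct accounts with mostly failures.
    Returns {ip: sorted list of accounts that succeeded and need reset/MFA review}.
    Thresholds are assumed starting points, not vendor recommendations."""
    alerts = {}
    for ip, s in aggregate(log_text).items():
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio:
            alerts[ip] = sorted(s.compromised)
    return alerts
```

A single-account retry like 198.51.100.7 is not flagged, while the wide, mostly failing sweep from 203.0.113.10 is, together with the one account it got into.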
Resilience Over Compliance
This event is another reminder that cybersecurity must be dynamic and people-centred. Frameworks like the Essential Eight provide a common language, but only layered controls and active monitoring can keep pace with the threat landscape, particularly as AI-powered cyber threats evolve throughout this year.
Credential stuffing may seem low-tech, but it is one of the most effective tools attackers have, and it is growing more sophisticated and automated every day.
At Secure ISS, we help our customers reduce risk before it becomes a breach. That means combining real-time threat intelligence, dark web monitoring and clear user education.
Concerned your organisation may face similar risks to those seen in the recent super fund attacks? Have a read here and get in touch. We are always open to a calm, confidential and considered conversation on how to strengthen your cybersecurity posture.
References:
https://www.abc.net.au/news/2025-04-04/superannuation-cyber-attack-rest-afsa/105137820
https://www.cyberdaily.au/security/11940-hackers-target-aussie-pensioners-in-major-super-fund-cyber-attack