Many popular Australian high-profile fashion, food, and entertainment companies are currently undergoing a cyberattack, with breached user accounts being used to purchase goods online. At least 15,000 users are believed to have been affected so far, with the number still growing as of at the time of this article. Companies said to be involved so far include The Iconic, Guzman y Gomez, Binge, Dan Murphy’s, and TVSN.
The cybercriminals are using a technique called “credential stuffing”. This involves taking previously stolen passwords from one website and trying them on other websites. Anyone who uses the same password on multiple websites, and who does not use Multi-factor Authentication (MFA), can then fall prey to the cybercriminals.
In the current attacks, the cybercriminals are looking for anyone who has used a site’s option to streamline purchases by remembering credit, debit, or gift card details, meaning they can then purchase goods using the breached account.
Lists of stolen passwords are easily purchased from the Dark Web.
How to protect yourself
Change your passwords for Australian retail sites
If you think one of your accounts might be caught up in this attack, change the password immediately. Not all retailers are involved, but a password change is never a bad thing.
Check if any of your passwords have been stolen
You can use the free website haveibeenpwned.com to see if any of your accounts have been caught up in any major breaches. Just enter your email address and it will check it against the lists of known stolen accounts using data collected from the Dark Web. However, it is not a definitive list, and you should always change any password you think might have been caught up in a breach, whether Have I Been Pwned lists it or not.
NEVER re-use passwords
If you do re-use passwords across multiple websites, get online right now, and make them all unique. And “unique” does not mean using the same password with a different number on the end!
We recommend using a password manager app. Most of these can create extremely strong passwords for you, store them securely, and then automatically insert the correct information whenever you need to login. Many will sync across multiple devices. This means you can have a password like “97ltUxs&0R^OH5ac9KRZ” for a website, and never have to remember it, or type it in. Just make sure your password manager’s master password is either extremely strong, e.g. use a long, hard to guess pass phrase, or use a biometric login such as a fingerprint reader.
Use MFA wherever is it available
MFA means that even if a cybercriminal obtains one of your passwords, they can’t use it to login. You can read more about MFA here.
Avoid offers to store credit/debit/gift card details on websites
Many websites offer this as a convenience option to streamline future purchases. If you really don’t want to type in card details each time (the safest option), use verified operating system features, password manager apps, banking apps, or similar, to securely store your card details, and make entering them easy.
Be ready to move to passkeys
Passkeys are an upcoming technology which securely replace using a password to login. Without passwords, attacks like credential stuffing cannot work. Look out for our upcoming article on passkeys, and what they will mean for you.