After many years of reporting on cybersecurity, there’s an often-repeated phrase that I want to focus on: cybersecurity is a team sport. The premise is that everyone has a role to play in effective cybersecurity. It’s not just about technical experts and complicated software and hardware solutions. It’s also about user behaviour. But I also think there’s a lack of accountability that needs to be addressed.
In April 2025, a number of people discovered that their superannuation balances (like a 401(k) retirement fund for those in the USA) had been cleared. For some of the victims of this crime, it amounted to hundreds of thousands of dollars.
Now, a couple of weeks later, we’re led to believe all is OK. The impacted people have all had their losses reimbursed and the funds have started explaining how the attacks took place.
The CEO of AustralianSuper, Paul Schroder, said the fund was “not hacked” but that the impacted users were the victims of credential stuffing.
“Criminals used stolen passwords and personal identity information from other sources to access accounts to commit fraud. Unlike other recent cyber incidents reported in the media over the last few years, cyber criminals did not access our systems.”
I’ll paraphrase that for you. Schroder effectively said it was not his firm’s fault this happened.
This was followed by statements by the chief executive of the Association of Superannuation Funds of Australia (ASFA), Mary Delahunty.
“While I can’t say a lot at the moment, I can say that the cyber criminals undertook a coordinated, well-funded and sophisticated attack on our system.”
This was not sophisticated and I doubt the thieves were particularly well funded. Online troves of stolen usernames, email addresses and passwords can be purchased on the dark web for a few cents each. The thieves simply replayed those leaked username and password pairs against the funds’ login pages until some of them worked, then withdrew money from whichever accounts they could get into. They were likely coordinated, given they attacked several funds at the same time.
The risk of attacks like this can be drastically reduced in several ways. And the mitigation strategies fall into two distinct categories: things companies that hold sensitive information and funds should do, and things that consumers should do.
What should businesses do?
If you run a business that holds sensitive information or provides access to funds, you must make multi-factor authentication mandatory and, ideally, support passkeys as well.
Multi-factor authentication (MFA) requires at least two different things to be presented when logging into a system: typically a password (something you know) plus a code from an authenticator app or a physical security key (something you have). This makes breaking into an account much harder for an attacker, because a password bought from a breach dump is useless on its own. Not all second factors are equal, though. Codes sent by SMS are the weakest: they can be intercepted through SIM swapping, or simply relayed by a phishing site in real time. App-generated codes are better, and passkeys or hardware security keys better still.
The Australian Signals Directorate, the government agency that is tasked with protecting the nation’s information assets, tells us to do this in its Essential Eight.
The attack on these superannuation funds would have largely failed if every customer had MFA enforced: a stolen password alone would not have opened an account.
I mentioned passkeys because this newer form of authentication is becoming more prevalent. A passkey is a cryptographic credential that is often easier to use than traditional MFA: instead of typing a code, you unlock the passkey on your device with a PIN or a biometric such as a fingerprint or face scan. The beauty of passkeys is that there is no password at all. Your device holds a private key that never leaves it, the service stores only the matching public key, and signing in means your device signs a fresh challenge from the service. A breach of the service’s database therefore yields nothing that can be replayed, and because the passkey is tied to the genuine website, it cannot be tricked into working on a look-alike phishing site.
Businesses must take customer security seriously and secure accounts against credential stuffing in depth: enforce MFA, rate-limit and monitor failed logins (a flood of attempts across many different accounts from the same source is the signature of this attack), check new passwords against lists of known-breached passwords, and require step-up verification before any withdrawal or change of bank details.
What should individuals do?
The first piece of advice I’d give is to use a password manager and use a unique password for every online account you have. Apple’s Passwords app can create unique passwords for accounts, store them and fill them in automatically for you.
Unique passwords for every service mean that a password leaked from one site cannot be replayed against your other accounts, which is exactly what credential stuffing relies on.
If an online service offers you the opportunity to use a passkey – use it.
Finally, hold your online services accountable. If you’re establishing a new online account, check if it can be secured with either MFA or a passkey. If not, seriously consider whether the information you’ll provide to that service is worth putting at risk.
Every single person holding data and accessing online services has an obligation to make life hard for cybercriminals. That means organisations holding data (money is basically data these days, with over 90% of the world’s currency no longer made of physical notes and coins) and people, like you and me, using online services have to take better precautions to protect accounts.
MFA and passkeys make life much harder for cybercriminals and should be enforced by organisations and used by consumers wherever possible. Both groups have a responsibility to secure user accounts and protect the data they hold.
Anthony is the founder of Australian Apple News. He is a long-time Apple user and former editor of Australian Macworld. He has contributed to many technology magazines and newspapers as well as appearing regularly on radio and occasionally on TV.