It’s a well-worn axiom in cybersecurity circles that criminals don’t hack – they log in. They do this by stealing usernames and passwords or other information that enables them to impersonate victims.
On 19 August 2025, major Retail Service Provider iiNet reported that it has been the victim of a cyberattack. Criminals infiltrated the company’s ordering system. And it’s reported that the criminals used phishing (a fake email that looks legitimate) to steal log in credentials. The same method was used in an attack on TPG Telecom – iiNet’s parent company according to software development company Airteam per a report at Cyber Daily.
The good news is that identity documents such as drivers license and passport are not retained by iiNet so that data is safe. Nor are credit card details or other payment information.
About 280,000 customers are impacted with iiNet saying:
…a list of email addresses and phone numbers was extracted from the iiNet system. The list contained around 280,000 active iiNet email addresses and around 20,000 active iiNet landline phone numbers, plus inactive email addresses and numbers. In addition, around 10,000 iiNet usernames, street addresses and phone numbers and around 1,700 modem set-up passwords, appear to have been accessed.
Five things you can do to minimise the risk of your online accounts being hacked
Given most attackers don’t hack their way into systems but simply log in, protecting your user accounts is critical. Most, but not all, cyber criminals are opportunistic. By making life harder for them, they are more likely to move on and try another target.
The attack on iiNet might not result in iiNet user accounts being hacked. But the information could be used to hack other systems and services. Some basic user account hygiene can minimise the risk of that happening.
1 – Unique, strong passwords: Every user account you have should have a unique password. Better yet, a unique username is a good idea as well. By using a combination of Hide my Email and Apple’s Passwords app (older version of macOS/OS X use Keychain Access) you can create a unique email address and password for every user account. And because it’s all managed within Passwords or Keychain Access you don’t need to remember anything. It’s all stored securely for you and synchronised between devices via your Apple Account.
2 – Use Two-factor or multi-factor authentication: Use Two Factor authentication (2FA) and Multi-Factor Authentication (MFA) to add an extra layer of protection to a username and password. Typically, this is a one time code that is either generated by an app like Microsoft Authenticator or Google Authenticator (business users might use tools such Duo, Okta or something similar), or sent to you via text message or email. So, even if a hacker manages to guess your username and password, they would need that extra code, or factor, to log in.
3 – Use Passkeys: Passkeys are an alternative to passwords. Instead of a password, a cryptographic key is sent from the person logging in to the system they are accessing instead of a username and password when signing into website. When you use Sign in with Apple and are asked for TouchID or FaceID, you’re actually using a passkey. For a criminal to access your account, they would need one of your devices and your biometric to log in.
4 – Don’t accept defaults: If you’re setting up a new router, security camera or any other connected device, do not keep the default passwords. While they may seem unique, there have been instances where the method used to generate the seemingly random default password on devices has been reverse engineered, giving criminals unauthorised access to everything from home security cameras to entire networks. And if a service provider creates a password for you – change it.
5 – Find and fix weak accounts: One of most useful tools in Apple’s Passwords app is that it highlights account that either have weak passwords or that have been implicated in past data breaches. In the Passwords app, tap on Security and you’ll see a list of accounts with weak or compromised passwords.
Anthony is the founder of Australian Apple News. He is a long-time Apple user and former editor of Australian Macworld. He has contributed to many technology magazines and newspapers as well as appearing regularly on radio and occasionally on TV.