Over the weekend, several major Australian superannuation funds came under a significant wave of credential stuffing attacks, compromising thousands of member accounts and triggering immediate cybersecurity responses across the sector.
The Association of Superannuation Funds of Australia (ASFA), which represents the superannuation industry nationwide, confirmed that “a number of members were affected,” though most of the malicious login attempts were reportedly blocked.
According to sources with direct knowledge of the incident, more than 20,000 accounts were accessed by attackers in what appears to be one of the largest coordinated cyberattacks targeting Australian retirement savings to date. In some cases, affected members are believed to have lost a portion of their superannuation savings.
Among the funds impacted are some of the country’s largest profit-to-member superannuation institutions, including AustralianSuper, Hostplus, REST, Australian Retirement Trust, and Insignia Financial. Each manages billions in assets and serves millions of Australians.
AustralianSuper Confirms Account Breaches
AustralianSuper, which manages more than $365 billion in assets for over 3.5 million members, reported that cybercriminals used stolen credentials to access at least 600 member accounts.
“We’ve seen a spike in suspicious activity on both our member portal and mobile app in the past week,” said Rose Kerlin, Chief Member Officer at AustralianSuper. “This week, we identified that criminals used stolen passwords to try to log into around 600 accounts. We acted immediately to lock these accounts and notified the members affected.”
The fund is encouraging all members to update their online credentials, avoid reusing passwords, and remain alert to suspicious activity.
REST Temporarily Shuts Down Member Portal
REST, another major fund, revealed that its MemberAccess portal was also targeted during the weekend attacks (March 29–30). In response, the platform was shut down temporarily to contain the breach. Initial investigations show that approximately 8,000 members had some personal data exposed—including first names, email addresses, and member ID numbers.
Despite this exposure, REST assured members that there’s no current evidence suggesting any funds were withdrawn or redirected by the attackers.
Hostplus, Insignia Financial Also Impacted
Hostplus acknowledged it was part of the broader attack campaign, though confirmed that no member funds were lost. The fund is continuing to investigate the scope of the breach and has enhanced its monitoring.
Insignia Financial reported that its Expand Platform experienced similar credential stuffing activity, affecting about 100 customers. The company confirmed that there is no sign of financial loss so far, and efforts are underway to assess the full extent of the incident.
“We urge customers to avoid reusing passwords across platforms, to adopt strong, unique passphrases, and to keep their software up to date,” said Liz McCarthy, CEO of MLC Expand under Insignia. “We are actively engaging with all impacted customers and advisers to provide support and updates.”
Not All Funds Were Affected
Two other major super funds, HESTA and Mercer Super, which together manage the retirement savings of over 2 million Australians, confirmed that they were not affected by the recent credential stuffing wave.
Industry-Wide Response Underway
In response to the growing threat, ASFA has launched a hotline designed to enhance coordination between super funds, government agencies, and financial service providers. This is part of its broader Financial Crime Protection Initiative (FCPI), which also includes a new “Toolkit” to help the industry better detect and respond to cyber threats.
The attack highlights the ongoing risk posed by credential stuffing—a tactic where hackers use previously stolen usernames and passwords to gain unauthorized access to user accounts via automated tools. It underscores the urgent need for both providers and members to prioritize digital hygiene and cyber resilience in safeguarding long-term financial security.
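The detection side of what the funds describe above (a spike of logins spread across many accounts from one source, followed by locking the accounts that were actually accessed), as an added example that is not code from the article or from any of the funds named: a small Python detector run over constructed portal authentication log lines. The log format, the IP addresses and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of member-portal authentication events ("timestamp ip username result").
# Hypothetical format and values; these are not logs from any fund named in the article.
SAMPLE_LOG = """\
2025-03-29T02:00:01Z 203.0.113.5 member1001 FAIL
2025-03-29T02:00:02Z 203.0.113.5 member1002 FAIL
2025-03-29T02:00:02Z 203.0.113.5 member1003 SUCCESS
2025-03-29T02:00:03Z 203.0.113.5 member1004 FAIL
2025-03-29T02:00:04Z 203.0.113.5 member1005 FAIL
2025-03-29T02:00:05Z 203.0.113.5 member1006 SUCCESS
2025-03-29T02:01:00Z 198.51.100.7 member2001 FAIL
2025-03-29T02:01:30Z 198.51.100.7 member2001 SUCCESS
2025-03-29T02:02:00Z 198.51.100.9 member3001 SUCCESS
"""

def parse_events(text):
    """Yield (ip, username, result) tuples; malformed lines are skipped rather than crashing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        yield ip, user, result.upper()

def detect_credential_stuffing(text, min_users=5, min_fail_ratio=0.5):
    """Flag sources that try many *distinct* accounts with a mostly-failing result pattern.
    One account retried from one IP (a forgotten password) stays unflagged.
    Returns {ip: sorted accounts that logged in successfully from that source}, i.e. the
    accounts to lock and whose owners to notify (assumed thresholds, tune to real traffic)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "hits": set()})
    for ip, user, result in parse_events(text):
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "SUCCESS":
            s["hits"].add(user)
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["users"]) >= min_users and s["failures"] / s["attempts"] >= min_fail_ratio:
            flagged[ip] = sorted(s["hits"])
    return flagged
```

On the sample, only 203.0.113.5 is flagged (six distinct accounts, four failures), and the two accounts it reached successfully are the ones to lock; the single-account retry from 198.51.100.7 is left alone.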