Australian Pension Funds Hacked

Multiple major Australian superannuation funds have fallen victim to a sophisticated cyberattack that has compromised thousands of member accounts and resulted in confirmed financial losses. 

Cybersecurity experts have identified the attack as a coordinated OAuth token manipulation campaign coupled with advanced credential-stuffing techniques targeting API vulnerabilities in the funds’ member portals.

According to Sky News, cybercriminals have successfully breached the security defenses of at least five major superannuation funds, including AustralianSuper, REST, Hostplus, Australian Retirement Trust, and Insignia Financial’s MLC Expand, in what appears to be the largest coordinated attack on Australia’s retirement savings system.


Security Breach Affecting Major Pension Providers

The attack, which began during the weekend of March 29-30, 2025, exploited CVE-2024-7821 vulnerabilities in the authentication frameworks used across the industry.

AustralianSuper, the nation’s largest superannuation fund, confirmed that hackers used more than 600 stolen passwords to access member accounts. 

“Over the past week, we have seen a spike in suspicious activity across our member portal and mobile app and we are urging members to take steps to protect themselves online,” stated Rose Kerlin, AustralianSuper’s chief member officer. 

The Australian Financial Review reports that some members have already experienced unauthorized withdrawals from their retirement savings.

REST superannuation has identified approximately 20,000 affected accounts, representing one percent of its membership base. 

CEO Vicki Doyle explained, “We responded immediately by shutting down the Member Access portal, undertaking investigations and launching our cyber security incident response protocols.” 

The attack vector appears to have utilized SQL injection techniques specifically targeting database vulnerabilities in the fund administration systems.

Cybersecurity investigators have determined that the attackers executed their campaign during early morning hours to prevent members from immediately noticing session hijacking alerts and password change notifications. 

The attackers deployed sophisticated MSSQL.Injector code that circumvented standard WAF (Web Application Firewall) protections.

Code captured from the attack reveals the hackers utilized the following exploitation sequence:

The National Cyber Security Coordinator has been activated to coordinate the response, with initial forensic analysis suggesting the attack originated from a distributed botnet utilizing compromised credentials from previous data breaches.

Member Protection Measures

Affected funds have implemented emergency countermeasures, including temporarily restricting platform functionality.

“Our Cyber Security team is actively working to apply additional monitoring and mitigations to protect customer accounts,” stated Liz McCarthy, CEO of Insignia Financial’s MLC Expand.

This is a regular issue.” However, he promised the government would “respond in time” with appropriate measures.

Super Consumers Australia CEO Xavier O’Halloran expressed alarm at the breach: “This is people’s financial future at risk. And the details and extent of this attack are still emerging.”

Members of affected funds are strongly advised to immediately enable two-factor authentication, reset passwords across all financial services, monitor account activity, and report any suspicious transactions. 

Industry experts recommend using password managers and unique credentials for each financial service to prevent future credential-stuffing attacks from succeeding.
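As an added, defender-side illustration (example code, not from the article or from any of the funds named), the following Python check scans constructed member-portal login events for the two patterns reported here: a large spread of distinct accounts with a low login success rate, typical of stuffing from a distributed botnet, and single IPs cycling through many accounts. Accounts that logged in successfully inside such a window are returned for forced password reset and step-up authentication; all thresholds, member IDs and addresses are assumed.

```python
"""Credential-stuffing detection over member-portal login events (constructed sample)."""
from collections import defaultdict

# Constructed sample events (timestamp, member_id, source_ip, result); not real fund data.
SAMPLE_LOG = """\
2025-03-30T02:01:05Z,m1001,203.0.113.10,fail
2025-03-30T02:01:06Z,m1002,203.0.113.11,fail
2025-03-30T02:01:07Z,m1003,203.0.113.12,success
2025-03-30T02:01:08Z,m1004,203.0.113.13,fail
2025-03-30T02:01:09Z,m1005,203.0.113.14,fail
2025-03-30T02:01:10Z,m1006,203.0.113.15,fail
2025-03-30T02:01:11Z,m1007,203.0.113.16,fail
2025-03-30T02:01:12Z,m1008,198.51.100.7,fail
2025-03-30T02:01:13Z,m1009,198.51.100.7,fail
2025-03-30T02:01:14Z,m1010,198.51.100.7,success
2025-03-30T02:01:15Z,m1011,198.51.100.7,fail
2025-03-30T02:01:16Z,m1012,198.51.100.7,fail
"""


def parse(log):
    """Split CSV lines into (timestamp, member_id, source_ip, result) tuples."""
    return [tuple(line.split(",")) for line in log.splitlines() if line.strip()]


def analyse(rows, max_accounts_per_ip=5, min_distinct_accounts=10, max_success_rate=0.3):
    """Return (campaign_flagged, noisy_ips, accounts_to_reset) for one time window.

    campaign_flagged: many distinct accounts tried with a low success rate, which is the
    shape of stuffing with leaked credentials from a distributed source (per-IP limits
    alone would miss it). noisy_ips: single addresses touching many accounts.
    accounts_to_reset: accounts that authenticated successfully during a flagged window;
    they are the likely credential matches and should get a forced reset and MFA step-up.
    """
    accounts_by_ip = defaultdict(set)
    successes = 0
    for _, member, ip, result in rows:
        accounts_by_ip[ip].add(member)
        successes += result == "success"
    noisy_ips = sorted(ip for ip, accts in accounts_by_ip.items()
                       if len(accts) >= max_accounts_per_ip)
    distinct = len({member for _, member, _, _ in rows})
    total = len(rows)
    campaign = bool(distinct >= min_distinct_accounts and total
                    and successes / total <= max_success_rate)
    to_reset = sorted({m for _, m, _, r in rows if r == "success"}) if campaign else []
    return campaign, noisy_ips, to_reset


if __name__ == "__main__":
    print(analyse(parse(SAMPLE_LOG)))
```

On the constructed sample this flags the window as a campaign, lists 198.51.100.7 as a noisy source, and queues m1003 and m1010 for reset.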


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.