Super theft: check your super, check your password is unique
Cybercrims are targeting Australian super accounts and more than $500,000 has been lost in a recent sting - here's what you need to do to secure your super
You’d think robbing someone’s superannuation would require a mastermind thievery, cat burglars, vault codes or maybe a Tom Cruise cameo. Nope.
Turns out all it takes is a list of old passwords from the dark web, a few bots, and - hey presto - at least half a million stolen so far.
Retirement savings: gone faster than dignity during karaoke night
Australian superannuation funds have been hit by a coordinated cyberattack. Real money has been nicked and personal data has been compromised, according to the Australian Financial Review.
And all because people in the superannuation industry - who collected $32 billion in fees during 2023 - said, “Eh, SMS verification should be fine.”
The funds are being cagey about releasing details, but reporting so far says the breach targeted people who had already reached ‘preservation age’ and could access their money or lump sum.
Panicked super fund members then overwhelmed the funds’ already shaky login systems, so some people saw a $0 balance in their account, which the funds say is an error and will be corrected.
That’s a big oopsie. One that proves the superannuation industry - who collect way more in fees each year than our toll road providers - needs to step up.
Ever since my son had his first home deposit stolen by PEXA fraudsters, I have been investigating what I’m calling digital bank robbery - and it’s scary.
I had no idea that overseas organised crime syndicates were targeting Australians for their lucrative real estate and superannuation wealth - we lost $2 billion last year and are likely to continue losing more because our systems are all a little bit, well, shit.
Check your super - and secure it with a strong password and multi-factor authentication
So make sure you do your own super check to discover:
a) it’s all there - every cent of it. If it’s not, report it to your fund AND the police straight away.
b) your employer is putting in the right amounts each month (there are new ‘payday’ super rules coming next year to make sure super is paid at the same time as your wage - right now it’s usually only paid monthly or quarterly).
c) your super fund has strong enough security in place with multi-factor authentication (not just SMS authentication, which can easily be breached)
d) you have a unique password or passkey, or a paid password manager like 1Password or Bitwarden in place. Try to use a ‘phrase’ like Woodstock-loves-hippies-2025* rather than a traditional password like Woodstock123!.
e) try not to use browser-based password solutions to remember your passwords, as cybercriminals can target these to steal saved logins using what’s known as ‘session cookie theft’.
f) if you really need to write down your passwords, then don’t do it in a notebook stored near your devices - pop them in a cookbook or down the bottom of a pair of shoes rather than risk a thief coming across the passwords that are literally the keys to your bank account.
You need to rein in your own breached data for super safety
This wasn’t some elite squad of international cybercriminals deploying never-before-seen tools. This was known as a credential stuffing attack.
That’s a fancy way of saying hackers took passwords and email addresses that were already leaked from other breaches—maybe years ago, maybe from shopping sites, newsletters, or loyalty programs—and then used automated systems to try logging into people’s super accounts in the middle of the night.
Why then? Because most of us are asleep, and unlikely to respond to alerts or verification requests.
If the credentials worked, the attackers changed the phone number linked to the account, giving them control over SMS-based two-factor authentication (2FA). In some cases, that was enough to allow withdrawals from accounts—especially for members in the pension phase who are legally allowed to access their super.
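The attack pattern just described (a bot trying leaked email/password pairs across many accounts overnight, then swapping the phone number and withdrawing) has a recognisable shape in a fund’s own logs. The following is an added example of how a fund’s security team could detect both stages; it is not code from the article or from any super fund, and the log lines, field layout and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, member id, event, outcome.
SAMPLE_LOG = """\
2025-04-02T02:11:05 203.0.113.9 m1001 login fail
2025-04-02T02:11:06 203.0.113.9 m1002 login fail
2025-04-02T02:11:07 203.0.113.9 m1003 login ok
2025-04-02T02:11:08 203.0.113.9 m1004 login fail
2025-04-02T02:11:09 203.0.113.9 m1005 login fail
2025-04-02T02:11:10 203.0.113.9 m1006 login fail
2025-04-02T02:12:30 203.0.113.9 m1003 phone_change ok
2025-04-02T02:14:02 203.0.113.9 m1003 withdrawal ok
2025-04-02T09:30:00 198.51.100.7 m2001 login ok
2025-04-02T09:31:00 198.51.100.7 m2001 login ok
"""

def parse(log):
    """Turn each log line into (timestamp, ip, member, event, outcome)."""
    events = []
    for line in log.splitlines():
        ts, ip, member, event, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, member, event, outcome))
    return events

def stuffing_sources(events, min_members=5, max_success_rate=0.3):
    """IPs trying many distinct members with few successes: the bot signature
    of credential stuffing (a human mistyping their own login hits one member)."""
    tried, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, member, event, outcome in events:
        if event != "login":
            continue
        tried[ip].add(member)
        total[ip] += 1
        if outcome == "ok":
            ok[ip] += 1
    return sorted(ip for ip in tried
                  if len(tried[ip]) >= min_members and ok[ip] / total[ip] <= max_success_rate)

def takeover_candidates(events, window=timedelta(hours=1)):
    """Members whose SMS number was changed and who then withdrew within the
    window: the takeover-then-cash-out sequence described in the article."""
    last_phone_change, flagged = {}, set()
    for ts, _, member, event, outcome in sorted(events):
        if event == "phone_change" and outcome == "ok":
            last_phone_change[member] = ts
        elif event == "withdrawal" and outcome == "ok":
            changed = last_phone_change.get(member)
            if changed is not None and ts - changed <= window:
                flagged.add(member)
    return sorted(flagged)
```

In a real deployment the second check would hold the withdrawal for manual review rather than merely flag it after the fact.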
What you can do right now
You can check if your details are doing the rounds by using Troy Hunt’s Have I Been Pwned website or the Avast Leak Check.
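Have I Been Pwned also offers a password check that never sees your actual password: your client hashes it with SHA-1 and sends only the first five hex characters, then matches the rest locally against the list the service returns. The block below is an added illustration of that k-anonymity matching, not the article’s or HIBP’s own code; the server response is constructed inline (the function `constructed_range_for` is a stand-in for the network call), so it runs offline.

```python
import hashlib

def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, range_body):
    """Scan a 'SUFFIX:COUNT' range listing for our suffix; 0 means not found."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        listed_suffix, count = line.split(":")
        if listed_suffix == suffix:
            return int(count)
    return 0

def breach_count(password, fetch_range):
    """Full client-side flow: only the prefix leaves the machine via fetch_range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))

def constructed_range_for(leaked_password, count):
    """Hypothetical stand-in for the HTTP request: builds a fake range listing
    that contains the suffix of one known-leaked password plus two filler rows."""
    _, suffix = sha1_prefix_suffix(leaked_password)
    return ("0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
            f"{suffix}:{count}\n"
            "011053FD0102E94D6AE2F8B83D76FAF94F6:2\n")
```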
Best practice is for financial service providers to use biometrics (fingerprint) or at least multi-factor ID through an authentication app like Google Authenticator. (Using SMS text messages for codes is no longer secure enough.)
If your details are circulating the web and your fund doesn’t have multi-factor authentication in place, then ring them and demand to know why.
You can always change super funds, but this ALSO puts you at risk of fraudsters setting up fake accounts or stealing your money.
CHOICE did this story about super scams, with the general approach from fraudsters being:
Criminals claiming they can help you get your superannuation early. These crims get to know you over the phone and then steal your super once they have your vital login and account details.
Criminals claiming they can set you up with a lucrative self-managed superannuation fund (SMSF) but then stealing all your money while sending you false statements. This was how Melissa Caddick committed her frauds.
Melissa’s victims have now reached a settlement getting back around half of what she stole from them (mostly by setting up fake SMSF funds that never existed).
Funds that were hit by the cyberattack
Funds - and the Australian Superannuation Funds Association - are not being transparent about what happened, but the AFR says at least 5 big names were affected:
AustralianSuper – 600 accounts were targeted, $500,000 lost across four pension-phase members. The same fund that has just been destroyed for taking months to pay out super death benefits. AustralianSuper has now said it will refund the members who lost money. One person in the pension phase lost $406,000.

“We have now thoroughly investigated the incidents in which money was transacted out of a member’s account and all of those are being remediated. Remediations will be made from fund reserves,” AustralianSuper told the AFR.
REST – Around 8000 members’ personal info accessed; no financial losses reported.
Australian Retirement Trust (ART) – Less than 200 accounts impacted, no financial loss.
Hostplus – Confirmed suspicious activity, still investigating.
Insignia (MLC Expand platform) – Around 100 accounts affected, but no money lost.
Cbus/Media Super - Reported to APRA “an unusually high spike in log-in attempts, which occurred several days after the cyber-attack that impacted other super funds.” 85 accounts are being investigated.
The funds say they acted quickly once the suspicious activity was noticed, locking accounts and alerting authorities. But for some members, it was too late.
Let’s see if the funds try to blame the victims, like the banks do when there is financial crime through authorised payment frauds …
Mass scale - spray and pray phishing - is a nightmare
Artificial Intelligence has made it a cinch for crims to group large amounts of breached data from multiple sources together to target people and find out how often they re-use passwords.
When I scroll Insta or Facebook, I am hit with ads urging me to ‘compare my super’ to check it’s doing OK - DO NOT EVER ENTER YOUR SUPER FUND DETAILS INTO ONE OF THESE ADS!!!
Crims use these types of online tools to harvest your data and mix it with any other breached data about you they can get their hands on (and given that Optus, Medibank and other large companies have had data breached recently, there’s a lot of info floating around).
I will try to leave you smiling, not scared
Super is still one of the best ways to save your money in a tax sheltered environment.
Don’t abandon it! Just demand better security from your fund (and change your password to something tricky - not one that you use for Netflix or Amazon).
I’m sorry your son lost his house deposit! That’s terrible. Is it sorted now? Thanks for this article and giving us the tools and guidance on how to stay safe! Scary! 😱