Some of Australia’s biggest brands have been hit with a credential stuffing attack affecting thousands of customers around the country.
Updated 17/1/24: Clarified that no Binge customers credit card details had been compromised and added comment from a company spokesperson.
Scammers, based in Australia are thought to have purchased compromised account details from overseas hackers and used the usernames, emails and passwords to purchase iPhones, clothing and almost $800 worth of top-shelf alcohol with strangers’ money. The details were revealed by the Sydney Morning Herald.
Dan Murphy’s parent company Endeavour Group, confirmed that its customers had been the victims of credential stuffing fraud in recent weeks.
“A small number of user accounts were subject to fraudulent transactions as a result of email and passwords; these were obtained through unrelated third-party breaches and not due to our internal systems being compromised,” a spokesman said.
“Our team took immediate action and has been working with affected customers.”
Binge confirmed that no customer credit card details had been compromised.
“BINGE customers remain unaffected by credit card scams including the one reported by Kasada and no credit card details have been compromised. Credit card details are managed off-platform as part of the comprehensive cyber security systems we have in place. Our customer accounts are monitored 24/7 for cyber activity that may compromise accounts and we have advanced systems in place to block, re-set customer accounts, and notify affected customers, ensuring minimal risk,” said a spokesperson for the streaming service.
Home shopping network TVSN and Event Cinemas were also hacked. TVSN confirmed that a “small number” of customers had been affected and it had contacted those who suffered.
“In communications on this issue, TVSN has reminded its customers of the importance of ensuring that they have a strong, unique password for each different website or account that they hold,” the spokeswoman said.
No TVSN customer credit card information had been accessed, she said.
A spokeswoman for Guzman y Gomez said the company does not save customer credit card details and “uses advanced monitoring for such attacks and proactively takes action to defend against cyber criminals to protect our guests, including notifying users of suspicious activity”.
A spokeswoman for Event Cinemas said the company had “not experienced recent transactions or activity inconsistent with past trends” but would follow up on the issue with cybersecurity firm Kasada which detected the hacking.
The news follows hackers compromising the accounts of THE ICONIC customers last week. Kasada founder Sam Crowther said that hackers were engaging in a “concerted, targeted effort to hit Australian businesses who haven’t had to deal with this before.
“In the past few weeks, the level of activity has gone mental, and it is still going on. While we remain a soft target the problem will get worse.
“The modus operandi of these guys is to purchase the biggest amount you can as quickly as possible before it can be noticed or stopped,” said Crowther.
Suffering a cyberattack could lead to near-irretrievable damage to a brand’s reputation. Optus, which last year suffered a more serious form of attack than these credential stuffing attempts, still has not fully recovered.
