
Millions of Australians Urged to Change Passwords After Major Super Fund Hack
The Australian Securities and Investments Commission (ASIC) issued an urgent call on May 11, 2026 for financial firms to immediately lift their cyber resilience standards. The directive comes amid a rapidly evolving threat landscape in which artificial intelligence is accelerating security risks across the financial sector. The regulator identifies cyber-attacks, data breaches and inadequate operational resilience as critical issues that undermine market confidence and threaten the retirement savings of millions of Australians.
This renewed focus on security follows a series of significant cyber-attacks on the Australian superannuation sector, most notably in late March and early April 2025. During that period several major funds had to respond to coordinated 'credential stuffing' attacks. In this method, criminals take username and password pairs leaked in earlier, unrelated third-party breaches and replay them at scale against superannuation login portals; it succeeds because many people reuse the same email and password across services, and it does not require breaching the funds' core systems at all.
AustralianSuper, the nation's largest superannuation fund with A$365 billion in assets under management as of April 2025, was among the most prominent organisations affected. The fund identified that up to 600 member accounts had been accessed using stolen passwords. Although the fund's core systems were not breached directly, the misuse of valid member credentials led to fraudulent activity that exposed weaknesses in member-facing login security.
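The distinguishing signature of a credential-stuffing campaign, as opposed to a member mistyping their own password, is one source trying many different usernames and failing almost every time. The following is an added example, not code from the article or from any of the funds named in it: a small detector that parses a constructed web-login audit log (the line format, source addresses and member IDs are all hypothetical) and flags sources that attempt a threshold number of distinct accounts with a high failure ratio inside a sliding time window, listing any accounts those sources did successfully log in to as likely takeovers.

```python
"""Credential-stuffing detector over a constructed login audit log.

Heuristic: a single source that tries many distinct usernames, mostly
failing, within a short window is replaying a leaked credential list.
Any success from such a source is a probable account takeover.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import re

# Hypothetical log format: "<ISO timestamp> src=<ip> user=<id> result=OK|FAIL".
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample lines. 203.0.113.5 stuffs eight different member IDs and
# gets one hit; 198.51.100.7 is one member fumbling their own password.
SAMPLE_LOG = """\
2025-03-29T02:14:07Z src=203.0.113.5 user=m100021 result=FAIL
2025-03-29T02:14:09Z src=203.0.113.5 user=m100022 result=FAIL
2025-03-29T02:14:11Z src=203.0.113.5 user=m100023 result=FAIL
2025-03-29T02:14:12Z src=198.51.100.7 user=m200001 result=FAIL
2025-03-29T02:14:14Z src=203.0.113.5 user=m100024 result=FAIL
2025-03-29T02:14:16Z src=203.0.113.5 user=m100025 result=OK
2025-03-29T02:14:19Z src=203.0.113.5 user=m100026 result=FAIL
2025-03-29T02:14:21Z src=198.51.100.7 user=m200001 result=FAIL
2025-03-29T02:14:22Z src=203.0.113.5 user=m100027 result=FAIL
2025-03-29T02:14:25Z src=203.0.113.5 user=m100028 result=FAIL
2025-03-29T02:14:30Z src=198.51.100.7 user=m200001 result=FAIL
2025-03-29T02:14:41Z src=198.51.100.7 user=m200001 result=OK
2025-03-29T02:15:03Z src=198.51.100.9 user=m200002 result=OK
"""


def parse(text):
    """Return (timestamp, src, user, success) tuples sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, user, result = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, user, result == "OK"))
    events.sort()
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_distinct_users=5, min_fail_ratio=0.8):
    """Flag sources that, within any sliding window, hit >= min_distinct_users
    accounts with a failure ratio >= min_fail_ratio. Returns {src: summary}."""
    by_src = defaultdict(list)
    for when, src, user, ok in events:
        by_src[src].append((when, user, ok))

    flagged = {}
    for src, evs in by_src.items():
        users_in_window = Counter()   # username -> attempts currently in window
        fails = 0                     # failed attempts currently in window
        start = 0                     # index of oldest event still in window
        hit = False
        for i, (when, user, ok) in enumerate(evs):
            users_in_window[user] += 1
            fails += 0 if ok else 1
            # Slide the window forward, evicting events older than `window`.
            while when - evs[start][0] > window:
                _, old_user, old_ok = evs[start]
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
                fails -= 0 if old_ok else 1
                start += 1
            attempts = i - start + 1
            if (len(users_in_window) >= min_distinct_users
                    and fails / attempts >= min_fail_ratio):
                hit = True
        if hit:
            flagged[src] = {
                "attempts": len(evs),
                "distinct_users": len({u for _, u, _ in evs}),
                "failures": sum(1 for _, _, ok in evs if not ok),
                # Successful logins from a stuffing source: review and lock these.
                "compromised": sorted({u for _, u, ok in evs if ok}),
            }
    return flagged


if __name__ == "__main__":
    for src, summary in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(src, summary)
```

The per-source thresholds catch the noisy case shown here; a real campaign is usually spread across thousands of proxy or residential addresses so that each one stays under any per-IP limit. In production the same counters should also be kept per user-agent fingerprint and across the whole member population (a sudden rise in the global failure rate, or failures on member IDs that do exist versus ones that do not), and detection only limits damage: requiring a second factor at login is what stops a replayed password from being sufficient on its own.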

Financial Impact and Member Losses
The financial impact of these breaches was significant for the individuals involved. Four members of AustralianSuper collectively lost A$500,000 from their retirement savings due to fraudulent activities. Although the fund subsequently reimbursed all affected members, the incident underscored the vulnerability of the A$4.2 trillion superannuation sector to sophisticated fraud.

Rest Super also reported a substantial impact during the initial wave of attacks detected over the weekend of March 29-30, 2025. Approximately 20,000 members, representing about 1% of the fund's total membership, were affected by unauthorised online activity. In these instances, personal information was potentially accessed, prompting widespread calls for members to update their security credentials. Across the broader industry, millions of Australians were urged to change their passwords as a precautionary measure to prevent further unauthorised access.
Other major institutions that detected suspicious login attempts and increased cyber activity during this period included:
- Hostplus
- Australian Retirement Trust (ART)
- Insignia Financial, the owner of MLC
- Cbus Super
- Media Super
National Cyber Security Coordinator Michelle McGuinness confirmed in April 2025 that a coordinated government response was necessary to protect the retirement sector. The Australian Taxation Office (ATO) and the Association of Superannuation Funds of Australia (ASFA) were also involved in the industry-wide effort to secure member data and mitigate the impact of the credential stuffing campaign.