Banks can’t stop it: 31,000 Australian bank logins stolen in dark web hack

Many Australians have embraced online banking as a convenient way to manage their finances. While some appreciate the ease and speed of digital banking from home, others still feel more comfortable visiting a branch or speaking to a teller in person. 

This mix of preferences reflects the broader experience of adapting to new technology. However, recent news about a significant leak of Australian bank login details might give you another reason to double-check your digital defences.

Over 31,000 Australian bank login details from major banks have been stolen via malware and are being traded on the dark web, with banks struggling to stop the spread. Credit: Nichcha/Shutterstock

In a worrying development, the personal banking login details of more than 31,000 Australians have been found circulating on the dark web and encrypted messaging platforms, leaving thousands at risk of fraud and identity theft.

Let’s get one thing clear: this isn’t a case of hackers breaking into the banks themselves. Instead, cybercriminals target everyday Australians by infecting their devices—laptops, tablets, and smartphones—with malicious software known as ‘infostealer’ malware. 

Once installed, this sneaky software quietly harvests sensitive information such as usernames, passwords, credit card numbers, and cryptocurrency wallet details, then sends it straight to the criminals.

According to Australian cyber intelligence firm Dvuln, the stolen credentials include at least 14,000 Commonwealth Bank customers, 7,000 ANZ customers, 5,000 NAB customers, and 4,000 Westpac customers. 

The data is now being traded on the dark web and messaging apps like Telegram, sometimes for as little as $600 for access to hundreds of thousands of compromised devices.

The Australian Banking Association (ABA) was quick to point out that this isn’t a breach of the banks’ own systems.

‘Keeping customers secure online is the top priority for Australia’s banks,’ said ABA Chief Executive Officer Anna Bligh. 

‘They continue to invest [in] security defences to help keep customers safe, including using advanced intelligence systems to monitor both open and dark web sources for compromised customer credentials.’

But here’s the catch: because the malware infects individual devices, not the banks’ networks, there’s only so much the banks can do. If your device is compromised, your details could be stolen without you or your bank knowing.

Jamie O’Reilly, founder of Dvuln, said many attacks go unnoticed because they happen silently in the background. 

‘There may be a large number of fraud attacks happening against individuals and businesses. But there’s been no public attribution because it’s very difficult to trace back to a specific malware infection,’ he explained. 

Once your details are out there, the consequences can be long-lasting. O’Reilly’s team found that devices infected up to four years ago can still provide valuable data to cybercriminals. 

Some criminal groups offer stolen credentials for free to attract new buyers, while others sell them in bulk. And while most attacks have targeted personal computers running Windows, there’s a growing trend of malware targeting mobile devices.

If a bank suspects your credentials have been compromised, it will take immediate action to secure your account and advise you on the next steps. 

The Commonwealth Bank, for example, said it uses advanced monitoring to detect and block suspicious transactions in real time.

‘We use advanced intelligence systems to monitor both open and dark web sources for compromised customer credentials. We detect and block suspicious transactions in real time, have an integrated security approach combining cyber, fraud prevention, and resilience capabilities, [and] continuously adapt our defences based on real-time threat intelligence and regular testing of our security systems.’

However, the ABA pointed out that responsibility for staying safe online does not rest with the banks alone. Customers also need to play their part.

So, how can you protect yourself? Here are some practical steps you can take right now to reduce your risk:

  1. Use strong, unique passwords for your online accounts, and update them regularly. Avoid using the same password across multiple sites.
  2. Install reputable anti-virus and anti-malware software on all your devices, and keep it up to date.
  3. Be wary of suspicious emails, links, and attachments—these are common ways for malware to sneak onto your device.
  4. Monitor your bank accounts closely for any unusual activity. Set up transaction notifications if your bank offers them.
  5. Enable two-factor authentication wherever possible for an extra layer of security.
  6. Contact your bank immediately if you notice anything suspicious or think your details may have been compromised.

Have you ever been the victim of online banking fraud, or do you have tips for staying safe online? Share your experiences and advice in the comments below—your story could help someone else avoid becoming a victim.


Lexanne Garcia
Lexanne Garcia is a content writer and law student driven by curiosity and a commitment to lifelong learning. She has written extensively on topics ranging from personal growth to social trends, always striving to offer readers practical insights and fresh perspectives.
