OMG my super just got hacked – what now?


Don't panic! The risks are increasing, so here's what you need to know.

COVID made super a dinner table topic, thanks to early access measures.

And now the news of a sophisticated cyber attack on that perceived fortress - superannuation funds - has many of us chatting over the table about super again.

After all, we've always been promised it was impossible for anyone to steal our super.

But now they have.

Here's what happened in the first week of April 2025:

  • A cyber attack was launched on a number of super funds, including Australian Super, Australian Retirement Trust, Hostplus, Insignia Financial and REST Super, on Friday 4 April 2025.
  • CBUS Super also disclosed a breach after that initial wave of attacks.
  • The scammers used credentials leaked on the dark web to access members' accounts.
  • Only Australian Super members had monies stolen, totalling around $500,000. The fund has committed to replenishing those members' monies from its reserves.
  • A lack of multi-factor authentication (MFA) (such as responding to a confirmation text after signing in) has been blamed for enabling access to the scammed accounts.

Who else is impacted by this attack?

While only a few Australians were impacted this time around, anyone whose existing website logins have been leaked onto the dark web can potentially be a victim of an attack. That's especially the case if you use the same password for different accounts. (I know, it's so tempting, but as this incident shows, the risks are enormous.)

None of us knows for sure if our details have been leaked, so it's safer to assume this includes you and to take precautions.

What are the authorities doing?

The Association of Superannuation Funds Australia (ASFA) says it is working to improve security measures, but what that involves at the time of writing is unclear.

However, you don't need to wait for the authorities to take action; you can improve your own security right now.

3 things you should do to protect your super account right now

  1. Change your password for your super account, making it unique to just your super. Do not re-use the same one that you use for your banking, or for anything else.
  2. Implement MFA on your super account if your fund offers it. This could involve confirming a phone number, or using an authentication app which runs on your phone. Your provider can explain what options are available.
  3. Be wary of anyone purporting to be from your super fund. If you receive an email or a phone call from your fund, do not give them any sensitive details. Phone your fund, using the phone number available on their website, to confirm if they were actually trying to get in contact with you.

Finder's editor-at-large and tech geek Angus Kidman has some more tips here.

If you're worried your super fund doesn't offer MFA, you may want to consider switching super funds.

Disclaimer: This information is general and does not take into account your individual objectives, financial situation or needs. Before making any financial decision, consider your own situation and seek independent expert advice.
