31,000 Australian Bank Passwords Stolen and Traded on Dark Web
In a massive security breach, over 31,000 Australians have had their banking passwords stolen through malware attacks, with the credentials now being traded openly on cybercriminal forums – sometimes for free.
The Big Four Banks Hit Hard
The stolen credentials span Australia’s largest financial institutions:
- Commonwealth Bank: 14,000+ customer credentials exposed
- ANZ: 7,000+ customer credentials exposed
- NAB: 5,000+ customer credentials exposed
- Westpac: 4,000+ customer credentials exposed
Security researchers have confirmed these passwords are being shared on Telegram channels and dark web forums, creating a genuine risk of theft for affected account holders.
This Isn’t a Bank Vulnerability — It’s on Your Device
The passwords weren’t stolen through bank security flaws. Instead, they were lifted directly from infected devices using a type of malware known as an “infostealer.”
These digital pickpockets are specifically designed to infect your computer, harvest sensitive data, and deliver it straight to criminals. They primarily target Windows computers and can capture:
- Banking passwords
- Credit card details
- Cryptocurrency wallets
- Browser cookies and history
- Autofill information
The Silent Heist That’s Exploding
Infostealer attacks have surged dramatically worldwide, with Australia now hosting over 58,000 infected devices. The Australian Signals Directorate has dubbed this threat “the silent heist” – and for good reason.
Since 2018, global infections have skyrocketed from 135,000 to over 31 million – a 200-fold increase. This flood of stolen data has driven prices to shockingly low levels, with criminals offering subscription models giving access to hundreds of thousands of compromised devices for just $626 AUD (about 1¢ per victim).
Some cybercriminal groups even give away thousands of credentials for free, using them as “samples” to attract paying customers.
Changing Your Password Isn’t Enough
If you’re worried about exposure, simply changing your password may not be sufficient protection. Security experts compare it to “changing your locks while the burglars are still in your house.”
Even multi-factor authentication (MFA) isn’t a complete shield. Malware gangs sometimes sell cookies or access tokens alongside passwords, and a stolen cookie or token represents a session that has already passed the MFA check, potentially allowing criminals to bypass these extra security layers.
How to Protect Yourself
- Change passwords from a secure device: If you suspect infection, use a different, secure device to change your banking passwords.
- Keep everything updated: Up to 50% of infected devices have antivirus installed, but either the operating system or the security software isn’t current. Always run updates when prompted.
- Separate sensitive activities: Keep banking and sensitive information on a separate device from the one your children use for gaming or downloading.
- Be wary of free downloads: Infostealer infections often spread through pirated software, gaming mods (particularly Minecraft), or “cracked” programs that would typically require license fees.
- Monitor your accounts: Check your bank statements regularly for unauthorized transactions and report any suspicious activity immediately.
The Broader Threat
The average infostealer victim has 200-300 account credentials stored in their browser. Beyond banking, criminals can use these details to access:
- PayPal accounts
- International money transfer services
- E-commerce accounts with linked payment methods
Many fraud attacks linked to these breaches may be happening under the radar. Security researchers emphasize that nothing is 100% unhackable, but taking these precautions can make it significantly harder for criminals to access your information.
