Bank logins leaked: What Australians need to know and how to stay safe

A wave of stolen staff logins has put Australia’s biggest banks on alert. Here’s what it means for you and how to protect your personal information.

Dozens of bank employee logins have been leaked online after cybercriminals hijacked their credentials using powerful “infostealer” malware, cybersecurity experts have revealed.

The malware, which silently infects computers and smartphones, harvested sensitive login data and funnelled it straight to hackers — putting Australia’s biggest banks on high alert.

The cyber intelligence firm Hudson Rock told the ABC it found dozens of compromised staff credentials at both ANZ and Commonwealth Bank, and fewer than five at NAB and Westpac.

Despite the breach, the big four banks insist their systems are locked down with strong defences to block unauthorised access, even if staff credentials fall into the wrong hands.

The latest leak comes after it was revealed earlier this week that the stolen passwords of more than 31,000 Australian banking customers are being shared among criminals online.

Dvuln founder Jamie O’Reilly said this isn’t just a corporate problem, and instead believes it’s a “public health-style cyber issue”.

“Every infected consumer device becomes a potential bridge not just into our financial system but the corporate systems we use every day,” he said.

Here’s what it means for you—and how to protect your personal information.

WHICH BANKS WERE HACKED?

Earlier this week it was revealed the stolen passwords of more than 31,000 Australian banking customers are being shared among criminals online.

An investigation by Australian cybersecurity company Dvuln found the credentials of at least 14,000 CommBank customers, 7000 ANZ customers, 5000 NAB and 4000 Westpac customers can be obtained on messaging platform Telegram and the dark web.

Dvuln founder Jamie O’Reilly said the passwords were stolen directly from users’ personal devices after becoming infected with a type of malware known as an “infostealer”.

Mr O’Reilly said some of the 31,000 devices were infected as far back as 2021, but would still provide valuable data to attackers.

“There is an entire criminal supply chain behind this. One group builds the malware. Another group distributes it,” he said.

“Then logs are sold to brokers. Those brokers test credentials and sell verified access to ransomware or other cybercrime gangs. It’s an entire economy.”

HOW CAN YOU KNOW IF YOU’RE EXPOSED?

Jon Soldan, CEO of payment fraud prevention platform Eftsure, suggests checking out Have I Been Pwned or Eftsure’s Data Checker Tool but also urges caution.

“These databases aren’t comprehensive and most services only check for email addresses associated with leaked or stolen data,” he said.

“It’s crucial to remember that infostealer malware can lift all kinds of personal data, which may or may not be traded as part of a dataset that includes email addresses.”

There are also a number of signs to look out for, including:

  • Unexpected 2FA prompts when you didn’t try to log in.
  • Password resets you didn’t initiate.
  • New locations or devices in your account history.
  • Bank logins from interstate or overseas.
  • Look for unrecognised logins, sudden password reset prompts, or unusual activity.
  • Small, unauthorised transactions (fraudsters often test with low values first).
  • Emails from services warning about sign-ins or password changes.

WHAT CAN YOU DO TO STAY CYBER SAFE?

Mr Soldan said the safest approach is to assume you’ve been impacted and make sure any stolen passwords are useless to cybercriminals. “That means basic protections like using a password manager and turning on multi-factor authentication wherever possible, especially across your most important logins: those used for financial accounts, work-related systems, or primary email accounts,” he said.

Mr Soldan said organisations should be on high alert too.

“With so many employees accessing work resources from personal devices, there’s a big risk of stolen credentials being used to infiltrate corporate systems – not just your own workplace’s systems but those of your suppliers and partners,” he said.

“We regularly see cybercriminals posing as trusted contacts and suppliers to trick staff into making fraudulent payments. That means your business can lose millions even if none of your passwords or systems were compromised.

“Again, the best defence is ensuring stolen passwords don’t help cybercriminals get what they want (money). Lower your scam risks by making sure employees only have access to the data and systems that are absolutely necessary for their jobs. Help employees know the warning signs of a scam through regular, tailored training.”

Mr O’Reilly said there are some free tools online, such as Hudson Rock’s cybercrime intel tools, that allow users to enter their usernames or emails to check whether they have been found in similar data sets, but said they are not 100 per cent accurate.

“Just because a user’s credential is not in these tools doesn’t mean they are not infected,” he said.

“The best measure is a layered one. It’s not about panicking, more about a refreshing wake-up call that you need to stay vigilant and practise good cyber hygiene.”

TIPS TO PROTECT YOURSELF

Mr O’Reilly said this isn’t about only running antivirus or changing your password and hoping for the best.

He said that “era is over” and that if you’re hit by an infostealer, your device is compromised.

1. Financial segregation of devices

“Have a clean device. If you’re dealing with money – banking, investments, tax – use a machine that’s never touched a game, torrent, or a free movies app.”

2. No Roblox, Minecraft, or mods on finance machines

“If your kids are using a computer, make sure it’s not the one that has access to your financial life. This is the equivalent of not writing your bank PIN on a sticky note beside your front door. Yet it’s happening in thousands of homes every day.”

3. Assume your machine is compromised if you’ve ever downloaded cracked software

“If you’ve ever installed pirated Adobe, free games, or software activators, you’re not just running a risk – you’re already likely compromised.”

4. Set a device policy in your household

“Just like you don’t let your kid drive your car without a licence, don’t let them install whatever they want on the family laptop. It’s not just their risk anymore – it’s yours.”

Originally published as Bank logins leaked: What Australians need to know and how to stay safe

Original URL: https://www.ntnews.com.au/technology/bank-logins-leaked-what-australians-need-to-know-and-how-to-stay-safe/news-story/ffee424853eeefba54fb8d1cf3cff5ef