Incident: The Iconic promises refunds after a spate of fraudulent transactions on customer accounts | ABC News Australia
Australian Retail Breach, 09 January 2024
Australian retailer The Iconic promises refunds after a spate of fraudulent transactions on customer accounts
While The Iconic was not directly hacked, an unauthorised third party used a technique known as ‘credential stuffing’
Company Statement: SUSPECTED UNAUTHORISED ACCESS
Source: The Iconic promises refunds after a spate of fraudulent transactions on customer accounts | ABC News Australia
Update 11 Jan 2024: Customers of The Iconic at risk of being defrauded due to lack of payment verification measures | ABC News Australia
The online retailer also confirmed that a transaction “may be made” because its checkout does not require a customer to verify their CVC number.

Online retailer The Iconic has vowed to refund customers who have been left out of pocket by thousands of dollars after their accounts were compromised and fraudulent orders were made without their permission.
Many customers have been left out of pocket by thousands of dollars and have struggled to contact The Iconic and get a timely response. The Iconic confirmed affected customers would be compensated.
The Iconic’s response says it has not been the victim of a cyber attack on its own systems, but rather of a credential stuffing attack, in which attackers use email and password combinations leaked from other sites. The company vows to refund affected customers.
Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites. In this type of cyberattack the attacker collects stolen account credentials, typically lists of usernames or email addresses and the corresponding passwords (often from a data breach), and then uses those credentials to gain unauthorised access to user accounts on other systems through large-scale automated login requests directed at a web application.
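The pattern described above, many accounts tried from the same source in a short window with most attempts failing, is what a defender looks for in login logs. The following is an added example, not code from The Iconic or the ABC article: a small Python detector over constructed sample log lines. The log format (`ts ip=… user=… result=OK|FAIL`), the IP addresses (documentation ranges) and the thresholds (5 distinct accounts and an 80% failure rate within 5 minutes) are assumptions chosen for illustration.

```python
"""Credential-stuffing heuristic over web login logs (added example, assumptions noted)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumed log line shape; real deployments would adapt the regex to their own format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line):
    """Parse one log line; return None for lines that do not match (they are skipped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return LoginEvent(ts, m["ip"], m["user"].lower(), m["result"] == "OK")


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, failures, attempts)} for the worst qualifying
    sliding window per IP. An IP qualifies when it tries at least `min_users`
    different accounts inside `window` and at least `min_fail_ratio` of those
    attempts fail. A shared NAT with many successful logins does not qualify."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1  # slide the window forward in time
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fails = sum(not e.ok for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                cand = (len(users), fails, len(win))
                if ip not in flagged or cand > flagged[ip]:
                    flagged[ip] = cand
    return flagged


def compromised_accounts(events, flagged_ips):
    """Accounts with a successful login from a flagged source: the 'hits' that
    should be forced through a password reset and checked for fraudulent orders."""
    return sorted({e.user for e in events if e.ok and e.ip in flagged_ips})


def analyse(log_text):
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    flagged = find_stuffing_sources(events)
    return flagged, compromised_accounts(events, flagged)


# Constructed sample log: one stuffing source (203.0.113.5) that tries eight accounts
# and succeeds on one, a normal user who mistypes once, and a shared office NAT
# (198.51.100.20) with many distinct users but no failures.
SAMPLE_LOG = "\n".join(
    [f"2024-01-08T02:14:{5 * i:02d}Z ip=203.0.113.5 user=u{i + 1}@example.com result=FAIL" for i in range(7)]
    + ["2024-01-08T02:14:35Z ip=203.0.113.5 user=alice@example.com result=OK"]
    + [
        "2024-01-08T02:10:00Z ip=198.51.100.7 user=bob@example.com result=FAIL",
        "2024-01-08T02:10:20Z ip=198.51.100.7 user=bob@example.com result=OK",
        "this line is malformed and must be skipped",
    ]
    + [f"2024-01-08T02:12:{10 * i:02d}Z ip=198.51.100.20 user=c{i + 1}@example.com result=OK" for i in range(6)]
)

if __name__ == "__main__":
    flagged, hits = analyse(SAMPLE_LOG)
    for ip, (users, fails, attempts) in flagged.items():
        print(f"{ip}: {users} accounts, {fails}/{attempts} failed")
    print("accounts to reset:", hits)
```

The ratio test is what separates stuffing from a busy shared address: the NAT source logs in six different users but with no failures, so it is not flagged, while the stuffing source is flagged even though one of its eight attempts succeeded. That one success is the account the retailer needs to act on.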
As part of this investigation, we are working closely with expert cyber security partners to assess the impact of the incident. We have notified law enforcement authorities including the Police and the Australian Cyber Security Centre, as well as the Office of the Australian Information Commissioner (OAIC). This investigation remains ongoing.
