
32,000 passwords stolen from major Australian banks. As a banking customer what should I do?

  • Writer: Robert Salier
  • Apr 29
  • 3 min read

Updated: May 27

Australians are waking up to the news that 32,000 banking passwords from several of the major Australian banks have just been discovered for sale on the dark web.


IMMEDIATE ACTION TO TAKE

Don’t panic, just immediately change your password if you are a customer of the Commonwealth Bank, ANZ, NAB or Westpac. Please please please…

  • !! Do not change it to a password you already use elsewhere, or have used before.

  • !! Choose a password that is not easily guessed.

  • !! Choose a password of at least 12 characters in length, preferably more.


!! If you do not have two-factor authentication (or are unsure whether you have it) then do not read any further before changing your password!!
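The three password rules above are the same ones a well-built login system enforces on its own side. The following is an added example (not code from the original post or from any bank) showing how such a checker applies them: a minimum length, a comparison against a small constructed list of common passwords plus a check for trivial patterns, and a comparison against a history of previously used passwords that is stored only as salted PBKDF2 hashes, so the old passwords themselves are never kept in clear. The rule names, the common-password list and the sample passwords are all constructed for the example.

```python
"""Illustrative password-rule checker (added example, not from the original post).

Rules applied, matching the advice in the post:
  1. at least 12 characters;
  2. not easily guessed (not in a constructed common-password list, and not a
     single repeated character or a straight run such as 'abcdefghijkl');
  3. not a password already used before (compared against a history of
     salted PBKDF2 hashes rather than against stored plaintext).
"""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

MIN_LENGTH = 12
PBKDF2_ITERATIONS = 200_000

# Constructed stand-in for a breached/common-password list. A real deployment
# would check against a far larger corpus.
COMMON_PASSWORDS = {
    "password", "password1", "123456789012", "qwertyuiop12",
    "letmein12345", "welcome12345",
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); this pair is what a password history stores."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate re-hashes to any stored (salt, digest) entry."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def looks_trivial(password: str) -> bool:
    """Catch near-repeats and straight ascending/descending character runs."""
    if len(set(password)) <= 2:
        return True
    codes = [ord(c) for c in password]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1})


def check_new_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the rules the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or looks_trivial(password):
        problems.append("easily guessed")
    if matches_history(password, history):
        problems.append("already used before")
    return problems


if __name__ == "__main__":
    # Constructed history: one previously used password, kept only as a hash.
    history = [hash_password("OldBankPass2023!")]
    for candidate in ["OldBankPass2023!", "short1", "Letmein12345",
                      "abcdefghijkl", "correct horse battery staple 42"]:
        verdict = check_new_password(candidate, history) or ["acceptable"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The history comparison is the point most worth noting: because each entry carries its own salt, the checker can only answer "is this exactly an old password?" and cannot recover the old passwords themselves, which is the property you want from any system that remembers what you used before.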



What to know about Two-factor Authentication


It is less urgent to change your password if you already use two-factor authentication, but I recommend you still change it as a precaution. Two-factor authentication (“2FA”) is also known as multi-factor authentication (“MFA”). It requires you to provide a second way of verifying your identity beyond your password. If you use a web browser to log in to your bank, this second factor is usually an app on your phone that prompts you to confirm that you are indeed trying to log in, or a PIN sent to your phone that you then enter into the website. If you use a banking app on your phone or tablet, the two ways of confirming your identity are usually that (1) you have your phone with you and you have previously confirmed your identity by PIN or password when first turning the phone on, and (2) the camera recognises your face.



What has happened?


As of the time of this article the news has just broken, so, like any breaking news, further details will likely emerge. It’s even possible that some details may be updated and/or corrected.


The ABC News article says that these 32,000 passwords were stolen over a period of time since 2021. Currently, it is unclear how long these stolen passwords have been available for sale on the dark web, and hence whether, and for how long, criminals have been using them to try to steal money from bank accounts.


SECOND ACTION TO TAKE


Log in to your banking account or open your banking app and check that everything looks OK. That is, check that your balances are as you expect them to be, and that there are no transactions (particularly large withdrawals) that you cannot explain. If something does not look right, immediately contact your bank.


I will keep abreast of this breaking news story, and plan to write more about it in the coming days.



THIRD ACTION TO TAKE


Whether or not you have been a victim, you should run malware detection software on all your PCs, tablets and phones.


Fortunately, Microsoft Windows, macOS and Android have integrated malware detection enabled by default. Ensure it is still enabled. iPads and iPhones are protected from malware by their inherent design. There is also a variety of third-party malware detection software worth considering, which offers enhanced detection of advanced threats, more frequent updates and broader malware coverage. Use your favourite search tool or AI assistant to find the most highly recommended tools.


Beware that no malware detection software detects 100% of malware. It is a continuous cat-and-mouse game, with criminal hackers creating new malware and malware detection software being continually updated to keep pace.



IF YOU HAVE BEEN A VICTIM


If you know for sure that you have been a victim, then it is worth spending some time trying to figure out why you were infected with infostealer malware. While there's a very small chance that there was nothing you could do, the vast majority of malware infections are preventable.


Do you immediately install software updates when prompted that they are available? This article (written for small businesses, but equally relevant to individuals) explains why this is so important.


Are you using an old device that is no longer supported with security updates? Manufacturers only support their devices for a few years. Exactly how long depends on the manufacturer and the type of device, with cheap brands typically the shortest (and often not the most thorough). Phones and tablets tend to have a significantly shorter support life than macOS on Macs and Microsoft Windows on PCs.


Could you have clicked on a button or link that you didn't fully read and understand before clicking?


The Australian Cyber Security Centre personal cybersecurity guides may also help you figure out what went wrong, and give you tips for the future.
