Thousands of Australians’ Banking Details Stolen in Cyberattack

More than 30,000 Aussies have had their banking details compromised and leaked online, according to a new report from Australian tech security firm, Dvuln — and it's got security experts pretty worried.

The compromised data, collected over the past four years, isn’t from a major hack into banks themselves. Instead, criminals used something called "infostealer malware" to swipe the information directly from people's personal devices — like phones and laptops — without them even knowing.

Dvuln’s research shows that the banking details found online are just a "fraction" of what’s likely out there. In fact, they found information from 10,000 customers of one major bank alone sitting on "infostealer logs" — shady online spaces where hackers buy, sell, and trade stolen data. Another bank had 5000 customer details exposed, and yet another had 4000.

Customers from Australia's big four banks — Commonwealth Bank, NAB, ANZ, and Westpac — were all caught up in the leak.

While multi-factor authentication (MFA) — that extra step when you log into your bank app — is now standard, Dvuln warns that it’s not a silver bullet. Once infostealer malware is on your device, it can harvest login credentials before you even get a chance to punch in a verification code.

"The infections targeted individual user devices and harvested their credentials, rather than compromising banking infrastructure directly," the report explained. They’re now calling for a coordinated effort between banks, government, cybersecurity experts, and the public to help close the gap between device compromises and financial abuse.

Dvuln also highlighted that infostealer malware is one of the "most pervasive yet underreported threats" facing Australia’s financial sector right now.

The Australian Banking Association’s CEO, Anna Bligh, confirmed that this issue comes from personal devices being hacked — not from any breach inside the banks themselves.

"Keeping customers secure online is the top priority for Australia’s banks," Bligh said. Banks are constantly monitoring both the open and dark web for compromised credentials, and if they find anything suspicious, they jump into action to lock down accounts and warn customers.

Commonwealth Bank is also urging customers to stay vigilant: create strong, unique passwords (and change them regularly), keep anti-virus software up-to-date, monitor account activity closely, and set up transaction alerts to catch anything unusual early.

Meanwhile, a spokesperson from the Australian Signals Directorate (ASD) — part of Australia's national security network — said they’re working hard to fight off cybercriminals targeting Australians.

“Cybercriminals use information-stealing malware to get their hands on valid user credentials, then sell or exploit them for money,” the ASD said. They warned that stolen credentials can be a dangerous tool for hackers to gain access to even more targets.

To put the scale of the cybercrime problem into perspective, the ASD received over 87,400 cybercrime reports in 2023–24 — and identity fraud topped the list.

Bottom line: Even if your bank is secure, your personal device might not be. Keeping your software updated, using strong passwords, and being suspicious of weird links and downloads are more important than ever.

Would you like me to also give you a quick checklist to stay safer online?

More updates to come on AusNewsLanka.