DraftKings
October 2, 2025
•[ credential stuffing ]
Credential stuffing allowed unauthorized access to a small number of customer accounts and limited data; company says internal systems not breached and no financial loss.
Individual retail investors using Japanese online brokerage platforms
April 5, 2025
•[ credential stuffing, account abuse ]
Between April 58 2025, foreign criminal actors compromised login credentials of Japanese retail investors and placed unauthorized securities trades through online brokerage portals; Japans Financial Services Agency and police launched an investigation into coordinated credential-stuffing and account abuse.
AustralianSuper
April 1, 2025
•[ account takeover, credential stuffing, theft ]
Hackers used stolen credentials to access about 600 AustralianSuper accounts in a coordinated campaign targeting Australias superannuation funds; small monetary thefts reported.
Rest Super
April 1, 2025
•[ credential stuffing, account takeover ]
Rest Super confirmed credential-stuffing attempts compromising some member accounts as part of coordinated April 2025 campaign; no losses disclosed.
Insignia Financial
April 1, 2025
•[ credential stuffing, data leak ]
Insignia Financial confirmed attempts to access customer portals using stolen credentials during April 2025 campaign; extent of compromise under investigation.
Hostplus
April 1, 2025
•[ credential stuffing ]
Hostplus reported limited unauthorized logins to member accounts linked to credential-stuffing attacks on multiple Australian superannuation funds in April 2025.
GS Shop
February 13, 2025
•[ credential stuffing, data leak ]
Credential-stuffing led to extraction of ~1.58M GS Shop customer records (21-06-2024 to 13-02-2025); financial data not affected; GS Retail blocked offending IPs, urged password changes, and launched a security task force.
