Raaga
December 15, 2025
•[ data leak, unauthorized access, credential stuffing ]
Raaga confirmed that an unauthorized party accessed a legacy database and that the extracted user data was later advertised for sale on an underground hacking forum during December 2025. Reporting described the exposed dataset as affecting more than 10.2 million user accounts and including personal and account-related fields such as names, email addresses, usernames, hashed passwords, and account creation dates, with partial location data in some cases. The company stated it secured the relevant access points tied to the exposed system, reset passwords for impacted accounts, and implemented additional monitoring while working with cybersecurity specialists and notifying law enforcement. Even without payment data, the combination of emails and password hashes creates elevated risk of credential stuffing, targeted phishing, and account takeover.
DraftKings
October 2, 2025
•[ credential stuffing ]
Credential stuffing allowed unauthorized access to a small number of customer accounts and limited data; company says internal systems not breached and no financial loss.
Individual retail investors using Japanese online brokerage platforms
April 5, 2025
•[ credential stuffing, account abuse ]
Between April 58 2025, foreign criminal actors compromised login credentials of Japanese retail investors and placed unauthorized securities trades through online brokerage portals; Japans Financial Services Agency and police launched an investigation into coordinated credential-stuffing and account abuse.
AustralianSuper
April 1, 2025
•[ account takeover, credential stuffing, theft ]
Hackers used stolen credentials to access about 600 AustralianSuper accounts in a coordinated campaign targeting Australias superannuation funds; small monetary thefts reported.
Rest Super
April 1, 2025
•[ credential stuffing, account takeover ]
Rest Super confirmed credential-stuffing attempts compromising some member accounts as part of coordinated April 2025 campaign; no losses disclosed.
Insignia Financial
April 1, 2025
•[ credential stuffing, data leak ]
Insignia Financial confirmed attempts to access customer portals using stolen credentials during April 2025 campaign; extent of compromise under investigation.
Hostplus
April 1, 2025
•[ credential stuffing ]
Hostplus reported limited unauthorized logins to member accounts linked to credential-stuffing attacks on multiple Australian superannuation funds in April 2025.
GS Shop
February 13, 2025
•[ credential stuffing, data leak ]
Credential-stuffing led to extraction of ~1.58M GS Shop customer records (21-06-2024 to 13-02-2025); financial data not affected; GS Retail blocked offending IPs, urged password changes, and launched a security task force.
