Key Points
- Iconic customers have flooded the retailer's Facebook page with complaints of fraudulent orders — some up to $1,000.
- The online retailer, which claims it wasn't hacked, has promised to refund customers.
- Customers' accounts with The Iconic were reportedly accessed using stolen logins from other accounts.
Online retailer The Iconic has promised to refund customers whose accounts were used to place fraudulent orders, leaving some thousands of dollars out of pocket.
Angry customers have recently inundated the retailer's Facebook page with stories of fraudulent purchases and expressed frustration at a lack of response from the brand.
Customers complained that purchases of more than $1,000 had been taken from their accounts, with ABC reporting some orders went as far back as November.
The popular retailer has said that, while it wasn't directly hacked, there has been an increase in fraudulent attempts to log in to customer accounts, a practice known as 'credential stuffing'.
"We are working with all customers to address these incidents, which are not a result of a data breach at The Iconic," a spokesperson said in a statement on Tuesday.
"Our teams are also proactively intercepting unauthorised access attempts and cancelling any fraudulent orders made, in addition to providing customers with full refunds for any successful orders made that have been dispatched."
So, how do you know if you're vulnerable to falling victim to a similar attack, and how can you protect yourself?
What is credential stuffing?
Some customers have expressed confusion as to how the orders were placed when the retailer doesn't store bank card details.
The Australian Cyber Security Centre (ACSC) defines credential stuffing as a type of hack whereby cyber criminals "use previously stolen passwords from one website and try to reuse them elsewhere".
People who use the same password across multiple websites are most vulnerable to this type of cyber attack.
Iconic customers complained that they received confirmation emails of orders not placed by them. They said their accounts were charged and the order was dispatched to a nondescript postal address.
How do you protect yourself from credential stuffing?
The ACSC recommends multi-factor authentication — in which two or more different actions are used to verify identity — as the best defence against credential stuffing.
The two actions can be a combination of something you know, like a password, and a second layer like an authenticator-generated PIN or facial recognition which makes it harder for someone else to break into your account.
The use of password managers can also help prevent credential stuffing, as a unique login is created for each account, so hackers won't be able to use stolen data for another site.
It's unclear how many customers or accounts were compromised, or how many fraudulent orders from The Iconic were made by the hackers in the recent attack.
Swinburne University marketing lecturer Jessica Pallant said organisations had a duty to protect customer data, which she said was a borrowed asset.
“Customers own their data and have a right for their data to be protected. Organisations need to understand that customer data is a borrowed asset," she said.
"Our research shows that these kinds of breaches can negatively impact customer trust if the brand is not transparent in how they communicate and solve the issue from here.”
The National Anti-Scam Centre was created in response to the pervasive issue of scamming in general, which cost Australians $3 billion in 2022.
