The Iconic: NZ, Aus online retailer suffers 'credential stuffing' data breach - here's what an expert wants you to know


One of New Zealand and Australia's leading online fashion retailers is the latest business to fall victim to a data breach that compromised its shoppers' accounts.

The Iconic, a popular Sydney-based online fashion, beauty and lifestyle retailer, was recently subjected to an attack by an unauthorised third party that accessed a number of its customers' accounts - some of whom had their saved payment methods fraudulently charged thousands of dollars.

In a statement published to its website, the company confirmed the data breach was not the result of hackers accessing its internal systems, but was instead the work of a third party using a technique known as 'credential stuffing'.

In a nutshell, 'credential stuffing' is when an unauthorised third party obtains login credentials - email addresses and passwords - that were compromised on other websites, whether through phishing, malicious software or databases available on the dark web. Because many customers use the same login credentials across multiple sites, the third party can use the obtained information to access their accounts on other online platforms.

"Where the compromised email address and password combination was the same as an Iconic account, unauthorised access may have occurred," the company said. "The unauthorised third party used login credentials sourced through data breaches on other compromised website/s that are unrelated to The Iconic."

The Iconic has confirmed the third party may have accessed and/or modified customers' names, mobile numbers, stored credit, any stored or previously delivered addresses, and the last four digits of saved credit cards. For some accounts, the unauthorised third party may have changed the email address and password, it added.  

A number of affected customers have taken to The Iconic's social media to air their complaints, with one shopper claiming her credit card was charged $521.99. Another last week said she lost AU$1300 as a result of the attack.

Newshub spoke to cyber-security expert Alastair Miller, a principal advisory consultant at Aura Information Security, to get some insight into 'credential stuffing' and how online shoppers can protect themselves. 

What is credential stuffing and how did it happen to The Iconic?  

In layman's terms, 'credential stuffing' occurs when an attacker obtains credentials, such as logins and passwords, that have been compromised from a previous breach, Miller told Newshub.

"They will use them against another website in the hope that the same password has been used for multiple websites. It's quite a common and easy way for hackers to get in," Miller said.

However, Miller noted that credential stuffing was not the only issue at play. As the retailer's payment system was "not very secure", the breaches also resulted in fraudulent orders being placed using affected customers' saved payment methods.

"Once the attackers had access into customers' accounts, the payment system was not very secure, which meant they could fraudulently charge the saved payment methods," Miller said.  

In its statement, The Iconic confirmed that payment details cannot be stolen from a customer's account because payments are handled by a third-party payment processor, which means the full credit card number, expiry date and CCV are not stored within The Iconic's accounts or systems.

However, it noted that some customers would have had fraudulent orders charged to their saved cards - with Miller telling Newshub some shoppers would have been "thousands of dollars" out of pocket.

What can customers do if they are victims of credential stuffing?  

"Unfortunately, once an attacker has successfully used credential stuffing to access your account, there are limited things you can do," the expert told Newshub.   

"Prevention is the best way to protect yourself. Most of the responsibility is on the website provider to put in protection to make it harder for attackers to keep trying various credentials to gain access.

"In the case of The Iconic, the company has said it will refund impacted customers – so it's best to check your account and get in touch with them to organise a refund if you see any unusual charges on your account or credit card."

In Monday's statement, the retailer confirmed it will attempt to cancel any fraudulent orders prior to shipping and if fraudulent activity has been identified, the affected customer will be refunded.

All customers are encouraged to change their passwords.

How can customers keep themselves safe from credential stuffing or similar attacks?  

"The best protection against credential stuffing is to use a unique password for each website that you use, especially if it contains financial or sensitive data. This stops credentials from one breach being reused by an attacker," Miller advised.  

"Use a website such as to check whether any of your email accounts have been caught up in a breach. If an email address does appear, make sure you change your passwords ASAP.  

"Multi-Factor Authentication (MFA), if it is available, is another key tool to avoiding credential stuffing. A lot of retailers, banks, and even social media platforms now give you the option to enable MFA. You should definitely activate this whenever possible."  

The Iconic itself is encouraging its customers to remain alert for suspicious links and attempts to solicit personal information, such as by email, phone, text or post, or any scams where the sender or caller claims to be from the company.  

"Our customer service team will never call, text or email you asking for sensitive personal information such as your credit or debit card details; for your password; to send or receive funds using cryptocurrency; to meet via a video conferencing service; or to connect to your personal device through remote access," it said.  

The company is also urging its shoppers to regularly update their passwords with strong combinations, avoid re-using the same password across multiple websites and platforms, and review their account purchase history and bank statements for any unexplained transactions.  

What can The Iconic do in response to heighten safety for its customers?

"The Iconic can strengthen its access control by making the minimum password requirements at least 12 characters. At the same time, it should remind users to reuse a unique password and store that in a password manager," Miller said.

"They should also consider offering Multi-Factor Authentication (MFA) to users. This reduces the odds of credential stuffing attacks being successful, as it means that account holders need to approve the login through a secondary means, such as an access code or text message.  

"The Iconic also needs to strengthen the security around payments to ensure that another form of validation is done before payment is processed. This was the main failing that caused some customers to lose thousands of dollars."
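
For site operators, the pattern described above (one source trying many different accounts, each only once or twice, with most attempts failing) can be spotted in login logs. The following is an added illustration, not code from The Iconic or Aura Information Security; the event format, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account_email, succeeded).
# Addresses come from documentation-only IP ranges.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", i == 3) for i in range(8)]
    + [("198.51.100.20", "target@example.com", False)] * 12
    + [("192.0.2.5", "alice@example.com", False),
       ("192.0.2.5", "alice@example.com", True)]
)


def classify_sources(events, min_accounts=5, max_tries_per_account=2,
                     max_success_rate=0.2, brute_force_tries=10):
    """Label each source IP. Thresholds are illustrative assumptions.

    Credential stuffing: many distinct accounts, few tries per account,
    low success rate (each leaked pair is tested once).
    Brute force: one account hammered repeatedly with different guesses.
    """
    per_ip = defaultdict(lambda: defaultdict(list))
    for ip, account, ok in events:
        per_ip[ip][account].append(ok)

    verdicts = {}
    for ip, accounts in per_ip.items():
        attempts = sum(len(results) for results in accounts.values())
        successes = sum(sum(results) for results in accounts.values())
        heaviest = max(len(results) for results in accounts.values())
        mostly_failing = successes / attempts <= max_success_rate
        if (len(accounts) >= min_accounts and mostly_failing
                and heaviest <= max_tries_per_account):
            verdicts[ip] = "credential_stuffing"
        elif heaviest >= brute_force_tries and mostly_failing:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts a flagged source logged in to: the reused password worked,
    so force a password reset and review recent orders and profile changes."""
    return sorted({account for ip, account, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})


if __name__ == "__main__":
    found = classify_sources(SAMPLE_EVENTS)
    print(found, accounts_to_reset(SAMPLE_EVENTS, found))
```

Because large campaigns spread attempts across many addresses, the same grouping is usually also applied to other keys such as network range or client fingerprint.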