
31,000 Banking Passwords Hacked in Australia

This Week: Reducing malware risks in Data Systems


Dear Reader…

The proliferation of infostealer malware has reached crisis levels, with 3.9 billion credentials stolen globally in 2024 alone. These attacks, which target individuals and enterprises alike, fuel a booming dark web economy where stolen data is traded for as little as $10 per log.

The recent breach of 31,000 Australian banking passwords exemplifies the scale and sophistication of these threats. For data engineers, the stakes are high: Malware information stealers compromise not only personal devices but also corporate systems, enabling lateral movement, ransomware deployment, and financial fraud.

This week we analyse the infostealer malware ecosystem, exploring how data automation platforms can mitigate risk, and providing a playbook for securing enterprise environments.

The Threat Landscape

Anatomy of a Modern Cyber Epidemic

Infostealers are malicious programs designed to harvest sensitive data (passwords, browser cookies, financial details, and session tokens) from infected devices. Unlike overt ransomware attacks, they operate covertly, often leaving victims unaware for months. Key trends from 2024–2025 include:

  • Exponential Growth: Infections surged by 115% year-on-year, with 4.3 million devices compromised globally.

  • Shift in Dominant Malware Families: LummaC2, Stealc, and RisePro replaced RedLine as the top infostealers, accounting for 68% of infections.

  • Credential Theft as a Service: Malware-as-a-service (MaaS) models democratise attacks, with subscriptions costing $200–$250/month.

Case Study: The Recent Australian Banking Breach

Between 2021 and 2025, infostealers infected devices belonging to customers of Australia’s “Big Four” banks: Commonwealth Bank, ANZ, NAB, and Westpac. Unlike a single, centralised breach, this incident was the result of thousands of individual infections, each caused by infostealer malware installed on personal devices.

Attackers distributed the malware primarily through

  • phishing emails

  • malicious SMS messages

  • fraudulent software downloads

Once installed, the malware covertly harvested sensitive data (including banking passwords, browser cookies, and autofill information) directly from victims’ browsers and applications.

The scale of the breach was unprecedented in Australia. More than 31,000 banking credentials were stolen, with over 14,000 belonging to Commonwealth Bank customers, 7,000 to ANZ, 5,000 to NAB, and 4,000 to Westpac. The stolen data was not limited to banking information; in many cases, the malware also exfiltrated email logins, social media credentials, and even cryptocurrency wallet details. Cybercriminals then aggregated these credentials and sold them on dark web forums and encrypted Telegram channels. Some logs were offered as free samples to attract buyers, while premium access to larger troves of data was sold via subscription models, sometimes for as little as $10 per log or $400 per month for bulk access.

This incident highlights a broader and deeply concerning trend in cybercrime: the industrialisation of credential theft and personal data trading. The breach was not the result of a single point of failure, but rather a systemic issue driven by the widespread use of infostealer malware and the commodification of stolen data. For enterprises and individuals alike, the case underscores the urgent need for robust endpoint security, automated credential management, and continuous monitoring to detect and respond to such threats before they escalate into financial loss or reputational damage.

How Data Automation Platforms Mitigate Infostealer Risks

1. Automated Threat Detection and Response

Infostealers evade traditional defences by mimicking legitimate processes (e.g., chrome.exe --remote-debugging-port). Data automation platforms counter this through:

  • Real-Time Behavioural Analysis: Machine learning models baseline normal user activity, flagging anomalies like sudden spikes in data exports or unauthorised credential use.

  • Playbook-Driven Containment: Upon detecting infostealer signatures (e.g., Lumma’s %AppData%\LummaC2\config.txt), automated systems isolate infected endpoints, revoke session tokens, and trigger password resets.

2. Dynamic Access Control and Credential Management

Infostealers exploit static permissions and stale credentials. Automation addresses this via:

  • Just-in-Time Access: Tools like Azure AD Privileged Identity Management grant temporary privileges, minimising the window for credential theft.

  • Automated Password Rotation: APIs integrate with LastPass Enterprise or HashiCorp Vault to reset compromised credentials enterprise-wide within minutes.

  • Session Token Invalidation: Systems like AWS IAM auto-revoke tokens after unusual activity (e.g., logins from new geolocations).

3. Enhanced Visibility and Audit Compliance

Dark web markets thrive on undetected breaches. Automation platforms provide:

  • Unified Logging: Aggregate data from endpoints, cloud services, and firewalls into SIEM systems like Elastic Security, enabling correlation of infostealer activity across vectors.

  • Dark Web Monitoring: Tools like ID Agent scan underground forums for leaked corporate credentials, triggering automated resets.
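The "Dark Web Monitoring" point above is worth making concrete: a leaked-credential feed should trigger a reset only for accounts that are actually ours and whose leaked password is still current, otherwise the automation just generates noise. The example below is added here and is not code from the newsletter or from any vendor tool; the feed records, directory and salted digests are constructed for the demo (a real IdP would expose only a "verify" call, never password digests).

```python
import hashlib
import hmac

CORPORATE_DOMAINS = {"example.com"}  # assumed corporate mail domain


def _digest(salt, password):
    # Constructed stand-in for the IdP's credential verifier.
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed directory: user -> (salt, digest of the *current* password).
DIRECTORY = {
    "alice@example.com": ("s1", _digest("s1", "Winter2024!")),
    "bob@example.com": ("s2", _digest("s2", "rotated-already")),
}

# Constructed feed records as (source_url, username, leaked_password).
FEED = [
    ("https://vpn.example.com/login", "alice@example.com", "Winter2024!"),
    ("https://mail.example.com", "bob@example.com", "OldPass1"),
    ("https://shop.other.test", "alice@gmail.test", "whatever"),
    ("https://hr.example.com", "ghost@example.com", "x"),
]


def triage(feed, directory, domains):
    """Decide, per leaked record, which automated action (if any) to fire."""
    actions = []
    for url, user, leaked in feed:
        domain = user.rpartition("@")[2].lower()
        if domain not in domains:
            continue  # someone else's credential; nothing for us to reset
        if user not in directory:
            actions.append(("no_such_account", user, url))
            continue
        salt, current = directory[user]
        # Constant-time compare of the leaked password against the live one.
        if hmac.compare_digest(_digest(salt, leaked), current):
            # Still valid: reset the password AND revoke live sessions, since
            # stolen cookies outlive a password change.
            actions.append(("force_reset_and_revoke_sessions", user, url))
        else:
            actions.append(("already_rotated_notify_only", user, url))
    return actions
```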


Data Engineer’s Playbook: Securing Against Infostealers

1. Endpoint Hardening and Monitoring

  • Deploy EDR Solutions: Use Microsoft Defender for Endpoint or CrowdStrike Falcon to block infostealer processes and memory injections.

  • Enforce Application Allowlisting: Restrict execution to signed binaries, preventing infostealers like Lumma from launching.

  • Monitor Browser Artifacts: Track access to browser SQLite databases (e.g., Chrome’s Login Data file), a common infostealer target.
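To show what "Monitor Browser Artifacts" and the detection-plus-containment flow from section 1 of the mitigation list look like in practice, here is an added example (not code from the newsletter or from any EDR product) that runs three rules over constructed endpoint telemetry: a browser launched with the remote-debugging flag, a non-browser process reading Chrome's Login Data or Cookies store, and the Lumma config path mentioned above. Host names, users and paths are invented for the demo.

```python
import ntpath

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
CRED_DB_NAMES = {"login data", "cookies", "web data"}  # Chromium credential/cookie stores

# Constructed endpoint telemetry for the demo (not real EDR output).
EVENTS = [
    {"type": "process", "host": "ws-101", "user": "alice", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "cmdline": "chrome.exe --remote-debugging-port=9222 --headless"},
    {"type": "file_read", "host": "ws-102", "user": "bob", "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "host": "ws-103", "user": "carol", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "path": r"C:\Users\carol\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_write", "host": "ws-104", "user": "dave", "image": r"C:\Users\dave\Downloads\setup.exe",
     "path": r"C:\Users\dave\AppData\Roaming\LummaC2\config.txt"},
    {"type": "process", "host": "ws-105", "user": "erin", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "cmdline": "chrome.exe https://intranet.example.test"},
]


def _base(path):
    return ntpath.basename(path).lower()  # ntpath handles Windows paths on any OS


def detect(events):
    """Return (rule, host, user, detail) tuples for events matching the three rules."""
    alerts = []
    for e in events:
        img = _base(e.get("image", ""))
        # Rule 1: a genuine browser binary started with the remote-debugging flag.
        if e["type"] == "process" and img in BROWSERS and "--remote-debugging-port" in e.get("cmdline", ""):
            alerts.append(("browser_remote_debugging", e["host"], e["user"], e["cmdline"]))
        if e["type"] in ("file_read", "file_write"):
            path = e.get("path", "")
            # Rule 2: anything other than the browser itself touching its credential stores.
            if _base(path) in CRED_DB_NAMES and img not in BROWSERS:
                alerts.append(("non_browser_credential_db_access", e["host"], e["user"], f"{img} -> {path}"))
            # Rule 3: the Lumma config artefact (%AppData% expands to ...\AppData\Roaming).
            if path.lower().endswith(r"\appdata\roaming\lummac2\config.txt"):
                alerts.append(("lumma_config_artifact", e["host"], e["user"], path))
    return alerts


def containment_plan(alerts):
    """Playbook from the text: isolate host, revoke sessions, reset password (deduplicated, in order)."""
    plan = []
    for _rule, host, user, _detail in alerts:
        for step in (f"isolate_endpoint:{host}", f"revoke_sessions:{user}", f"reset_password:{user}"):
            if step not in plan:
                plan.append(step)
    return plan
```

Note that ws-103 (Chrome reading its own Login Data) and ws-105 (a normal browser launch) produce nothing, which is the point: the rules key on who touches the artefact and how the process was started, not on the file name alone.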

2. Identity and Access Management (IAM) Automation

  • Implement Passwordless Authentication: Replace passwords with FIDO2 security keys or Windows Hello for Business to eliminate credential theft risks.

  • Automate Access Reviews: Use Okta Workflows to deprovision inactive accounts monthly, reducing attack surfaces.

3. Secure Development Practices

  • Shift-Left Security: Integrate SAST/DAST tools like Checkmarx into CI/CD pipelines to detect vulnerabilities before deployment.

  • Containerise Sensitive Workloads: Isolate credential-heavy processes in Docker or Kubernetes, limiting infostealers’ lateral movement.

4. Incident Response Preparedness

  • Pre-Build Forensic Playbooks: Automate memory dump collection and VirusTotal submissions using Palo Alto Cortex XSOAR.

  • Conduct Red Team Exercises: Simulate infostealer campaigns to test detection rates and response efficacy.

The Future of Infostealer Defence

As infostealers evolve, data engineers should consider:

  • Zero Trust Architectures: Continuously validate device health and user identity before granting access.

  • AI-Powered Threat Hunting: Deploy tools like Darktrace to detect novel infostealer TTPs (tactics, techniques, procedures).

  • Collaborative Threat Intelligence: Share IOCs (indicators of compromise) with ISACs to disrupt malware distribution networks.

The Last Word…

The Australian banking breach underscores a universal truth: infostealers are not just an IT problem but a systemic risk requiring engineered solutions. By leveraging automation for threat detection, access control, and response, data engineers can transform enterprise security postures from reactive to resilient. In an era where one in four cyberattacks originates from infostealers, the time to act is now.

That’s a wrap for this week.
Happy Engineering, Data Pros