Consumers are being urged to check if their information has been stolen as Australia emerges as a “happy hunting ground” for cyber criminals after several high-profile data leaks.

Reports emerged this week that criminals are targeting thousands who have shopped with brands like Dan Murphy’s and The Iconic by using stolen data to access their accounts and spend up big.

The practice, known as “credential stuffing”, is being fuelled by millions of people having their personal information exposed in hacks of companies like Optus and Medibank, according to Geoff Schomburgk, a local cyber security executive with global authentication giant Yubico.

He said criminals see Australia as a “happy hunting ground” following the huge corporate hacks because it made personal data readily available to criminals looking to commit financial fraud.

“[The data breaches have] been on a massive scale. Millions of user credentials have been leaked out onto the dark web,” Schomburgk said.

“The information is out there and the cost of getting access is relatively cheap.”

Hackers ‘maximising’ stolen data

Cyber security company Kasada exposed the most recent spate of fraud earlier this week, with thousands of reports about people having their accounts compromised using information that had been stolen in other corporate hacks, including personal data and passwords.

Customers with companies like Dan Murphy’s, The Iconic, Event Cinemas, Binge, Guzman y Gomez and shopping network TVSN have all been affected, according to Kasada’s reports.

Edith Cowan University senior lecturer Dr Mohiuddin Ahmed said hackers are trying to “maximise” the financial gain from stolen log-in credentials by attempting to use them to access other accounts.

“If someone uses the same credentials that are in the hands of hackers via a data breach, it is highly likely that hackers will attempt to use those credentials to access different online accounts, such as social media, e-commerce and personal financial institutions,” he explained.

“[They] will have a field day if there’s no multi-factor authentication in place.”

Reports have emerged in recent days of Australians having purchases worth more than $1000 made on their online shopping or entertainment accounts, while leaked messages between fraudsters revealed by Nine Newspapers show criminals bragging about huge purchases.

Schomburgk said Australia has been caught unprepared by the waves of cyber crime that have hit major companies and households over the past year, initially through high-profile hacks of Optus and Medibank, and now as the consequences of that data being stolen become clear.

“We are giving away our basic identity information pretty much everywhere … the average person has well over 60 online accounts,” he said.

“You can simply buy that information on the dark web.”

How to protect yourself

The first thing you need to do to protect yourself from credential stuffing is check whether any of the passwords or log-in details you use have been compromised in the past.

The best way to do this, according to Ahmed, is to visit haveibeenpwned.com, which is a database of information that has appeared on dark web marketplaces after being stolen.

Ahmed also has some more general advice that can help prevent you from becoming a victim.

“It is imperative to always use a stronger password or even better a passphrase together with multi-factor authentication, especially for data breach victims,” he said.

Australians that use the same password across multiple services or businesses are also more vulnerable to credential stuffing because data stolen from one company could be used to compromise your account with another.

That means ensuring that your passwords are always unique is helpful, with Schomburgk explaining that third-party password managers can be useful to help manage details.