Security experts have found almost 100 compromised login credentials for staff at Australia’s Big Four banks.
Cyber intelligence firm Hudson Rock identified the stolen credentials through multiple data giveaways and illicit data sales tracked across the dark web and messaging platform Telegram.
The credentials reportedly belonged to contractors or current and former staff, and used corporate email addresses with domain names such as “anz.com.au” or “cba.com.au”.
"There are around 100 compromised employees that are related to those four banks," Hudson Rock analyst Leonid Rozenberg told ABC News.
The findings follow research by Sydney-based firm Dvuln which found that at least 30,000 Australian consumer banking passwords had been exposed over the last four years.
While Hudson Rock’s findings relate to only a fraction of this number, Rozenberg suggested the stolen staff credentials may pose a much greater risk.
"Technically, [attackers] need only one [log in] to do a lot of damage," Rozenberg said.
He added that exposed staff credentials could allow hackers to gain “initial access” and break into the banks’ systems, with a compromised staff account being akin to an “open gate”.
Rozenberg further told ABC News that once a hacker had used a stolen staff login, they could cause further damage by installing ransomware and stealing customer data en masse.
Old data, current risk
Notably, Hudson Rock’s findings did not come from a single data leak or dark web post but instead related to multiple sightings between 2021 and April 2025.
While the firm did not respond prior to publication when asked for more details about the timeframe of its findings, it told ABC News the approximately 100 staff credentials were harvested by “infostealer” malware planted on employee devices.
Infostealer malware works by siphoning valuable data (such as login passwords, credit card details, browser history and cryptocurrency wallet keys) and sending it to a central server where stolen information is typically stored in bulk.
With the malware often designed to be distributed indiscriminately, stolen data can lie dormant on an infostealer server until it is convenient for a hacker to sell their harvest, leading to situations where high-value credentials wind up sold among other, less valuable data.
While both multi-factor authentication and a strong password policy can reduce the chance of account compromise, Jamieson O’Reilly, founder of Australian information security company Dvuln, told Information Age password resets don’t remove the threat of persistent attacks.
“If you're not analysing full device exposure, you're not closing the door,” said O’Reilly.
Hudson Rock also found stolen credentials belonging to third-party businesses which service the Big Four banks, with Rozenberg suggesting hackers were targeting not only access to the banks themselves but also the external services the banks rely on.
ABC News reported the firm found more than 40 leaked third-party credentials relating to CommBank, more than 30 for Westpac, more than 100 for ANZ and more than 70 for NAB.
"[Attackers] also know that if they get inside the JIRA, or Salesforce, or Slack, the communication system that is widely used by different companies … they can get a lot of sensitive information," Rozenberg said.
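The triage Hudson Rock describes, identifying bank-related entries by corporate email domain and by the third-party services they log into, can be done mechanically over the plain-text dumps infostealers produce. The script below is an added example written for this article; it is not code from Hudson Rock, Dvuln or any bank. The sample log is constructed, the `westpac.com.au` and `nab.com.au` domains are assumed (the article only names `anz.com.au` and `cba.com.au`), and the SaaS host suffixes for Jira, Salesforce and Slack are assumptions about where those services are logged into.

```python
from urllib.parse import urlsplit

# Constructed sample in the "URL:username:password" layout that stealer
# "Passwords.txt" dumps commonly use. Every line is made up for this example;
# none of it comes from the leak the article describes.
SAMPLE_LOG = """\
https://sso.example-bank.internal/login:jane.doe@anz.com.au:Winter2024!
https://mail.google.com/:someone@gmail.com:hunter2
https://example.atlassian.net/login:contractor@cba.com.au:Qwerty!23
https://login.salesforce.com/:bob@vendor-example.com:Passw0rd
https://slack.com/signin:alice@westpac.com.au:Summer!2023
https://shop.example.com/account:user@example.com:letmein
not a credential line
"""

# Watchlist of corporate e-mail domains. The article names anz.com.au and
# cba.com.au; westpac.com.au and nab.com.au are assumed here for the example.
CORPORATE_DOMAINS = {"anz.com.au", "cba.com.au", "westpac.com.au", "nab.com.au"}

# SaaS services Rozenberg names as attacker targets (Jira, Salesforce, Slack).
# The host suffixes are assumptions about where those services are logged into.
THIRD_PARTY_HOST_SUFFIXES = ("atlassian.net", "salesforce.com", "slack.com")


def parse_entry(line):
    """Split one URL:user:password line. Returns None for lines that do not fit.

    Splitting from the right keeps the "https://" colon inside the URL. A
    password containing ':' would still be mis-split; that is a limitation of
    the dump layout itself, not something this parser can recover.
    """
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or "@" not in parts[1]:
        return None
    url, user, _password = parts  # the password is parsed and deliberately dropped
    host = (urlsplit(url).hostname or "").lower()
    return {"url": url, "host": host, "user": user.lower()}


def host_matches(host, suffixes):
    """True when host is one of the suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(entry):
    """Return the reasons an entry deserves an analyst's attention (empty if none)."""
    reasons = []
    mail_domain = entry["user"].rpartition("@")[2]
    if mail_domain in CORPORATE_DOMAINS:
        reasons.append("corporate account: " + mail_domain)
    if host_matches(entry["host"], THIRD_PARTY_HOST_SUFFIXES):
        reasons.append("third-party service: " + entry["host"])
    return reasons


def triage(log_text):
    """Filter a stealer dump down to the entries that hit either watchlist."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({"user": entry["user"], "host": entry["host"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["user"], "on", hit["host"], "->", "; ".join(hit["reasons"]))
```

The password field is discarded at parse time so that the triage output can be shared with an incident team without re-circulating the secret; what matters for response is which account and which service, not the value itself. A consumer Gmail login in the same dump is ignored, which is exactly the "high-value credentials among less valuable data" situation the article describes.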
Banks not safe from infostealers
Earlier this week, Dvuln reported at least 30,000 Australian consumer banking passwords had been siphoned by infostealer malware since 2021.
The Australian Signals Directorate (ASD) explained infostealers can be distributed through SMS and email phishing attacks, malicious downloads, false advertisements and pirated or cracked software, among other means, and further recommended awareness training as one of its leading mitigation measures.
While Australian consumer credentials appear significantly more vulnerable than their corporate counterparts, O’Reilly explained even high-security companies can be made vulnerable by infostealers.
“While Dvuln’s recent research focused on infostealer infections impacting everyday Australians – not corporate credentials – we work with organisations far more complex and in some cases more mature than the Big Four Banks,” said O’Reilly.
“One of our clients, a firm managing billions in digital assets, experienced an infostealer infection on a staff member’s home device.
“Despite the company promptly resetting the user's password, we demonstrated how an attacker could have used stolen authentication tokens and other data from that device log to laterally access sensitive customer environments.”
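The failure O’Reilly describes, and the one behind his earlier remark that password resets alone don’t close the door, is that an infostealer takes session cookies and authentication tokens from the device as well as the password, and a reset that leaves existing tokens valid leaves the attacker logged in. The example below is added for this article and is not code from Dvuln, its client or any bank; it shows a minimal HMAC-signed token scheme with two reset routines, one that only rotates the password and one that also bumps a per-account version that every issued token is checked against. The signing key, the `auth_version` claim name and the account store are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed server-side signing key; a real deployment would load this from a
# secret store rather than generate it per process.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AccountStore:
    """In-memory accounts plus an HMAC-signed session token scheme (example only)."""

    def __init__(self, key: bytes = SERVER_KEY):
        self.key = key
        self.users = {}  # username -> {"salt", "pw_hash", "auth_version"}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw_hash": self._hash(password, salt), "auth_version": 1}

    def issue_token(self, username: str, ttl: int = 3600) -> str:
        """Mint a token bound to the account's current auth_version."""
        claims = {"sub": username, "ver": self.users[username]["auth_version"], "exp": int(time.time()) + ttl}
        body = _b64(json.dumps(claims, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return body + "." + sig

    def verify_token(self, token: str):
        """Return the username for a valid, unexpired, unrevoked token, else None."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(_unb64(body))
        user = self.users.get(claims.get("sub"))
        if user is None or claims.get("exp", 0) < time.time():
            return None
        # Revocation check: a token minted before the last credential rotation
        # carries a stale version and is refused even though its signature is good.
        if claims.get("ver") != user["auth_version"]:
            return None
        return claims["sub"]

    def reset_password_only(self, username: str, new_password: str) -> None:
        """The incomplete response: the password changes, every issued token survives."""
        user = self.users[username]
        user["salt"] = os.urandom(16)
        user["pw_hash"] = self._hash(new_password, user["salt"])

    def reset_password_and_revoke(self, username: str, new_password: str) -> None:
        """The complete response: rotate the password and invalidate all tokens."""
        self.reset_password_only(username, new_password)
        self.users[username]["auth_version"] += 1


if __name__ == "__main__":
    store = AccountStore()
    store.create("jane", "old-password")
    stolen = store.issue_token("jane")  # what an infostealer would lift from the device
    store.reset_password_only("jane", "new-password")
    print("after password-only reset, stolen token accepted as:", store.verify_token(stolen))
    store.reset_password_and_revoke("jane", "newer-password")
    print("after reset with revocation, stolen token accepted as:", store.verify_token(stolen))
```

The same idea applies to server-side session stores (delete every session for the account on reset) and to OAuth refresh tokens (revoke them at the identity provider). Whatever the mechanism, the check in `verify_token` is the part a password-only reset misses: the credential the attacker actually holds after an infostealer infection is usually the token, not the password.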
When asked whether any recent data breaches had impacted staff credentials, NAB chief security officer Sandro Bucchianeri told Information Age the bank continuously monitors “open and dark web sources” for a wide range of potential threats, including compromised credentials and malware.
“Colleague and third-party credentials are changed regularly as standard and NAB has a number of controls in place to detect and prevent unauthorised access,” he said.
“Where threats are identified, including compromised credentials, we take action.
“This can include blocking accounts, changing credentials and advising the colleague or customer about how to protect themselves.”
A Westpac spokesperson likewise affirmed the bank had security measures in place to prevent unauthorised access to its systems in instances where employee details may have appeared online.
An ANZ spokesperson said the bank uses “a range of recognised industry practices, technologies, processes and defences including the education of our staff and customers, in collaboration with industry and government and a 24/7 security operations centre” to defend against cyber incidents.
CommBank did not reply prior to publication.