
Australian Retailer Blames Account Takeovers on Customers

The Iconic Says Password Reuse Led to Hacks, Plans to Refund Defrauded Customers

Australian fashion and sports retailer The Iconic has blamed careless customers for a spree of incidents that allowed hackers to access customer accounts and place orders worth thousands of dollars. The firm said customers made themselves easy targets by reusing passwords across multiple websites.


The Sydney-based online retailer said Thursday that an unauthorized third party had gained access to a number of customer accounts by using passwords stolen from compromised websites or obtained from the dark web.

"These unauthorized third parties know that customers often reuse the same login credentials across multiple websites or platforms. Where the compromised email address and password combination was the same as an ICONIC account, unauthorized access may have occurred," it said.

Operating since 2011, The Iconic sells products of more than 1,500 domestic and global fashion and sports brands in Australia and New Zealand. Luxembourg-based Global Fashion Group, which owns The Iconic, also runs e-commerce platforms Zalora, Dafiti and Lamoda in several regional markets.

Customers of the fashion retailer took to the retailer's official Facebook page this week to report suspicious orders worth thousands of dollars placed from their accounts, and some said that hackers had used the payment card information saved in the shopping platform to place the orders.

"My account was hacked, over $3,000 spent, and people just showed up to my house demanding the packages that were delivered here. My family's safety is compromised," a user wrote.

"My account got hacked, $4,000, and some of the products have been delivered to the person, and when I go to track the parcel I can see his full name and house address! I don't believe that The Iconic is reporting this person to the police either. He lives in Kensington, Melbourne!" wrote another customer.

"What kind of a joke is this company? Our accounts have been hacked. Over $1,000 spent on my husband's card and zero updates/information being given to those affected despite many, many follow ups," wrote customer Emma Cotter.

The Iconic said customers became aware of the hack after they had received order confirmation emails or shipping notifications or when they had detected changes to the personal payment method in their account. Hackers also locked many customers out of their accounts by changing account passwords or email addresses.

The company said the hackers could place orders from compromised customer accounts by using saved payment card details but could not view or access payment information. "THE ICONIC uses a third-party payment processor, which means that the full credit card number, expiry date and CCV are not stored within ICONIC accounts, or in our systems," it said. "Payment details cannot be accessed from within a customer’s ICONIC account."

The fashion e-tailer said it is investigating the fallout from the account takeover attempts with expert cybersecurity partners and has contacted affected customers to provide specific support based on their circumstances.

"Where fraudulent orders have been placed, we will attempt to cancel the unauthorized order prior to shipping. Where fraudulent activity has been identified, we will refund the affected customer," the firm said. "We have emailed all of our customers encouraging them to change their passwords. The security of our customers' information is of the utmost importance to us, and we continue to work with our expert cybersecurity partners to protect against fraudulent activity."

The Iconic said it had reset the passwords for all affected customer accounts and advised them not to reuse the same passwords across multiple websites and platforms, but it stopped short of requiring two-factor authentication to secure customers' online accounts. Some customers were not pleased with the company's move to pass the blame to customers.

"Why isn't there a two-factor authentication process in place? Allowing the email address and customer details to be altered should've required an email with a link to confirm," wrote a customer on The Iconic's Facebook page. "You didn't protect your customers' private details, yet we're made to feel like it's our fault as our details were in a data leak and our passwords needed to be changed. Wouldn't have happened if you had an extra layer of security."
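The article describes the attack pattern (email and password pairs leaked elsewhere, replayed against the retailer's login until some of them work) and the controls customers asked for. As an added example, not code from The Iconic or from the article, here is a small Python detector a defender could run over web login logs to spot a credential-stuffing source by its signature: roughly one attempt per distinct account, mostly failures, from a single client, with the few successes being the accounts that need a forced reset and step-up verification. The log format, the field names and the thresholds are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Credential-stuffing detector over web login events.

Added example, not code from The Iconic or the article. The log format,
the field names and the thresholds are assumptions; sample lines are
constructed, not real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. Assumed format per line:
#   <timestamp> <client_ip> <account_email> <outcome: OK|FAIL>
SAMPLE_LOG = """\
2024-01-09T10:00:01Z 198.51.100.7 alice@example.com FAIL
2024-01-09T10:00:02Z 198.51.100.7 bob@example.com FAIL
2024-01-09T10:00:02Z 198.51.100.7 carol@example.com OK
2024-01-09T10:00:03Z 198.51.100.7 dave@example.com FAIL
2024-01-09T10:00:03Z 198.51.100.7 erin@example.com FAIL
2024-01-09T10:00:04Z 198.51.100.7 frank@example.com OK
2024-01-09T10:00:04Z 198.51.100.7 grace@example.com FAIL
2024-01-09T10:00:05Z 198.51.100.7 heidi@example.com FAIL
2024-01-09T10:00:05Z 198.51.100.7 ivan@example.com FAIL
2024-01-09T10:00:06Z 198.51.100.7 judy@example.com FAIL
2024-01-09T10:01:00Z 203.0.113.5 alice@example.com FAIL
2024-01-09T10:01:20Z 203.0.113.5 alice@example.com OK
2024-01-09T10:02:00Z 203.0.113.9 mallory@example.com OK
"""

# Thresholds are illustrative; tune them against real baseline traffic.
MIN_ATTEMPTS = 8            # ignore sources with too little activity to judge
MIN_DISTINCT_ACCOUNTS = 5   # stuffing touches many accounts, not one
MIN_ACCOUNT_SPREAD = 0.8    # distinct accounts / attempts: ~1 try per pair
MIN_FAILURE_RATIO = 0.5     # most leaked pairs no longer work


@dataclass
class SourceStats:
    """Per-client-IP counters built from the login log."""
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)
    succeeded: set = field(default_factory=set)


def parse_line(line):
    """Split one log line into (timestamp, ip, account, success_flag)."""
    ts, ip, account, outcome = line.split()
    return ts, ip, account.lower(), outcome == "OK"


def aggregate(log_text):
    """Group login events by client IP and count attempts, failures and accounts."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, account, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if ok:
            s.succeeded.add(account)
        else:
            s.failures += 1
    return stats


def is_stuffing_source(s):
    """True when a source shows the stuffing signature: many distinct accounts,
    about one attempt each, and a high failure rate."""
    if s.attempts < MIN_ATTEMPTS or len(s.accounts) < MIN_DISTINCT_ACCOUNTS:
        return False
    spread = len(s.accounts) / s.attempts
    failure_ratio = s.failures / s.attempts
    return spread >= MIN_ACCOUNT_SPREAD and failure_ratio >= MIN_FAILURE_RATIO


def detect_credential_stuffing(log_text):
    """Return {flagged_ip: sorted accounts that logged in OK from that IP}.

    The successful accounts are the likely takeovers: candidates for a forced
    password reset, session invalidation and a verified-email notification.
    """
    stats = aggregate(log_text)
    return {ip: sorted(s.succeeded)
            for ip, s in stats.items() if is_stuffing_source(s)}


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"stuffing source {ip}: likely compromised accounts {accounts}")
```

On the constructed log the single bulk source is flagged with two successful logins, while the ordinary user who mistyped once and then signed in is not, because the detector keys on breadth across accounts rather than on a failure count alone. In production the same counters would be kept per time window and per source prefix, since stuffing tools rotate through proxies, and a hit would feed a step-up check (such as email confirmation of any address, password or payment change) rather than only a reset.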

Recently, DNA testing firm 23andMe blamed customers for "negligently" using the same passwords across multiple websites after a credential stuffing attack compromised genetic ancestry information of close to 7 million people.

The large-scale information theft led to at least 16 proposed U.S. federal class action lawsuits and questions from U.S. senators about the company's data protection practices and how hackers could carry out large-scale downloads of user data based on specific demographics (see: US Senator Quizzes 23andMe Over Credential-Stuffing Hack).


About the Author

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.
