The Iconic
Summary
The Iconic, a popular Australian and New Zealand online fashion retailer with over 2.1 million active customers, was hit by a wave of credential stuffing attacks in January 2024. Attackers replayed email-and-password pairs leaked in earlier data breaches at other companies against The Iconic's login page, took over customer accounts whose owners had reused those passwords, and placed fraudulent orders worth over $1,000 in some cases.
What Happened
In early January 2024, criminals used credentials stolen in previous breaches at other organisations (such as Optus and Medibank) to attempt to log into The Iconic customer accounts. Wherever a customer had reused the same password across services, the stolen credential matched, the attacker was logged in as that customer, and fraudulent orders were placed against the account's saved payment details.
This was not a breach of The Iconic's own systems: its infrastructure was not compromised. Credential stuffing succeeds against accounts whose owners reuse a password that has already leaked elsewhere, and the login form behaves exactly as designed for a valid credential, which is what makes the traffic hard to tell apart from ordinary customers. The retailer's own controls still decide how much damage a valid but stolen credential can do: login rate limiting and bot detection, multi-factor authentication, and a re-authentication or manual review step before an order ships to a newly added delivery address.
Some customers reported that fraudulent purchases had occurred as far back as November 2023, suggesting the credential stuffing campaign may have been ongoing for several months before widespread detection.
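Credential stuffing has a recognisable shape in authentication logs: one source cycles through many different usernames in a short time, almost all attempts fail, and the occasional success is a reused password. The detector below is an added example and not code from The Iconic or from the original page; the log format, field names, thresholds and the log lines themselves are constructed assumptions chosen to illustrate the pattern.

```python
"""Flag credential-stuffing sources in web login logs.

Added illustrative example (not The Iconic's code). The log format,
field names, thresholds and sample lines are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 sprays ten different accounts in a
# few seconds and lands two hits; 198.51.100.22 is one user mistyping a
# password; 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2024-01-04T02:13:01Z ip=203.0.113.7 user=alice@example.com result=fail
2024-01-04T02:13:02Z ip=203.0.113.7 user=bob@example.com result=fail
2024-01-04T02:13:02Z ip=203.0.113.7 user=carol@example.com result=success
2024-01-04T02:13:03Z ip=203.0.113.7 user=dave@example.com result=fail
2024-01-04T02:13:03Z ip=203.0.113.7 user=erin@example.com result=fail
2024-01-04T02:13:04Z ip=203.0.113.7 user=frank@example.com result=fail
2024-01-04T02:13:05Z ip=203.0.113.7 user=grace@example.com result=fail
2024-01-04T02:13:05Z ip=203.0.113.7 user=heidi@example.com result=success
2024-01-04T02:13:06Z ip=203.0.113.7 user=ivan@example.com result=fail
2024-01-04T02:13:06Z ip=203.0.113.7 user=judy@example.com result=fail
2024-01-04T09:40:10Z ip=198.51.100.22 user=mallory@example.com result=fail
2024-01-04T09:40:31Z ip=198.51.100.22 user=mallory@example.com result=fail
2024-01-04T09:41:02Z ip=198.51.100.22 user=mallory@example.com result=success
2024-01-04T10:05:44Z ip=192.0.2.9 user=oscar@example.com result=success
"""


def parse_line(line):
    """Parse '<timestamp> key=value ...' into a dict with a datetime."""
    ts_text, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    event["ok"] = event["result"] == "success"
    return event


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=8, min_fail_ratio=0.7):
    """Return {ip: stats} for sources that, inside any sliding window,
    tried at least `min_users` distinct accounts with a failure ratio of
    at least `min_fail_ratio`. Successes from a flagged source are listed
    as likely account takeovers to investigate."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if not e["ok"])
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # Report over the source's full history once it is flagged.
                findings[ip] = {
                    "attempts": len(events),
                    "distinct_users": len({e["user"] for e in events}),
                    "failures": sum(1 for e in events if not e["ok"]),
                    "likely_takeovers": sorted({e["user"] for e in events if e["ok"]}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

A per-IP threshold catches the naive case shown here. Real campaigns spread attempts across residential proxies so that each address stays under any per-IP limit, which is why production detection also watches the site-wide login failure rate, the number of distinct accounts per user agent or device fingerprint, and successful logins followed by a delivery-address change. The password-reuse root cause is only addressed by unique passwords and MFA on the customer side, as the retailer's advice below says.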
Impact on Individuals
The incident affected an unknown number of The Iconic's 2.1 million customers. Impacts included:
- Unauthorized purchases charged to saved payment methods
- Fraudulent orders for high-value items (some over $1,000)
- Delivery of purchased items to attackers' addresses
- Loss of control of the account itself (account takeover)
Angry customers inundated The Iconic's Facebook page with complaints about fraudulent purchases and frustration at delayed company responses.
The attack was enabled by earlier major Australian data breaches (Optus, Medibank, Latitude) in which customer data was exposed, combined with customers reusing the same email-and-password pairs across sites. It shows how a breach keeps paying off for attackers long after the original incident, as leaked credentials are traded and replayed against unrelated services.
Organisational Response
The Iconic stated that its teams were proactively intercepting unauthorized access attempts and canceling fraudulent orders. The company promised full refunds for customers affected by successful fraudulent orders, even though The Iconic was not directly responsible for the credential compromise.
The company encouraged customers to:
- Use unique passwords for each online service
- Enable multi-factor authentication where available
- Monitor accounts for suspicious activity
Broader Context
The Iconic was one of several Australian retailers targeted in coordinated credential stuffing campaigns in early 2024, including Guzman y Gomez, Dan Murphy's, and other major brands. The attacks highlighted how previous large-scale Australian data breaches continue to create security risks years after the initial incidents, as stolen credentials are reused across the internet.