The Iconic denies responsibility for data breach, promises to refund customers

Earlier this week, news.com.au revealed customers at Australia’s largest online retailer had reported a large number of hacking attempts and security breaches, with bad actors successfully compromising several accounts and placing orders without permission.

Customers reported huge amounts of fraudulent spending, sometimes amounting to thousands of dollars, while others said strangers had turned up at their houses to retrieve the stolen goods.

On Wednesday, The Iconic released a statement apologising for the breaches but said they weren’t the website’s fault.

“To our valued customers, we know you’re frustrated. You have every right to be,” the statement began.

The retailer went on to explain it was “aware” there had been fraudulent access to “a number of” its customers’ accounts but said they were “not as a result of a breach of any of The Iconic’s internal systems”

“These unauthorised third party login attempts used a technique known as ‘credential stuffing’ where the unauthorised third party used login credentials sourced through data breaches that are unrelated to The Iconic,” the retailer explained.

In a credential stuffing attack, hackers first steal personal information from compromised websites, phishing or dark web databases. Knowing customers often use the same login details for multiple websites, the hackers then try them on platforms that may not have been the source of the initial attack.

The Iconic said affected customers cannot have their payment details stolen because it stores this information with a third party. Thus, money can only be accessed via purchases made fraudulently at The Iconic.

“Please know that this is an ongoing investigation and we will continue to provide updates to any impacted customers to ensure they are kept informed,” the statement added.

The Iconic said it was working “as fast as possible” to intercept fraudulent orders and issue refunds, while cybersecurity experts moved to address the incident.

The company said it was working with customers who had already been in touch but will begin contacting others proactively.

“We are working with affected customers who notify us of unusual activity,” the statement said.

“We intend to directly contact customers whose accounts may be impacted as we continue to investigate the incident. We will provide specific recommendations to these customers and provide appropriate support.

“We have emailed all of our customers encouraging them to change their passwords and be vigilant.”

Refunds promised to affected customers

Previously, The Iconic pledged to refund customers who were affected by the breach, some of whom reported being left out of pocket by thousands of dollars.

Customers reported huge amounts of fraudulent spending, including one who said their account had been tapped to buy $524 worth of Instax camera film and another who said more than $1000 in purchases were made.

One woman said she had been attempting to contact the retailer for nearly a week but heard nothing in response.

“My account was hacked over $3000 spent and people just showed up to my house demanding the packages that were delivered here,” another woman said, adding she had called the police.

“My family’s safety is compromised!!!!!”