The Iconic promises to refund customers after scammers broke into their accounts using a simple password hack
One of Australia's largest online retailers, The Iconic, has promised to issue refunds after scammers broke into customers' accounts.
Numerous customers have reported losing thousands of dollars to fraudulent orders placed on The Iconic's online store since November, with some saying they were only affected on Monday.
In a statement released on Tuesday, the company, which has more than 2.1 million customers, strongly denied that its servers had been compromised, according to parent company Global Fashion Group.
The breach was the result of 'credential stuffing', where cybercriminals take logins and passwords stolen from other sites – often offered for sale on the dark web – and try them in bulk against a retailer's login page, relying on customers having reused the same password.
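The pattern described above leaves a recognisable trace in a retailer's authentication logs: one source address trying many different accounts in quick succession with mostly failures, followed by account changes and orders on the few that succeeded. The following is an added example (not code from The Iconic or Global Fashion Group) that runs that detection over constructed log lines; the log format, field names and thresholds are assumptions chosen for illustration.

```python
"""Credential-stuffing detection over constructed auth-log lines.

Added example, not The Iconic's own tooling. The 'TIMESTAMP key=value ...'
log format, the event names and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One attacker IP tries six different
# accounts within seconds, gets one hit, changes that account's email address,
# then places an order. Two legitimate users log in from their own addresses;
# one of them fails twice before succeeding, which must not be flagged.
SAMPLE_LOG = """\
2024-01-14T01:25:10Z ip=203.0.113.7 user=alice@example.com event=login result=fail
2024-01-14T01:25:12Z ip=203.0.113.7 user=bob@example.com event=login result=fail
2024-01-14T01:25:13Z ip=203.0.113.7 user=carol@example.com event=login result=fail
2024-01-14T01:25:15Z ip=203.0.113.7 user=dave@example.com event=login result=fail
2024-01-14T01:25:16Z ip=203.0.113.7 user=erin@example.com event=login result=fail
2024-01-14T01:25:18Z ip=203.0.113.7 user=natalie@example.com event=login result=success
2024-01-14T01:27:40Z ip=203.0.113.7 user=natalie@example.com event=profile_change field=email
2024-01-14T01:30:02Z ip=203.0.113.7 user=natalie@example.com event=order amount=620
2024-01-14T01:31:00Z ip=198.51.100.5 user=bob@example.com event=login result=success
2024-01-14T01:32:00Z ip=198.51.100.9 user=carol@example.com event=login result=fail
2024-01-14T01:32:20Z ip=198.51.100.9 user=carol@example.com event=login result=fail
2024-01-14T01:32:45Z ip=198.51.100.9 user=carol@example.com event=login result=success
"""


def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for source IPs whose
    login attempts inside any sliding window touch many distinct accounts with
    a low success rate. A single user failing a few times and then succeeding
    (a forgotten password) touches one account and is not flagged."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("event") == "login":
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, logins in by_ip.items():
        j = 0
        for i in range(len(logins)):
            # Extend the window [i, j) to cover every attempt within `window` of attempt i.
            while j < len(logins) and logins[j]["ts"] - logins[i]["ts"] <= window:
                j += 1
            win = logins[i:j]
            users = {e["user"] for e in win}
            successes = sum(e["result"] == "success" for e in win)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                flagged[ip] = (len(users), len(win), successes)
                break
    return flagged


def detect_takeovers(events, flagged_ips, grace=timedelta(minutes=30)):
    """For each successful login from a flagged IP, list the account actions
    (profile changes, orders) by that account within the grace period. These
    are the sessions to invalidate and the orders to hold for review."""
    hits = []
    for ev in events:
        if ev.get("event") == "login" and ev.get("result") == "success" and ev["ip"] in flagged_ips:
            actions = [
                e["event"] for e in events
                if e.get("user") == ev["user"]
                and e.get("event") in ("profile_change", "order")
                and ev["ts"] < e["ts"] <= ev["ts"] + grace
            ]
            hits.append({"user": ev["user"], "ip": ev["ip"], "login_at": ev["ts"], "actions": actions})
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = detect_stuffing(evs)
    print("flagged IPs:", flagged)
    for hit in detect_takeovers(evs, flagged):
        print("takeover candidate:", hit)
```

The per-IP check is only a first cut: real stuffing campaigns spread attempts across many proxy addresses, so the same windowed count should also be run per account (many distinct IPs against one user) and across the whole login endpoint (failure rate against baseline). The second function is the part that matters for refunds: a profile change or order that follows a login from a flagged address is the signal to step up verification, which is exactly the check the customer quoted below says was missing.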
Mother-of-one Natalie told A Current Affair she was charged $620 at 1.30am on Sunday while she was asleep.
After seeing the notifications from her bank, she tried to log into her account, but discovered that she had been locked out because the hackers had changed her account details without any verification step.
“They were able to do that because there is no multi-factor authentication on my Iconic account, so they were able to make changes to my account without my permission,” she said.
“Get started and improve your customer service, and also look at increasing your security on people's behalf.”
Large numbers of angry customers also complained on the fashion retailer's Facebook page and warned others of the danger.
“My THE ICONIC account has been hacked and over $1,000 is missing from my bank account,” one person said.
'Of course I can only talk to the bot which cannot immediately close my account. No one at The Iconic responds to me. This is a serious safety problem. Everyone delete your account information!!!!!!'
Another wrote: 'THE ICONIC, why didn't you inform your customers and the regulators that you were hacked/data breached?'
“You have numerous product review complaints about customer accounts being hacked and their credit card information stolen and used. Reviews indicate it has been going on for a few weeks, but OAIC has not yet been notified.
'The fact that you do not have an active telephone number that customers can call is unacceptable. You can't expect customers who have had their money stolen to just do a web chat.'
The company later sent an email to its customers urging them to change their account passwords and advising those affected to contact them for assistance.
“We have recently seen an increase in fraudulent login attempts for accounts on The Iconic, which our security and fraud teams continue to actively manage, working with our security partners,” the company said in a statement on Tuesday.
'The Iconic website itself has not been hacked.
“We are working with all customers to address these incidents, which are not the result of a data breach at The Iconic.
“The security of our customer data is of the utmost importance to us and we continue to work with our third-party security partners to protect against any fraudulent activity.”
Daily Mail Australia has asked The Iconic for further comment.