On 16 August 2025 Australia's second-largest internet provider, iiNet, identified a cyber-attack against one of its order-management systems. The hack was confirmed on Saturday, 16 August, but parent company TPG Telecom did not inform customers and shareholders until the following Tuesday. iiNet's order-management system is used to create and track services like NBN connections and contains only limited personal information. According to TPG and iiNet's forensic investigation, an unknown third party gained access after stealing account credentials from an employee, enabling unauthorised entry into the system.
What information was stolen?
The compromised system stored contact information used to set up or monitor orders. It did not contain copies of passports, driver's licences or banking details. Investigators believe the attackers extracted a list of about 280,000 active iiNet email addresses and roughly 20,000 active landline phone numbers. Approximately 10,000 usernames, street addresses and phone numbers were also taken and around 1,700 modem set-up passwords were accessed. Inactive email addresses and phone numbers were included in the stolen dataset.
Although sensitive financial or identity-verification data was not held in the system, the stolen contact details could still be used for targeted phishing or scam campaigns. For customers who used the same password for multiple services, the exposure of modem set-up passwords also increases the risk of unauthorised access to home networks if those passwords were reused elsewhere.
How did the breach occur?
Early investigations suggest that the attackers obtained stolen credentials from an iiNet employee. Using those credentials, they accessed the order-management system and extracted customer lists. TPG said that once the breach was confirmed on 16 August, it removed the unauthorised access and engaged external IT and cyber-security experts to determine the full scope of the incident. The company has apologised and is working with the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS) and the Office of the Australian Information Commissioner (OAIC).
Timeline of events
| Date | Event | Source |
|---|---|---|
| 16 Aug 2025 | iiNet detects unusual activity and confirms a cyber-incident. The company removes the unauthorised access and engages external cyber-security experts. | iiNet / Reuters |
| 19 Aug 2025 | TPG files a notice with the Australian Securities Exchange and publicly confirms that the hack involved about 280,000 email addresses, 20,000 phone numbers, 10,000 usernames/street addresses/phone numbers and 1,700 modem passwords. The information was extracted using stolen employee credentials. | ABC News / Reuters |
| 20 Aug 2025 | iiNet publishes an FAQ for customers detailing the nature of the breach, emphasising that identity documents and financial details were not accessed, and providing advice on how to protect themselves. | iiNet |
What is iiNet doing?
TPG and iiNet say that they removed the unauthorised access soon after discovering the incident and engaged external cyber-security professionals. They have also secured an interim court injunction prohibiting anyone from using or publishing the stolen data. iiNet has established a dedicated hotline (1300 861 036) for customers and is contacting affected and non-affected customers directly. The company is working closely with government cyber-security agencies and regulatory bodies to assess the breach and prevent similar incidents.
Steps you can take
Although only contact information was stolen, criminals may use it to send convincing phishing emails, texts or scam calls. Customers should:
- Be vigilant to suspicious communications – treat unexpected emails, texts or calls with caution and verify their authenticity before responding.
- Reset passwords – change the passwords for your iiNet account and any other service that uses the same password. Consider updating modem set-up passwords if you have not already done so.
- Use strong, unique passwords and enable multi-factor authentication wherever possible.
- Install up-to-date security software on devices and keep software patches current.
- Report suspicious activity to iiNet's dedicated hotline or the Australian Cyber Security Centre.
Consumer advocates such as the Australian Communications Consumer Action Network (ACCAN) stress that this incident highlights the need for businesses to strengthen data-protection practices and for customers to be alert to scams.
How Blue Moon IT can help
Large-scale data breaches underscore how vulnerable personal and business networks can be. Even though the iiNet incident did not include banking or identity documents, the exposure of contact details and modem passwords can be enough for criminals to launch phishing attacks or attempt to break into home networks. If you are concerned about your personal or business security, Blue Moon IT offers comprehensive network security services:
- Network assessment and hardening: We audit your home or office network to identify weak points and implement industry-best security controls.
- Password and authentication management: Our team can help you implement strong password policies, set up multi-factor authentication and securely manage credentials.
- Ongoing monitoring and support: We provide proactive monitoring and support to detect and respond to threats before they cause harm.
- Cyber-security training: Education is one of the best defences. We offer training to help you and your staff recognise phishing attempts and adopt safer online practices.
If you are concerned about your personal security, Blue Moon IT can help secure your home or business network. Contact us today to find out how our expert team can tailor a security solution to your needs.
By staying vigilant and partnering with trusted cyber-security professionals, you can reduce the risks posed by data breaches and keep your personal information safe.
Key Takeaways:
- iiNet cyber-attack affected approximately 280,000 email addresses and 20,000 phone numbers.
- Attack occurred through stolen employee credentials, not a direct system hack.
- No financial or identity documents were accessed, but contact details can be used for phishing.
- Customers should change passwords, enable MFA, and remain vigilant for suspicious communications.
- iiNet has established a dedicated hotline (1300 861 036) for affected customers.