CREDENTIAL STUFFING - UPDATED FAQs

1. WHAT HAS HAPPENED

We recently became aware of some suspicious activity in relation to a number of My Dan’s members' accounts. We immediately commenced an investigation to identify the impacted accounts and assess the impact of the suspicious activity. Our investigation concluded that an external threat actor gained access to certain accounts by using email and password combinations obtained from a source unrelated to Dan Murphy’s systems. This is known as credential stuffing. There is no evidence that this was due to a compromise of our system; it is likely due to a data breach of an unrelated third-party website where you may be using the same username and password combination.

 

Based on investigations to date we have no evidence of fraudulent transactions or suspicious changes to the information in the compromised accounts. 

 

2. WHAT INFORMATION WAS ACCESSED

We confirm the external threat actor may have accessed the following personal information appearing in My Dan’s accounts (as applicable): 

  • first and last name;
  • date of birth;
  • email address;
  • mobile number;
  • billing address / any previously used billing addresses;
  • delivery address / any previously used delivery addresses;
  • order history;
  • last 4 digits of any saved credit card (noting the full card number is hashed and the CVV is not stored); and
  • name and mobile number of any pickup nominee for past orders.

 

No identity documents such as passport or driver’s licence details have been accessed as these are not stored in a My Dan’s account.

 

3. WHAT HAS DAN MURPHY’S DONE IN RESPONSE TO THE SUSPICIOUS ACTIVITY

As soon as we became aware of the suspicious activity, we promptly acted to contain the breach and take remedial action by activating our incident response processes. Where unauthorised access was identified, we temporarily locked the impacted accounts. To unlock impacted accounts, customers should contact our Customer Service Team via live chat (8am - 9pm Monday to Friday, 9am - 9pm Saturday or 10am - 6pm Sunday) so we can help unlock their accounts and provide appropriate support to ensure their accounts are secured (see further below).

A formal notification to the Office of the Australian Information Commissioner (OAIC) will be provided within the required timeframe, and impacted customers have been emailed a notification in accordance with our regulatory obligations.

 

While Dan Murphy’s systems were not breached, we are continuing to investigate ways to further enhance the security of our My Dan’s members’ accounts. 

 

4. WHAT STEPS YOU SHOULD TAKE 

Unfortunately, this type of incident is increasingly common across all industries, both in Australia and globally. We recommend that you remain vigilant, and we reiterate that you should take the following steps:

  • Change your My Dan’s account password and the passwords for all your third-party online accounts, especially any accounts that use the same compromised credentials.
  • Don’t use the same password across any of your accounts. 
  • Ensure your passwords are over 8 characters in length and include a number, an uppercase letter and a special character, and are changed periodically. 
  • Verify all the information contained in your My Dan’s account. If any of your details are incorrect you should change them immediately. 
  • Monitor your bank and credit card accounts for any suspicious activity and inform the relevant organisation/s if you suspect any unusual activity.
  • Read the OAIC’s advice on protecting your identity: https://www.oaic.gov.au/privacy/your-privacy-rights/data-breaches#protecting-yourself-from-identity-fraud
  • Contact IDCARE at www.idcare.org/ for advice in relation to compromised identity information.
  • Visit www.cyber.gov.au/protect-yourself for advice on how to protect yourself online and up-to-date information on the latest online threats and how to respond.
  • Do not click on links or open attachments if you’re not sure that they are genuine.
  • Do not share your personal information over the phone or the internet unless you are certain about who you are sharing the information with.

 

5. HOW TO CHANGE YOUR MY DAN’S PASSWORD

  1. To reset your password on your My Dan’s account, head to the login page at https://www.danmurphys.com.au/ or to your My Dan’s app and click “I forgot my password”.
  2. You will see the “Reset your password” page. Enter the email address that you used to create your Dan Murphy’s account and click “Reset password”. You will see a confirmation message on your screen.
  3. You will also receive an email with a link to reset your password. In the email, click “Reset password”. You will see the “Reset Password” page.
  4. Enter your new “Password” and “Confirm password” and click “Reset password”. Go back to the Dan Murphy’s login page and log in with your new password.
  5. If you can’t access your account for any reason or are having any issues with or questions about changing your password, please contact My Dan’s Customer Service team. 
  6. More information about how to reset your password can be found at https://www.danmurphys.com.au/help/help-centre/articles/360001664995-How-can-I-reset-or-change-my-password

You should choose a strong password that has not been previously used on another account or site in combination with your email address login. We recommend you choose a password that:

  • is over 8 characters in length and includes a number
  • includes an uppercase letter and
  • includes a special character (i.e., % @ !)

You should also periodically update your password to help support your account security.

 

6. CAN I KEEP SHOPPING WITH YOU?

Yes. We recommend you change your My Dan’s password and then feel free to continue to purchase from your My Dan’s account. 

 

7. ARE MY CREDIT CARD DETAILS SECURE?

Your credit card details are securely stored in your My Dan’s account. If you have a stored credit card in your My Dan’s account it will be encrypted, except for the last 4 digits, and you will need to enter the CVV each time you place an order with your My Dan’s account.

 

8. HOW TO CONTACT DAN MURPHY’S

If you have any further questions or concerns you can contact our Privacy team at:

 

Email: privacysupport@edg.com.au

Contact number: 1300 780 674, between 9am - 6pm (AEST) Monday to Friday

Address: Endeavour Group Privacy Team - Level 1, 26 Waterloo Street, Surry Hills, NSW 2010

 

We value the trust of our members, and your privacy and account security continue to be our priority. You can read more about Dan Murphy’s Privacy Policy here

 

Thank you for your ongoing support. 

Updated 28 May 2024
