AAP
Jack Gramenz

'Inevitable' super hack a wake-up call on cybersecurity

Thousands of superannuation accounts were hacked in March in a coordinated cyber attack. (Jono Searle/AAP PHOTOS)

Retirement fund officials are frantically trying to understand how a massive cyber breach has occurred after thousands of superannuation accounts were targeted by hackers.

Experts have called for wider implementation of more complex security measures as individuals are warned to ensure their accounts are not easily accessed.

Thousands of superannuation accounts across multiple funds were targeted in March in a coordinated attack confirmed on Friday.

Experts say it was only a matter of time before hackers targeted super funds. (Dave Hunt/AAP PHOTOS)

Superannuation funds manage more than $4.1 trillion in assets on behalf of around 17 million Australians, according to the Association of Superannuation Funds of Australia.

With that much on offer it was only a matter of time before the funds were targeted, cybersecurity expert Paul Haskell-Dowland said.

"An attack on Australian superannuation was always inevitable, some would say overdue," the Edith Cowan University professor said.

It will prompt funds to review their security protocols.

"This is a clear warning shot that cybersecurity needs to be taken more seriously," he said.

Prof Haskell-Dowland is one of many cybersecurity experts to call for mandatory implementation of multi-factor authentication.

RMIT cyber security centre director Matthew Warren said funds could allow customers to opt out of authenticating their logins if it was unduly onerous, but that needed to change.

"Stronger multi-factor authentication should be implemented for every customer, with no exception," he said.

Super funds have been contacting members whose accounts have been targeted by hackers.

Hostplus, Rest, AustralianSuper and Australian Retirement Trust were among the funds hit in the attack.

AustralianSuper said hackers sought lump sum withdrawals from up to 600 accounts. (Lukas Coch/AAP PHOTOS)

The nation's biggest fund, AustralianSuper, said hackers allegedly sought lump sum withdrawals from up to 600 accounts.

Its more than 3.4 million members subsequently struggled to log in amid high call-centre traffic and intermittent outages to online services, as the fund assured customers who saw $0 in their balance it was a temporary glitch.

But multiple media outlets reported four customers had lost $500,000 between them as a result of the attack.

Other funds reported no losses, while some were still assessing the damage.

Funds urged members to check for signs of fraud, ensure banking and contact details are correct, and change passwords if they are not unique to their account.
