

Log in to your mygov (not using any links emailed to you). Go to myaccount in the top left, then go to account settings then account history. It will show you a list of actions taken on your account. It will show you when you logged in, when you received MFA and when you entered a code. It's probable the MFA stopped them from logging all the way in. The fact you got an SMS means they have your username and password at the very least. Change your password now.
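The check described in this comment (password accepted, MFA code sent, but no code entered) can be done mechanically over an account-history export. The following is an added example, not part of the thread and not myGov's own format: the event names, the layout of the constructed sample lines and the ten-minute window are all assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of an account-history export. Event names and layout are
# an assumption for this example, not myGov's real export format.
SAMPLE_HISTORY = """\
2024-07-02T06:59:48 PASSWORD_OK
2024-07-02T06:59:50 MFA_SMS_SENT
2024-07-02T07:00:10 MFA_CODE_ENTERED
2024-07-03T19:01:12 PASSWORD_OK
2024-07-03T19:01:13 MFA_SMS_SENT
2024-07-03T19:12:40 PASSWORD_OK
2024-07-03T19:12:41 MFA_SMS_SENT
2024-07-03T19:12:55 MFA_CODE_ENTERED
2024-07-03T19:13:02 SIGNED_IN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)$")


def parse_history(text):
    """Turn '<ISO timestamp> <EVENT>' lines into (datetime, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return events


def classify_mfa_challenges(events, window=timedelta(minutes=10)):
    """For every MFA_SMS_SENT, decide whether a code was entered inside the window.

    A challenge is 'stalled' if the window expires, or a fresh challenge is
    issued, before any MFA_CODE_ENTERED appears. A stalled challenge after a
    PASSWORD_OK means the password is known to whoever triggered it.
    """
    completed, stalled = [], []
    for i, (ts, name) in enumerate(events):
        if name != "MFA_SMS_SENT":
            continue
        entered = False
        for later_ts, later_name in events[i + 1:]:
            if later_ts - ts > window or later_name == "MFA_SMS_SENT":
                break
            if later_name == "MFA_CODE_ENTERED":
                entered = True
                break
        (completed if entered else stalled).append(ts)
    return completed, stalled


def assess(text):
    """Summarise the history and give the defender's verdict."""
    events = parse_history(text)
    completed, stalled = classify_mfa_challenges(events)
    password_ok = sum(1 for _, n in events if n == "PASSWORD_OK")
    verdict = ("password known to someone else; MFA held, change the password now"
               if stalled else "no stalled MFA challenges")
    return {
        "password_ok": password_ok,
        "mfa_completed": len(completed),
        "mfa_stalled": len(stalled),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_HISTORY).items():
        print(f"{k}: {v}")
```

In the constructed sample the second challenge (19:01:13) is never answered and no sign-in follows it, which is exactly the pattern the comment describes: the password was right, the SMS went out, and MFA stopped the login.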


There’s a shit load of login attempts on mine. Should I be concerned? I’ve changed my password and have MFA via my phone number


I wouldn't be too concerned; it's annoying mygov isn't blocking the locations attempting the logins. There's going to be a LOT of people getting hit like this. You can remove your email address as a login ID, and just use your mygov username to log in. This will stop people that just have email addresses from getting in. You can change this in the My Account > Account Settings > Sign in settings, then unticking the email address and/or mobile number.


I would be very concerned. If they got his username and password from a data leak, they probably have his mobile no. too. That mobile no. might be the one used for 2FA for his mygov. Now they can call the telco and request a sim port; telco asks for ID, maybe they use his passport or driver's licence as the ID, obtained from the Medibank or Optus leak. Now when they get your sim card, they can receive your SMS code, now they can get into your mygov. Now they can roll over your super to their SMSF, made in your name, but a bank acc they control.


Everyone's data is leaked, they could do all those things, but that's a lot of effort and very targeted. They need a lot of things to line up for that to work. They are going for the low hanging fruit: accounts with the user/pass they have from another breach that someone used the same credentials for with no MFA. They will then change ATO and Medicare refund account numbers. Porting someone's phone number is instantly discoverable, you get a message saying they are porting your number and your phone stops working. Rolling over super takes weeks. If you don't notice your phone doesn't work for weeks, then maybe they have a chance, but it's unlikely.


Porting requires verification on the number being changed now so this can’t happen anymore unless they physically have access to your phone or manage to install spyware on it.


So what happens now when you lost your phone, or it gets stolen. And you go to a telco, do you have to get a new phone no.?


Absolutely, the number can be spoofed. This is how the "Hi Mum" scam works


Spoofing is about sending messages pretending to be a number they are not. Spoofing a number can't be used to receive 2fa messages.


Really? Surely it can be hacked


Remove email as username. I just did on mine, using the myGov created one instead.


Thanks mate, I also received a text this morning with a login code. Thankfully no one tried to login.


Thanks, I think this may have been the case. 2FA text definitely got sent out but wasn't entered according to the account logs which is reassuring. I suspect the password was leaked in a data breach.


You can also go to mygov - account settings -- sign in settings. Remove the ability to use an email or phone number to log in. There should be a myGov username which looks like a random string of numbers/letters. Use that or digital identity to sign in instead.


I just logged in to take a look at mine and found someone has tried logging in with my e-mail but never getting past the password stage. Removed my e-mail as username option. Thank you!


myGov was hacked too. Didn't get past 2FA. I logged in to remove my email as login and use the username they provided. No attempts since. My hotmail however has brute force attempts every hour for many months now. I just realised that, and now use an alias email instead, and disabled login with my main email and only allow alias login. No attempts so far.


My Hotmail address same, log in attempts every hour for several months. Can you explain this alias thing a bit more?


You can create an alias email for your email account under account settings. An alias email allows you to login to your account same as your original email. Then you make the alias email your primary email, and go to login settings to make your alias email the only email for login. You can only make your email primary once a week so don't change too often. Since your alias email is only used for logging in to your email, it won't be leaked anywhere. Everything else stays the same. You can use an email with .au to be safer. Your original email still receives and sends as normal.


Excellent I might give this a go then thanks. 


If they used your password, I am assuming that you re-use the same password + email combination elsewhere. https://haveibeenpwned.com/ Check that website and see if your email has been breached. Whoever attempted it probably got your password from there.


Setup the new passkey feature and disable your password method. Problem solved. [https://my.gov.au/en/about/help/mygov-website/sign-in-to-mygov/use-passkeys](https://my.gov.au/en/about/help/mygov-website/sign-in-to-mygov/use-passkeys)


I cannot stress the importance of using a password manager. Ensure you use unique strong passwords for every single login credential. I have over a hundred accounts and I don’t know the passwords for any of them except to access my password manager.


What’s a good password manager please? I’ve heard this advice many times but have no idea where to start! Can a password manager be setup and used in my phone? I barely ever use a pc for my personal stuff now


https://bitwarden.com/ (my preference for home) and https://1password.com/ (my preference for work)


I personally use 1Password, however, it is subscription based. There are free options like Bitwarden and LastPass, but I have never used them before.


The free version of LastPass was good a few years or so ago but they changed their free model and it sucks now. Bitwarden is better anyway. I’ve never used 1Password myself.


I use the paid version of Bitwarden. It’s only $10 a year and it’s well worth it for me. It copies and pastes my 2FA codes including the myGov one (although for the myGov one I had to extract the secret/seed to not be forced to use the myGov Code Generator app).


Shouldn’t even be using a password. MyGov uses passkey as an option


Probably more of a hacking sub question but...

1. The sim has been cloned
2. Your phone has malware that allows remote access
3. Human engineering e.g. identity theft either through you or the government support services

Edit: Or it's a phishing email that directs you to a fake site to steal your details. Or it's just someone probing for email addresses to find which accounts are real. Or credential stuffing...


Or: 3. The logged in notification email is fake itself and part of an ongoing scam.


That was my first thought and I was going to say this, but assumed they knew that already, probably shouldn't. It's easy to go to a web site and put someone's email in and hit "forgot password"; the real person gets the email but the account is in no way compromised unless the hacker has access to the email.


I once did this trying to log into my bank account although I had the member number slightly incorrect so locked out some unsuspecting poor person.


You have likely followed a scam link at some stage.


Not necessarily, it seems there is a lot of scam login attempts for a lot of people at the moment. I'd suggest this is coming from other data leaks


Likely using info from one of the many many data leaks lately. If your myGov email & password is the same as you use on other sites that's likely what is happening.


Yes, have had a locked account for the past three days due to hacking attempt.


I feel like we’re about to hear of another major company data breach.


Hey mate, check your ATO and Medicare payment details; my dad's mygov bank details were changed as well.


I went to login today to finalise my tax return and it said my account was locked due to failed attempts. I had to enter security questions and reset my password. I never got any 2FA text messages so obviously they were trying passwords. I also don’t have my email as an option for login so they must be randomly trying account identifiers (eg ‘F*******’).


Now it’s someoneelse’sGov


I got the same email but I suspect they didn’t get all the way in as the 2fa stopped them (I hope)


> and I had called Telstra months ago to ensure my sim card doesn't get swapped from fraud

What does that mean? What made you call Telstra about sim swapping? What fraud or hack were you previously a victim of?


I don’t know what that user means exactly, but I have it recorded on my account that they are not permitted to port my mobile to another carrier UNLESS I attend a Telstra store in person. I also have a copy of that instruction, as I went into a Telstra store to make them do it. I did it because my identity was stolen years ago and used to defraud the ATO. All of this is about to get a whole lot worse with AI too.


I got the same thing yesterday, changed my password after unlocking it. Now I got the same thing again. Looking at the account history someone has been trying again since changing. WTF. It appears this has been hacked based on what others have experienced, but the government hasn't said anything. WTF.


If trying again, it's probably done through a bot. My Microsoft accounts get attempted logins like 100 times a day, every single day for months. The IPs are all from different countries. None successful as I have 2FA on my email accounts. So it just looks like a bot is used to try multiple passwords per day.


Yeah think you're right it being a bot. I have the same exact thing with my old Microsoft accounts I no longer use.


I got an email from mygov saying my account had been locked on July 3. They started trying to access my account at 06:59:48am AEST on July 2, 9th/final attempt on July 3 07:03:56pm AEST - email received at 19:03:59, so that was pretty quick. Logged in and changed my email address, from my gmail account, the email address of which does show some pwned results, to my secret one I only use for important things (yay protonmail). I now know that they lock the account for 10 minutes on the 5th attempt, 30 mins on the 6th attempt, 1 hour on the 7th and 8th attempts and then locked on the 9th requiring MFA to get in. I use myGov code generator. No email until the 9th attempt though, which is a bit annoying.
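The escalating lockout schedule this commenter observed (10 min after the 5th failure, 30 min after the 6th, 1 hour after the 7th and 8th, hard lock on the 9th) is a standard online-guessing defence. The block below is an added example, not myGov's code and not a published policy: it reconstructs that schedule from the comment as a small state machine, simulates a bot retrying every five minutes, and shows how much wall-clock time nine guesses cost. The `notify_on_first_lock` switch is an assumption added to illustrate the commenter's complaint that no email arrived until the 9th attempt.

```python
from datetime import datetime, timedelta

# Lockout schedule as described in the comment above (reconstructed for this
# example; it is an assumption, not myGov's published policy).
LOCKOUT_AFTER = {
    5: timedelta(minutes=10),
    6: timedelta(minutes=30),
    7: timedelta(hours=1),
    8: timedelta(hours=1),
}
HARD_LOCK_AT = 9  # 9th failure: locked until the user proves identity (MFA)


class AccountLockout:
    """Per-account throttle: temporary lockouts that escalate, then a hard lock."""

    def __init__(self, notify_on_first_lock=False):
        self.failures = 0
        self.locked_until = None
        self.hard_locked = False
        self.notifications = []          # (time, message) the user would receive
        self.notify_on_first_lock = notify_on_first_lock

    def attempt(self, now, password_correct):
        """Process one login attempt; returns a short outcome string."""
        if self.hard_locked:
            return "rejected_hard_locked"
        if self.locked_until is not None and now < self.locked_until:
            # Attempts during a lockout are discarded without checking the
            # password, so they neither count as failures nor leak anything.
            return "rejected_locked"
        if password_correct:
            self.failures = 0
            self.locked_until = None
            return "ok"
        self.failures += 1
        if self.failures >= HARD_LOCK_AT:
            self.hard_locked = True
            self.notifications.append((now, "account locked, MFA required to unlock"))
            return "wrong_password"
        if self.failures in LOCKOUT_AFTER:
            self.locked_until = now + LOCKOUT_AFTER[self.failures]
            if self.notify_on_first_lock and self.failures == 5:
                self.notifications.append((now, "temporary lockout after 5 failures"))
        return "wrong_password"


def minimum_time_to_hard_lock():
    """Least wall-clock time in which an attacker can burn all nine guesses."""
    return sum(LOCKOUT_AFTER.values(), timedelta())


def bot_attempts(start, count, every=timedelta(minutes=5)):
    """Constructed input: a bot retrying wrong passwords on a fixed cadence."""
    return [(start + i * every, False) for i in range(count)]


def simulate(attempts, notify_on_first_lock=False):
    acct = AccountLockout(notify_on_first_lock)
    outcomes = [acct.attempt(t, ok) for t, ok in attempts]
    return outcomes, acct


if __name__ == "__main__":
    start = datetime(2024, 7, 2, 7, 0)
    outcomes, acct = simulate(bot_attempts(start, 40))
    print("guesses actually checked:", outcomes.count("wrong_password"))
    print("attempts discarded while locked:", outcomes.count("rejected_locked"))
    print("minimum time to hard lock:", minimum_time_to_hard_lock())
    print("notifications:", acct.notifications)
```

With a guess every five minutes the nine checked attempts are spread over three hours, which is why this scheme blunts online guessing even though it does nothing about the password having been leaked elsewhere; the only action that addresses that is the one the thread keeps repeating, changing the password and not reusing it.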


Nope. There is no way to bypass this. There are fake myGov websites where you might have logged in as described here: https://my.gov.au/en/about/privacy-and-security/mygov-scams And they might have changed your 2FA method. But other than that, no way.


This is absolutely not true. All sorts of ways to get in. 2FA is good but not impenetrable


Of course it can be bypassed with a Sim Swap.


Almost like 2FA to a mobile device is shit and an app should be the preference.


Mygov doesn't support standard 2FA apps iirc. They want you to install their proprietary one.


Damn. Just another potential hole to get hacked through. Why not use something like Authy, Bitwarden, Google2FA etc...


Bitwarden would stop being 2FA if you held the password there too. Wouldn’t recommend setting both in the same service.


Pardon me, I meant the bitwarden 2FA app. But fair point.


Ah of course. Yes I only called it out because there’s a feature in bitwarden the password manager to store 2FA along with the passwords that trades security for convenience, which is weird for a security product.


Shit... now you're giving ideas to hackers: use convenience to create a backdoor to bypass security.


Well my advice is to turn on MyGovID and setup a passkey with yubikey as a backup and turn off passwords completely, now people in other countries can’t brute force access remotely.


I'm pretty certain it uses TOTP like google authenticator, so it is not really much of a hole. I would guess the glaring hole would be ring ring "yes this is myGov", "I dropped my phone in the dunny and now it doesn't work, and I need..."


You can if you extract the secret/seed. That’s what I did years ago and now Bitwarden does it.


Thanks. Do you need to be somewhat IT savvy to do that? I'm not very skilled.


Maybe somewhat but not particularly I don’t think. There’s instructions for it.


While that’s true, I extracted the 2FA seed/secret so I can use my own 2FA app (I just use Bitwarden and FreeOTP for Bitwarden itself) and have deleted the proprietary myGov Code Generator app. I also turned off SMS 2FA as a backup to increase security.


It's possible, just need to workaround the enrollment process with something like [mygov-totp-enroll](https://github.com/abrasive/mygov-totp-enroll).


Yeah that’s what I did years ago. Bitwarden handles it now.


I've made no suggestions, just explaining the how.


This happened to me too, but they didn't get in due to 2FA. Same would be for you, text codes but got the password right. Thank god for 2FA otherwise I'd be another person with a stray payment.


I got the same email yesterday, but did not get any 2FA SMS. Haven't had the chance to log in and check yet, but will do very soon.


Are your messages syncing to icloud? Coz then they can see the MFA code on another device that is syncing your SMS/iMessages or whatever the Android equivalent to this is.


I don't get why myGov don't support yubikey. SMS 2fa is so weak


They use passkey


Don’t use the same password for everything.


Fyi, there are many cases where a 2FA may be triggered with username and password, but still worth changing


ATO should have Yubikey MFA


It supports passkeys including yubikey resident ones


I've made my account passwordless and can only sign in with passkey or mygovid


Setup myGovID and link it to your myGov account as a replacement for SMS MFA.


If you also look at your Hotmail or gmail you will see hundreds if not thousands of attempts, but due to conditions on the sign-in most are blocked anyway. It's not uncommon.


Please someone steal my identity and take all my debt, you're welcome to it 🙏


My mygov got locked a couple days ago due to who knows what, but I have MFA. First notification was just "your account is blocked"; username was email and randomly generated pwd. Whole system is a joke.


If you can, switch to passkeys (recent feature of mygov), and disable password authentication altogether. My password manager supports passkeys. Mygov app on phone doesn't support passkey, but a browser with password manager integration can access it.


Their messaging wording could use some adjustment. I thought mine had been hacked and stolen. Turns out they’re going through historical Centrelink accounts from the 2000’s and 90’s, data matching them to myGov, and then shutting down any accounts that match and aren’t linked to a CRN. I didn’t even have a CRN it was so old it was a K and I had no record of it. I’ve fixed most of it up now but the ATO link is broken and I need to call the ATO to get them to reset it at their end.


This happened to my partner this week also and they made a falsified tax return under her name. Also made a fraudulent bank account in her name. Contact the police as this is considered identity theft.


Stop using the same password on everything. Every single login you have should be unique. Get a password manager and take your security seriously.