Dodo & iPrimus Hack: What You Need to Know

5 min read

In a concerning development for Australian internet users, Vocus Group has confirmed a security breach affecting more than 1,600 Dodo and iPrimus customers. The incident, which involved unauthorised access to customer email accounts and mobile services, is the latest in a series of cyberattacks targeting Australia’s major telecommunications companies.

This article breaks down what happened, who was affected, and what steps you can take to protect your personal information. We understand that news like this can be stressful, which is why we’ve compiled all the essential details to help you stay informed and secure.

What Happened in the Dodo and iPrimus Breach?

Vocus, the parent company of Dodo and iPrimus, announced it first detected "suspicious activity" within its email systems on a Friday. To contain the threat, the company took immediate action by temporarily suspending email services for Dodo and iPrimus customers and restricting them for Commander customers. (itnews)

According to a statement from a Vocus spokesperson, an initial investigation revealed that approximately 1,600 email accounts had been compromised. This led to a more serious issue for a smaller group of customers: unauthorised SIM swaps were performed on 34 Dodo Mobile accounts.

A SIM swap, or SIM jacking, is a type of account takeover fraud. Scammers gain control of a victim's phone number by convincing the mobile provider to transfer it to a SIM card in their possession. Once they control the number, they can intercept calls and text messages, including two-factor authentication codes, giving them access to sensitive accounts like banking and email.

Vocus confirmed it worked with the 34 impacted mobile customers to reverse the unauthorised SIM swaps and continues to monitor the situation closely. By Sunday morning, Dodo announced that email access had been restored for all affected users. However, as a precaution, customers were required to contact the telco to set a new password for their accounts.

Are You at Risk? Check Your Service Now

This recent incident highlights a concerning trend of security vulnerabilities across Australia's telecommunications sector. If you are a customer of Dodo, iPrimus, or even other providers, it is a crucial time to review your account security.

How to Check Your Dodo or iPrimus Account

If you are a Dodo or iPrimus customer and have not already done so, it is vital to secure your account immediately.

Reset Your Password: Even if you weren't directly notified, change the password for your Dodo or iPrimus email account as a precaution.
Enable Multi-Factor Authentication (MFA): Where possible, enable MFA on your email and other sensitive accounts. This adds an extra layer of security beyond just a password.
Monitor Your Accounts: Keep a close eye on your bank statements, email account, and phone service for any unusual activity. Report anything suspicious to your provider immediately.

A Pattern of Telco Security Failures

The Dodo and iPrimus hack forms part of a series of cyber incidents that have raised concerns about data security across Australia’s telecommunications sector.

The Optus Outage and Data Hack:

In September 2023, Optus experienced a major network outage that disrupted mobile and internet services nationwide, with reports of hundreds of failed Triple-0 emergency calls. The Australian Communications and Media Authority (ACMA) later launched an investigation into whether Optus had complied with its obligations under emergency-call regulations (ACMA, 2023).
This incident followed Optus’s 2022 data breach, which occurred between 17 and 20 September 2022. According to the Australian Communications and Media Authority (ACMA), Optus “failed to protect the confidentiality of its customers’ personal information from unauthorised interference or unauthorised access.” The regulator has since commenced Federal Court proceedings alleging that the breach could have been prevented (ACMA, 2024).
Optus confirmed the cyber incident in an official statement, noting that it involved unauthorised access to customer information and that affected individuals were being contacted directly (Optus Media Statement, 2022).

The iiNet Data Breach:

In August 2025, iiNet, a subsidiary of TPG Telecom, confirmed that an unauthorised third party had accessed its order-management system. According to the company’s official statement, the breach exposed approximately 280,000 active email addresses, 20,000 active landline phone numbers, and smaller amounts of other personal information such as street addresses and modem setup passwords. iiNet stated that no banking details, identity documents, or credit-card information were compromised. The incident was reported to the Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner (OAIC), and other relevant authorities (iiNet Media Statement, 2025).

These incidents underscore the importance of strong cybersecurity practices and open communication within Australia’s telecommunications sector. Vocus Group, the parent company of Dodo and iPrimus, has previously come under regulatory scrutiny. In 2020, the Australian Competition and Consumer Commission (ACCC) commenced Federal Court proceedings against Dodo and iPrimus for allegedly misleading customers about their NBN broadband speeds during busy evening hours. In June 2021, the Court ordered Dodo to pay $1.5 million and iPrimus $1 million in penalties, totalling $2.5 million.

At the time, the ACCC noted that Vocus was Australia’s fourth-largest broadband provider, with approximately 5.2% of the National Broadband Network (NBN) market (ACCC, 2021).

Your Next Steps to a Safer Connection

The Dodo and iPrimus hack acts as another reminder that we must all be vigilant about our digital security. While telcos have a responsibility to protect our data, there are proactive steps we can take to safeguard our personal information. Regularly updating passwords, enabling MFA, and staying informed are simple yet effective measures.