The international financial giant HSBC fell victim to a cyber attack using stolen credentials (credential stuffing).
According to the HSBC notice, the incident took place last month. The bank learned that unauthorized access to some user accounts was obtained between 4 and 14 October. The attack affected only HSBC customers in the United States, and only 1% of all American customers (the exact number of victims was not specified).
As a result of the incident, the attackers managed to steal the names, addresses and birth dates of users, as well as banking information such as account numbers and balance sheets, transaction history and recipient account numbers. Whether the stolen data was used for criminal purposes is not specified.
A credential stuffing attack relies on automatically trying passwords exposed in past leaks against the corresponding accounts. It is rather strange that HSBC clients could become victims of such an attack, since banks usually use two-factor authentication, and simple brute force should not work. This raises the question of why HSBC does not use two-factor authentication and, if it does, what the true cause of the leak is.
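The difference between credential stuffing and simple brute force shows up in authentication logs, and the sketch below separates the two per source address. It is an added example, not code from HSBC or from the original article; the log format, addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed log lines: '<time> <source IP> <username> <OK|FAIL>'."""
    lines = []
    for i in range(12):  # stuffing: one leaked pair tried once per account
        result = "OK" if i == 7 else "FAIL"
        lines.append(f"2000-01-01T10:00:{i:02d} 198.51.100.7 user{i} {result}")
    for i in range(12):  # brute force: many guesses against one account
        lines.append(f"2000-01-01T10:05:{i:02d} 203.0.113.9 bob FAIL")
    # ordinary customer who mistyped a password once
    lines.append("2000-01-01T10:06:00 192.0.2.44 carol FAIL")
    lines.append("2000-01-01T10:06:20 192.0.2.44 carol OK")
    return lines

def summarize(lines):
    """Aggregate attempts, failures, targeted and successful accounts per IP."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                 "users": set(), "hits": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # ignore malformed lines instead of failing
        _, ip, user, result = parts
        entry = stats[ip]
        entry["attempts"] += 1
        entry["users"].add(user)
        if result == "FAIL":
            entry["fails"] += 1
        else:
            entry["hits"].add(user)
    return stats

def classify(entry, min_attempts=10, min_fail_ratio=0.8):
    """Thresholds are assumptions; tune them against real traffic."""
    if entry["attempts"] < min_attempts:
        return "normal"
    if entry["fails"] / entry["attempts"] < min_fail_ratio:
        return "normal"
    # Stuffing spreads few tries over many accounts; brute force does the opposite.
    per_user = entry["attempts"] / len(entry["users"])
    return "credential_stuffing" if per_user <= 2 else "brute_force"

def detect(lines):
    """Map each source IP to (label, accounts that logged in successfully)."""
    return {ip: (classify(e), sorted(e["hits"]))
            for ip, e in summarize(lines).items()}

if __name__ == "__main__":
    for ip, (label, hits) in detect(build_sample()).items():
        print(ip, label, "successful logins:", hits)
```

Accounts listed as successful logins from a source labelled `credential_stuffing` are the ones to lock and reset first. A per-address count misses attacks spread across many source addresses, so the same aggregation is usually repeated over other keys such as client fingerprint or network range.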
HSBC sent relevant notices to customers whose accounts were affected by the attack and offered them a free credit history monitoring and identity theft protection service for one year.