HSBC has revealed that unauthorized third parties accessed some of its customers' accounts, in what appears to have been an incident confined to its US operations.
The UK lender explained in a customer message posted online by the California Attorney General's Office that the attacks lasted from October 4 to 14.
“When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account. You may have received a call or email from us so we could help you change your online banking credentials and access your account,” it stated.
“The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available.”
Fewer than 1% of HSBC’s US customers are believed to have been affected, and they are not limited to Californians.
HSBC said it has “enhanced” its authentication process, presumably to include some form of multi-factor log-in.
Experts agreed the hackers most likely used credential stuffing techniques to force their way into user accounts with previously breached log-ins, rather than effecting a more sophisticated central breach of HSBC’s IT systems.
“Consumers need to increase their vigilance. Reused passwords lost in one breach then become a free ticket to your other accounts,” warned Arxan Technologies VP, Rusty Carter.
“Consumers should employ unique passwords for every site and service they use and change them at least once a year, unless there’s a breach then of course sooner. Secure, paid service or locally run password managers make this easier in many cases than using a password you’ll remember.”
Jarrod Overson, director of engineering at Shape Security, said his firm sees over 232 million account takeover attempts at global financial institutions each day.
“Credential stuffing attacks against banks typically result in about one account takeover per 2,000 attempts, which sounds small but adds up to thousands of accounts over the course of a multi-day or multi-week attack,” he continued. “The damage doesn't stop there — the impact can easily extend to many other services including online retailers, gaming providers, airlines, and other financial institutions.”
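The pattern the experts describe, many breached username/password pairs replayed against a bank's login with roughly one hit per couple of thousand tries, is also what makes credential stuffing detectable on the defender's side: one source touching many distinct accounts with a very low success rate looks nothing like a customer retrying their own login. The following Python is an added example written for this article, not code from HSBC, Shape Security or Arxan. It assumes a hypothetical log line format of `<timestamp> <src_ip> <username> <OK|FAIL>`, and the login events it analyses are constructed inline for illustration; the thresholds are illustrative too and would be tuned per institution.

```python
"""Credential-stuffing detection heuristics over a constructed login log.

Added example for this article; not HSBC's, Shape Security's or Arxan's code.
Assumed (hypothetical) log line format: "<timestamp> <src_ip> <username> <OK|FAIL>".
"""
from collections import defaultdict


def build_sample_log():
    """Construct sample login events (not real data)."""
    lines = []
    # Source A: one IP tries 40 different usernames and succeeds once.
    # Many distinct accounts from one source with a low hit rate is the
    # signature of replaying a breached credential list.
    for i in range(40):
        result = "OK" if i == 17 else "FAIL"
        lines.append(f"2018-10-04T02:{i:02d}:00Z 203.0.113.7 user{i:03d} {result}")
    # Source B: a normal customer who mistypes once, then logs in.
    lines += [
        "2018-10-04T03:00:00Z 198.51.100.5 bob FAIL",
        "2018-10-04T03:00:20Z 198.51.100.5 bob OK",
        "2018-10-05T09:12:00Z 198.51.100.5 bob OK",
    ]
    # Source C: one customer who has forgotten her password entirely.
    # All failures, but against a single account, so not credential stuffing.
    lines += [f"2018-10-06T10:{m:02d}:00Z 192.0.2.9 carol FAIL" for m in range(5)]
    return "\n".join(lines)


def parse_log(text):
    """Parse lines into dicts; skip malformed lines rather than crash on them."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        ts, ip, user, result = parts
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def summarize_by_source(events):
    """Per source IP: attempts, distinct usernames, successes and success rate."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for e in events:
        s = summary[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        s["successes"] += int(e["ok"])
    return {
        ip: {
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            "successes": s["successes"],
            "success_rate": s["successes"] / s["attempts"],
        }
        for ip, s in summary.items()
    }


def flag_stuffing(summary, min_attempts=20, min_distinct_users=10, max_success_rate=0.05):
    """Return source IPs that look like credential stuffing.

    Illustrative thresholds: many attempts, spread over many distinct accounts,
    with a low success rate. A legitimate user retrying one account fails the
    distinct-user test; a bulk replay of a breached list passes it.
    """
    return sorted(
        ip for ip, s in summary.items()
        if s["attempts"] >= min_attempts
        and s["distinct_users"] >= min_distinct_users
        and s["success_rate"] <= max_success_rate
    )


def compromised_accounts(events, flagged_ips):
    """Accounts a flagged source actually logged into: the candidates for the
    access suspension and credential reset the article describes."""
    flagged = set(flagged_ips)
    return sorted({e["user"] for e in events if e["ip"] in flagged and e["ok"]})


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    summ = summarize_by_source(evs)
    bad = flag_stuffing(summ)
    print("flagged sources:", bad)
    print("accounts to suspend and reset:", compromised_accounts(evs, bad))
```

Run on the constructed log, only the list-replaying source is flagged: the customer who mistyped once and the one who failed five times against her own account both fall under the distinct-user threshold. The one account that source did get into is exactly the kind of record that drives the "suspend online access, then help the customer change credentials" response HSBC describes.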