International banking giant HSBC has reported that it was breached in October, as a result of a credential-stuffing attack.
In a notice [PDF] filed with the state of California, the bank said that it became aware of some online accounts being accessed by unauthorized users between October 4 and 14. The hack affected a segment of the bank’s U.S. customers — less than 1 percent of its U.S. client base, it told the BBC, though exact numbers have not been released. The incident exposed names, addresses and dates of birth, along with banking-specific information like account numbers and balances, statement and transaction histories, and payee account numbers.
“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” the bank said in a statement. “We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service.”
Further details on the breach – including whether funds were stolen from victimized accounts – have not yet come to light.
Credential-stuffing is not password guessing in the brute-force sense. Attackers take username-and-password pairs leaked in earlier, unrelated breaches and replay them, with automated tooling, against the login page of a target such as a bank. Each pair is typically tried once per target, so the attack succeeds only where a customer has reused the same password across sites; the per-attempt success rate is low, but the volume of leaked pairs makes it pay.
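The login pattern that distinguishes credential-stuffing from a classic brute-force attack is visible in ordinary authentication logs: one source tries many different accounts roughly once each, with a low but non-zero success rate, whereas a brute-force source hammers a single account. The following detector is an added example, not code from the article, HSBC or any vendor quoted here; the log format, the thresholds and the log lines themselves are constructed for illustration.

```python
"""Flag credential-stuffing sources in an authentication log and list the
accounts they managed to open.

Added example for illustration; the log format ("timestamp src_ip username
result"), the thresholds and the sample lines are all assumptions, not data
from the HSBC incident.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. 203.0.113.7 sprays twelve different accounts and gets
# into one (dave); 198.51.100.4 brute-forces alice; 192.0.2.9 is a normal user.
SAMPLE_LOG = """\
2018-10-04T02:00:01Z 203.0.113.7 alice FAIL
2018-10-04T02:00:02Z 203.0.113.7 bob FAIL
2018-10-04T02:00:02Z 203.0.113.7 carol FAIL
2018-10-04T02:00:03Z 203.0.113.7 dave OK
2018-10-04T02:00:03Z 203.0.113.7 erin FAIL
2018-10-04T02:00:04Z 203.0.113.7 frank FAIL
2018-10-04T02:00:04Z 203.0.113.7 grace FAIL
2018-10-04T02:00:05Z 203.0.113.7 heidi FAIL
2018-10-04T02:00:05Z 203.0.113.7 ivan FAIL
2018-10-04T02:00:06Z 203.0.113.7 judy FAIL
2018-10-04T02:00:06Z 203.0.113.7 mallory FAIL
2018-10-04T02:00:07Z 203.0.113.7 oscar FAIL
2018-10-04T09:15:00Z 198.51.100.4 alice FAIL
2018-10-04T09:15:10Z 198.51.100.4 alice FAIL
2018-10-04T09:15:20Z 198.51.100.4 alice FAIL
2018-10-04T09:15:30Z 198.51.100.4 alice FAIL
2018-10-04T09:15:40Z 198.51.100.4 alice FAIL
2018-10-04T09:15:50Z 198.51.100.4 alice FAIL
2018-10-04T09:16:00Z 198.51.100.4 alice FAIL
2018-10-04T09:16:10Z 198.51.100.4 alice FAIL
2018-10-04T10:00:00Z 192.0.2.9 peggy OK
2018-10-04T10:05:00Z 192.0.2.9 peggy FAIL
2018-10-04T10:05:30Z 192.0.2.9 peggy OK
"""

# Thresholds are assumptions for the example; tune them to real traffic.
MIN_ATTEMPTS = 8            # too few attempts to judge a source below this
SPRAY_RATIO = 0.8           # distinct users / attempts near 1.0 = one try per account
MAX_STUFFING_SUCCESS = 0.2  # stuffing succeeds rarely (Shape cites ~0.05% for banks)


@dataclass
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(ts, ip, user, result == "OK"))
    return attempts


def profile_sources(attempts):
    """Per source IP: attempt count, distinct accounts, successes and ratios."""
    per_ip = defaultdict(list)
    for a in attempts:
        per_ip[a.ip].append(a)
    profiles = {}
    for ip, rows in per_ip.items():
        total = len(rows)
        users = {r.user for r in rows}
        successes = sum(1 for r in rows if r.ok)
        profiles[ip] = {
            "attempts": total,
            "distinct_users": len(users),
            "successes": successes,
            "user_ratio": len(users) / total,
            "success_rate": successes / total,
        }
    return profiles


def classify(profile):
    """Label a source as credential_stuffing, brute_force or normal."""
    if profile["attempts"] < MIN_ATTEMPTS:
        return "normal"
    if (profile["user_ratio"] >= SPRAY_RATIO
            and profile["success_rate"] <= MAX_STUFFING_SUCCESS):
        return "credential_stuffing"
    if profile["distinct_users"] == 1 and profile["success_rate"] == 0:
        return "brute_force"
    return "normal"


def suspected_takeovers(attempts):
    """Accounts successfully opened from a source classified as stuffing.
    These logins look normal on their own; only the source profile exposes them."""
    profiles = profile_sources(attempts)
    stuffing_ips = {ip for ip, p in profiles.items()
                    if classify(p) == "credential_stuffing"}
    return sorted({a.user for a in attempts if a.ok and a.ip in stuffing_ips})


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ip, prof in profile_sources(parsed).items():
        print(ip, classify(prof), prof)
    print("suspected account takeovers:", suspected_takeovers(parsed))
```

The point of `suspected_takeovers` is that a successful stuffing login is indistinguishable from a legitimate one at the per-account level; it is the source's spray across many accounts that gives it away, which is why the detection has to be keyed on the source rather than on failed attempts against individual accounts.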
“From the organization’s point of view: credential stuffing seems like a suspicious explanation for a bank-account breach,” said Bryan Becker, application security researcher at WhiteHat Security, via email. “Generally speaking, banks require some sort of two-factor authentication, and that should stop any credential stuffing attack in its tracks. This begs the question of either: Why wasn’t HSBC using two-factor authentication, or, if they were, what was the real cause of the breach?”
However, Shape Security’s 2018 Credential Spill Report shows that the U.S. consumer banking industry loses up to $1.7 billion annually as a result of credential-stuffing; and that these attacks account for up to 58 percent of a consumer bank’s login traffic. In terms of granular stats, the report estimates that there are an average of 232.2 million malicious login attempts per day with a 0.05 percent success rate for the consumer banking industry, equating to 116,106 successful account takeover attacks every day, with an average of $400 stolen from an individual account.
“While HSBC did not report that passwords were included in the breached information, it is important to understand that credential stuffing attacks originate with the password for the account in question, so it should be assumed that those passwords have already been breached — just not by HSBC,” said Jarrod Overson, director of engineering at Shape Security, in an emailed media statement. “This is typical for account takeovers due to credential stuffing and, with over 7 billion credential records spilled since 2015, it’s reasonable to assume this could happen to just about anybody.”
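One control that follows from the point above is to screen passwords at login or registration against the spilled-credential corpora that stuffing attacks draw on, without sending the password itself to a third party. The following is an added example, not code from the article, HSBC or Shape Security: it implements the SHA-1 prefix (k-anonymity) lookup used by Have I Been Pwned's Pwned Passwords range API, but the "corpus" it queries is a constructed local stand-in for the API's response, so it runs offline.

```python
"""Check a password against a spilled-credential corpus via SHA-1 prefix
k-anonymity. Added example; the corpus is a constructed stand-in, not real
spill data, and the offline lookup replaces the real HTTPS range call."""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest: str):
    """First 5 hex chars are sent to the service; the remaining 35 stay local."""
    return hexdigest[:5], hexdigest[5:]


def build_fake_corpus(passwords):
    """Constructed stand-in for the service: maps a 5-char prefix to the
    'SUFFIX:COUNT' lines the range API returns for that prefix."""
    ranges = {}
    for pw, count in passwords.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}


# Constructed sample corpus (assumption for the example, not real spill counts).
FAKE_CORPUS = build_fake_corpus({"password123": 120000, "Summer2018!": 340})


def lookup_range(prefix: str) -> str:
    """In production this is an HTTPS GET of
    https://api.pwnedpasswords.com/range/<prefix>; here it is an offline
    dictionary lookup against the constructed corpus."""
    return FAKE_CORPUS.get(prefix, "")


def spill_count(password: str, fetch=lookup_range) -> int:
    """Number of times the password appears in the corpus (0 if unseen).
    Only the 5-char prefix leaves the host; matching on the suffix is local."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in fetch(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password123", "Summer2018!", "correct horse battery staple"):
        print(pw, "->", spill_count(pw))
```

The `fetch` parameter exists so the same function can be pointed at the real range endpoint; the service never sees more than a 5-character hash prefix, which is what makes it acceptable to query with customer passwords.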
HSBC has seen prior security incidents, including DDoS attacks in January and July 2016, and leaks of customer data in 2009 and 2015.