The international financial institution HSBC said it was breached in October. According to the company, names, addresses, transaction history, account information, and more were leaked.
In a notice [PDF] filed in the state of California, the bank stated that it had learned that some online accounts were accessed by unauthorized users from 4 to 14 October. The breach affected a segment of US bank customers (less than 1 percent of its US customer base), according to company statements to the BBC, but for the time being the company has not released exact figures.
The exposed data includes names, addresses, birthdates, account balances, transaction histories, and account numbers.
"HSBC deplores this and takes responsibility for protecting its customers," the bank said in a statement.
"We have warned customers whose accounts may have been tampered with, and we offer them a one-time anti-theft service in their transactions."
The breach appears to have been carried out with brute-force attacks. Attackers managed to find valid passwords through automated attempts with account credentials.
Bryan Becker, application security researcher at WhiteHat Security, said:
In general, banks require two-factor authentication, and this stops any attack using credential stuffing. So we have the question: Why did HSBC not use two-factor authentication, or, if it was using it, what was the real cause of the violation?