HSBC has admitted miscreants have probably made off with personal details of thousands of its online-banking customers.
The bank submitted paperwork [PDF] to the California Attorney General's office late last week outlining its plan to notify folks of the significant data theft. California law requires that the AG be notified whenever a computer security breach affects 500 or more residents in the US state.
HSBC would not give the exact number of online banking accounts crooks rummaged through, but it would say the hack affects "less than 1 per cent" of what reports estimate are 1.2 million US customers, meaning as many as 12,000 Americans could have had their personal information and account details fall into the hands of scumbags. Bear in mind, as we've seen with Equifax, that number may rise considerably.
The accounts were likely ransacked between October 4 and 14, this year, we're told.
"We are reminding our customers to protect access to their banking accounts by regularly changing their passwords, and by using unique passwords they are not using elsewhere, including on any social media accounts," an HSBC spokesperson told The Register.
That suggests the accounts were accessed using so-called credential stuffing, in which criminals exploit the fact people reuse the same usernames and passwords across many sites. The hackers may have obtained victims' login details from one website, and used them to log into HSBC online banking accounts that reused the same credentials.
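Credential stuffing leaves a recognisable trace in authentication logs: one source trying many different usernames in quick succession, most of them failing. As an added example, not anything from HSBC or the article, here is a small detector run over constructed login records; the log format, the thresholds and the IP addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, source IP, username, outcome); the
# stuffing source 203.0.113.7 cycles through leaked credentials, while
# 198.51.100.9 is one customer mistyping their own password.
SAMPLE_LOG = [
    ("2018-10-04T02:00:01", "203.0.113.7", "alice", "fail"),
    ("2018-10-04T02:00:02", "203.0.113.7", "bob", "fail"),
    ("2018-10-04T02:00:03", "203.0.113.7", "carol", "success"),
    ("2018-10-04T02:00:04", "203.0.113.7", "dave", "fail"),
    ("2018-10-04T02:00:05", "203.0.113.7", "erin", "fail"),
    ("2018-10-04T02:00:06", "203.0.113.7", "frank", "fail"),
    ("2018-10-04T02:10:00", "198.51.100.9", "grace", "fail"),
    ("2018-10-04T02:10:30", "198.51.100.9", "grace", "fail"),
    ("2018-10-04T02:11:00", "198.51.100.9", "grace", "success"),
]

def detect_stuffing(records, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, attempts, compromised_users)} for sources whose
    attempts within any `window` cover at least `min_users` distinct usernames with
    a failure ratio of at least `min_fail_ratio`. Successful logins inside such a
    burst are the accounts to suspend and notify, as the bank says it did."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in records:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()                      # chronological order per source
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                 # slide the window forward
            burst = events[start:end + 1]
            users = {u for _, u, _ in burst}
            fails = sum(1 for _, _, o in burst if o != "success")
            if len(users) >= min_users and fails / len(burst) >= min_fail_ratio:
                hits = sorted(u for _, u, o in burst if o == "success")
                flagged[ip] = (len(users), len(burst), hits)
                break                      # first qualifying burst is enough to flag the source
    return flagged

if __name__ == "__main__":
    for ip, (users, attempts, hits) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {users} usernames in {attempts} attempts; compromised: {hits}")
```

A genuine customer retrying their own password, as with 198.51.100.9 above, never trips the distinct-username threshold, which is what separates stuffing from ordinary failed logins.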
The data likely swiped from the online accounts looks to be highly sensitive and, if put to use by cybercriminals and identity thieves, could be extremely harmful to HSBC and its customers.
HSBC says the hackers would have been able to siphon off customers' full names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account types, account balances, transaction histories, payee account information, and statement histories.
Phishing gold, in other words: basically everything needed to hoodwink marks with carefully crafted emails, and nearly everything (minus the social security number) needed to steal someone's identity.
"HSBC became aware of online accounts being accessed by unauthorized users between October 4, 2018 and October 14, 2018," the bank will tell those whose details were likely nabbed during the cyber-raid.
"When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account."
HSBC says that "out of an abundance of caution" it is going to offer one year of free credit monitoring and identity protection to those who were affected. "We have enhanced our authentication process for HSBC Personal Internet Banking, adding an extra layer of security," it added.
It doesn't take an abundance of caution to realize that, if you receive a letter from HSBC, you should take them up on the offer ASAP, ask for a credit freeze, and keep a very close eye on your bank statements in the future. ®