HSBC Bank has filed breach notice paperwork with the California Attorney General's Office.
From the HSBC breach notification:
What happened in the HSBC breach?
HSBC became aware of online accounts being accessed by unauthorized users between October 4, 2018 and October 14, 2018. When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account.
What kind of information was accessed in the HSBC breach?
The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available.
The breach notice offers little beyond that information and details on how to sign up for free credit reporting.
However, the bank did give some additional information to The Register, which the publication believes gives insight into how the online accounts were breached:
"We are reminding our customers to protect access to their banking accounts by regularly changing their passwords, and by using unique passwords they are not using elsewhere, including on any social media accounts," an HSBC spokesperson told The Register.
That suggests the accounts were accessed using so-called credential stuffing, in which criminals exploit the fact people reuse the same usernames and passwords across many sites. The hackers may have obtained victims' login details from one website, and used them to log into HSBC online banking accounts that reused the same credentials.
See the HSBC breach notification letter PDF.
[MORE: How to create a password that's easy to remember but hard to guess]
