How Credential Stuffing Led to the HSBC Data Breach


Yesterday HSBC Bank publicly disclosed what appears, on the surface, to be a relatively minor data breach.

Based in the U.K., HSBC Bank announced unauthorized users gained access to a host of financial and personal information. In an official statement to customers, HSBC Bank said: “The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information and statement history where available.”

The accounts were illicitly accessed between October 4 and October 14 of this year. HSBC has taken steps to fortify their accounts since discovering the unauthorized access: “We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts.” HSBC Bank also suspended online access to prevent other unauthorized entries to affected accounts.

They added: “HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously. We have notified those customers whose accounts may have experienced [unauthorized] access, and are offering them one year of credit monitoring and identity theft protection service.”

HSBC stated that less than one percent of its U.S. customer base was affected by the data breach, which may be only about 14,000 people. Compared to some of the most prominent breaches of the past two years, this breach is small in sheer numbers.

So why does this data breach matter if so few people were affected? While it has not been definitively confirmed as of yet, the attack vector these hackers chose to access the HSBC bank accounts should matter a great deal to enterprises: credential stuffing.

In a credential stuffing attack, previously stolen or leaked usernames, passwords, or other personal data are exploited to access users’ other accounts on different sites, networks, or databases. This creates a cascade: each breach exposes more passwords, and those passwords enable further breaches in the future.

About 232 million credential stuffing attacks afflict financial institutions daily and about 1 in 2,000 are successful, according to Shape Security. Also at particular risk of credential stuffing attacks are hospitality, airline, and retail enterprises.

At its core, credential stuffing exploits credential and password reuse. Of course, according to identity management best practices, users shouldn’t reuse passwords and instead generate a unique password for every account. However, users continue to use repeated passwords quite frequently despite the warnings. Credential stuffing can severely harm your business, as users may reuse passwords to access their work accounts…including access to your most sensitive digital assets.

The HSBC data breach was relatively minor. However, a credential stuffing attack on your enterprise might not be as inconsequential. You need to take the steps to prevent such an attack from affecting your business:

  • Train your employees on the importance of secure authentication practices, and how they can participate in your identity security policies.
  • Ensure your employees and privileged users understand the dangers of repeated passwords.
  • Enforce a “unique password” culture in your enterprise, and prevent reused passwords on your employees’ accounts when possible.
  • Make access management and secure passwords a consideration in any employee’s promotion or raise discussions.
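The mechanism described above has a recognisable shape in authentication logs: one source walks a list of leaked credentials, trying many distinct usernames, failing almost every time, and occasionally getting in. The following is an added example, not code from the article or from HSBC, that flags that shape over a constructed sample log; the log format, thresholds and IP addresses are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (timestamp, source IP, username, outcome); not real HSBC data.
SAMPLE_LOG = """\
2018-10-04T09:00:01Z 203.0.113.7 alice FAIL
2018-10-04T09:00:02Z 203.0.113.7 bob FAIL
2018-10-04T09:00:02Z 203.0.113.7 carol FAIL
2018-10-04T09:00:03Z 203.0.113.7 dave OK
2018-10-04T09:00:04Z 203.0.113.7 erin FAIL
2018-10-04T09:00:05Z 203.0.113.7 frank FAIL
2018-10-04T09:00:10Z 198.51.100.2 alice FAIL
2018-10-04T09:00:20Z 198.51.100.2 alice FAIL
2018-10-04T09:00:31Z 198.51.100.2 alice OK
2018-10-04T09:05:00Z 192.0.2.5 grace OK
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, user, success)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try at least min_users distinct usernames within window.

    One user mistyping their own password repeatedly has one username and is not
    flagged. Returns {ip: {"attempts", "users", "successes", "hit_users"}}.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            by_ip[line.split()[1]].append(parse_line(line))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]
            users = {e[2] for e in span}
            if len(users) >= min_users:
                flagged[ip] = {
                    "attempts": len(span),
                    "users": len(users),
                    "successes": sum(1 for e in span if e[3]),
                    # accounts the source actually got into: candidates for lockout and reset
                    "hit_users": sorted(e[2] for e in span if e[3]),
                }
                break
    return flagged
```

The "hit_users" list is the actionable output: those are the reused passwords the attacker already has, so those accounts need a forced reset rather than just a blocked IP.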

Credential stuffing is the digital equivalent of thieves kicking in the door. Every reused password weakens your door all the more. Every unique password, on the other hand, can reinforce the door…and keep your valuables safe.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.