Credential Stuffing - HSBC Bank Alerts US Customers to Data Breach: Who is to blame?
HSBC bank is warning some of its U.S. customers that their personal data was compromised in a breach, although it says it's detected no signs of fraud. HSBC says the breach appeared to run from Oct. 4 to Oct. 14. After spotting the breach, the bank says in a notification announcement, it "suspended online access to prevent further unauthorized entry" to affected accounts.
The Telegraph reports that HSBC manages about 1.4 million U.S. accounts, meaning 14,000 customers may have been affected. While HSBC has released scant details, Woodward says this breach has all of the hallmarks of a "credential stuffing" attack. Such attacks involve criminals taking usernames, passwords or other personal data that has been stolen or leaked and using it to access a user's account with other sites or services. Millions of such leaked credentials have come to light.
The best defense against credential stuffing attacks is for users to never reuse a password on more than one site. Unfortunately, many users do reuse their credentials. "This is the underlying problem: People have said: 'Hey, I have a favorite password, it's my cat's name and this is the year that it was born; this is fantastic and I'm going to use it everywhere,'" says password security expert Troy Hunt.
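Seen from the bank's side, the attack described above leaves a recognisable trace in authentication logs. The following added example (not code from the article, HSBC, or anyone quoted; the log lines and IP addresses are constructed) flags source IPs that try many distinct usernames in a short window with few successes, and lists the accounts whose reused password actually worked.

```python
"""Flag credential-stuffing patterns in authentication logs.
Added example, not code from the article, HSBC or anyone quoted; the log lines
are constructed. Signal: one source IP tries many DISTINCT usernames in a short
window with a low success rate, the defender-side view of replayed leaked pairs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2018-10-04T01:00:00 203.0.113.7 alice LOGIN_FAIL
2018-10-04T01:00:02 203.0.113.7 bob LOGIN_OK
2018-10-04T01:00:04 203.0.113.7 carol LOGIN_FAIL
2018-10-04T01:00:06 203.0.113.7 dave LOGIN_FAIL
2018-10-04T01:00:08 203.0.113.7 erin LOGIN_FAIL
2018-10-04T01:00:10 203.0.113.7 frank LOGIN_FAIL
2018-10-04T01:05:00 198.51.100.9 alice LOGIN_FAIL
2018-10-04T01:05:30 198.51.100.9 alice LOGIN_FAIL
2018-10-04T01:06:00 198.51.100.9 alice LOGIN_OK
"""

def parse(log_text):
    """Yield (timestamp, ip, user, success) tuples from the constructed format."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"

def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, max_success_rate=0.2):
    """Return {ip: stats} for sources whose login attempts look like stuffing.
    A legit user retrying one account keeps distinct users at 1, so is not flagged;
    an attack spread thinly across many IPs stays under min_users per IP and evades
    this check, which then needs per-account or global failure-rate signals."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse(log_text)):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            successes = [u for _, u, ok in in_window if ok]
            rate = len(successes) / len(in_window)
            if len(users) >= min_users and rate <= max_success_rate:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(in_window),
                               "successes": len(successes),
                               "compromised": sorted(successes)}  # reused password worked
                break
    return flagged
```

Accounts listed under `compromised` are the ones to lock and force a password reset on, which mirrors the "suspended online access" step the bank describes.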
"This website B didn't necessarily do anything wrong, but now they've got to deal with the risk of ... an attacker logging in with a victim's credentials," Hunt said. "That's a really hard problem. Now, for the most part there was much support for this and clearly very many likes. But there was also a theme that popped up that needs addressing, and it boiled down to this: You're victim blaming."
J4vv4d, another well-known information security public figure, disagreed with Troy Hunt and thinks what we're lacking is proper awareness and cultural changes, like what happened with car safety. "If you’re like me and grew up in the 80’s, you’ll probably remember going on car trips without wearing seatbelts [...] Fast forward a few decades and it’s inconceivable that I would get in a car and not ‘clunk clink’ [...] But these behavioural changes took decades. There have been sustained awareness campaigns, coupled with increased enforcement to get to the point where it’s almost deemed socially unacceptable."