HSBC discloses security incident

Bank appears to have fallen victim to credential stuffing attack.

Banking giant HSBC disclosed on Monday a security incident that impacted an undisclosed number of the institution's customers.

"HSBC became aware of online accounts being accessed by unauthorized users between October 4, 2018 and October 14, 2018," the bank wrote in a data breach notification letter submitted to Californian authorities.

The bank said it suspended access to online accounts for all impacted customers and initiated procedures for changing passwords for online banking accounts. It also said it added "an extra layer of security" to HSBC accounts, but didn't go into details.

An HSBC spokesperson did not return a request for comment in regards to the number of affected customers, or if the attack impacted international users or US customers alone.

The security incident that HSBC described in its letter seems to fit the characteristics of brute-force password-guessing attempts, also known as a credentials stuffing attack. This is when hackers try usernames and password combos leaked in data breaches at other companies, hoping that some users might have reused usernames and passwords across services.

In its letter, HSBC confirmed that some of these attacks were successful and that attackers gained access to some customers details. Possibly exposed information includes full names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account types, account balances, transaction histories, payee account information, and statement histories.

For its part, the bank offered to pay for free credit monitoring and identity theft protection for all impacted users.

This is not the first security-related incident reported by the UK-based bank. HSBC was also the target of a prolonged DDoS attack in January 2016 and July 2016, and it also leaked customer data in April 2015 and March 2010.