Please be Aware: Credential Stuffing Attack

Credential Stuffing Attack

On the evening of February 17th, a significant Credential Stuffing Attack occurred that involved unknown parties trying to guess username and password credentials for Citadel Online Banking accounts. Citadel’s security defenses identified the attack promptly, and we were able to effectively defend our technical environment and members’ accounts.

This specific attack involved over 50,000 attempted logins from more than 37,000 different IP addresses. It is important to note that Citadel’s Information Systems have not been compromised and no member’s account was accessed in an unauthorized manner.

What is “Credential Stuffing?”

Credential stuffing is a cybercrime tactic in which criminals use login credentials that were previously exposed due to prior security events/breaches at organizations like Yahoo, Facebook, Door Dash, etc. The cybercriminals create a computer script with the list of exposed credentials and ultimately attempt to gain access to a website such as Online Banking.

How do I know if my account was involved?

Our system would have identified a failed login to your Online Banking account and you would have received an email advising of the log-in failure. After multiple failed log-in attempts, your account would be locked for security purposes. If you have any questions about whether this happened to you or not, please call us (800) 666-0191.

What can I do?

Cybercriminals are aware that consumers regularly use the same usernames and passwords for many of their online logins. To be safe, consider changing your passwords on all accounts and avoid repeating the same password for different logins. Citadel recommends making passwords as unique and complex as possible.