How Hackers Stole 200,000+ Citi Accounts Just By Changing Numbers In The URL

Details have emerged has to how hackers were able to steal over 200,000 Citi customer accounts, including names, credit card numbers, mailing addresses and email addresses. It turns out quite easily, in fact. All they had to do was log in as a customer and change around a few numbers into the browser’s URL bar, NYT reports. Facepalm.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else’s account.

So if the URL was something like citibank.com/user/12345, all you had to do was change it to citibank.com/user/123456 and you had access to all of their account information.

The hackers then used a simple script that automatically scraped all the account information, saved it, and then changed the numbers in the URL and repeated the process. Hundreds of thousands of times.

As someone who has been on the internet for a few years, this is a dead simple and common hack and Citi should have seen it and prevented against it. Seriously, this is kindergarten level stuff. Really, really stupid.

Thieves Found Citigroup Site an Easy Entry [NYT]

PREVIOUSLY
Report: Citi Knew About Credit Card Hack For Weeks Before Going Public
Breach: Citi Says Hackers Stole Hundreds Of Thousands Of Credit Cards

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.