Flagstar Bank in Michigan has notified more than 1.5 million customers that their information was accessed by threat actors in December 2021. The attack was not discovered until June 2022, at which point the bank immediately rolled out its incident response plan and began notifying customers of the breach. Beyond full names and Social Security numbers, the extent of the stolen information has not been released; however, the bank has already notified those affected. Along with changing passwords, the bank is also providing two years of free credit monitoring for all those affected. The attackers have not been identified, and there are no indications at the time of writing that any of the information has been used for malicious purposes. This is the second incident Flagstar Bank has suffered in 2021; in January 2021, the Clop ransomware gang breached the bank by exploiting a zero-day vulnerability in Flagstar’s Accellion FTA servers.
Anyone who learns that their data has been part of a breach should begin by changing the password for their account with the breached entity, as well as for any other accounts that use the same password. When sensitive details such as banking information may have been stolen, it is always a good idea to set up credit monitoring immediately in order to be notified of any new accounts opened using those details. Individuals who have been notified by Flagstar should set up their free credit monitoring as soon as possible and review their credit reports to ensure no suspicious accounts have been opened.