Hackers Leak Bank of America Database of 4 Million Customers

By Miklos Zoltan, 3 March 2023

Founder - Privacy Affairs

Hackers have released a database that allegedly contains account details of over 4 million Bank of America customers. The leaked data contains sensitive information such as account balances and card CVV codes.

Highlights

  • Hackers released a database allegedly containing sensitive information on 4 million Bank of America customers
  • Data includes user ID, first name, account balance, card expiry date, and card CVV code
  • No email or phone numbers leaked
  • Authenticity of the alleged leak cannot be confirmed

On March 2, on a popular hacker forum, cybercriminals published a database allegedly from Bank of America that contains information on 4 million customer accounts.

The hackers claimed that the database was obtained in January 2023 but have not revealed further information regarding the origin of the breach or how they managed to get their hands on the data.

They claim that the breach affects over 4 million customers and contains account information such as:

  • User ID
  • First name
  • Bank account balance
  • Card expiration date
  • Account type
  • Card CVV code

The database was uploaded on a popular hacker forum for anyone to download for free. We have analyzed the allegedly leaked data, and it does indeed seem to contain what the hackers claim.

Authenticity of the leak cannot be determined

However, we cannot determine the authenticity of the data and the leak, as the data contains no email addresses or phone numbers. While this prevents us – or anyone else – from authenticating the leak, it’s good news for potentially affected users, as without this data, the leak is rather “useless” for cybercriminals.

However, provided the breach and leak are legitimate, it’s not unlikely that the hackers simply opted not to release the more sensitive part of the data. They may decide to sell the complete database at a later date.

While the exposure of bank account balances, card expiration dates, and CVV codes is extremely serious, this information still cannot be associated with any individual person or card.

The data only contains first names, fortunately making it impossible to determine the account holder’s identity.

Card expiry dates and CVV numbers on their own are – again, fortunately – also useless without the complete card number and the account holder’s full name.

As such, while this alleged leak does seem extremely serious, it may, fortunately, turn out to be “harmless” (relatively speaking) and is unlikely to affect account holders in any way.

Of course, this assumes there is no additional data that the hackers simply have not released at this time.

As explained initially, it’s impossible to determine the authenticity of this alleged leak, as it’s impossible to reach out to the allegedly affected individuals.

We will update this story as more information emerges.

13 Comments

  • Pedro Hermida

    October 6, 2023 1:07 am

    Dear Miklos,

    I am an IT Pro serving very small businesses. Recently, I watched in disbelief how 2-step authentication based on code-via-text has been violated by actors for both Microsoft 365, hosted e-mail services, and Bank of America.
    Microsoft’s response was “to call the authorities”, taking no ownership that it is their method that is being circumvented. Bank of America even refused to provide customers the login logs with IP addresses of the connections made.
    I guess “they” will force us all to use authenticator apps … until they get violated too.
    Your take?

  • Anonymous

    September 30, 2023 5:07 am

    I was hacked as well. Over $1,400 went to Western Union. There IS a lawsuit against Western Union for fraud. Also, over $2,300 went to another company similar to Western Union. The money was going to names of people I have never heard of. Then 2 smaller charges for under $200 were also charged to my account. Another few cents were deposited to my account, which is someone trying to see if it will go through. Bank of America was so kind to me and credited my account for all the losses, admitting that my account was hacked and that it did not involve my debit card. I have not used my debit card in many years. All withdrawals were made out of my savings account, which should not have occurred without my approval. Just how did the hackers do it? Additionally, over $2,800 was attempted to be withdrawn from my account, but since the original activity in July 2023, a stop was placed on my account. I had lost consumer confidence, so I withdrew all my money from the bank. A block was placed on my account, so the bank refused the withdrawal and I lost no more money. But the withdrawal request had my name on it! They are very adept at pretending to be me! Change your password, change your debit card, withdraw all your funds if you can and open up an account at another bank. I have been with B of A for over 50 years, and nothing like this has ever happened to me. I feel bad that Bank of America has to absorb these losses. It is not fair, but I appreciate that Bank of America made the issue right and gave me all the necessary credits.

  • Anonymous

    September 26, 2023 4:37 pm

    Ok

  • 13inches

    May 13, 2023 9:11 am

    I have a BOA credit card I haven’t used in over two years. Since I never use this credit card, I felt no need to log in to the BOA bank website to check my credit card balance because I knew the balance was zero. Yesterday I received a voice mail from the BOA fraud department informing me of suspicious activity on my BOA account. Somehow thieves had gotten my user name and password and had logged into my BOA account and the idiots at BOA allowed the thieves to raise the credit limits on my card. Then the thieves attempted to buy $9,000 worth of equipment online using my BOA card. The BOA fraud department blocked the $9,000 purchase – so thus far I have lost no money – but this data breach is much more serious than this article indicates. The thieves have user names and passwords at BOA – and can log in to BOA accounts and raise credit limits and change e-mail addresses to addresses they control. BOA should contact all 4 million accounts that have been hacked, but it seems BOA is trying to sweep the whole breach under the rug. The fraud agent was intimating the hack could have occurred on my computer – which was next to impossible because I haven’t used the BOA card or even logged into BOA for two years. BOA is supposed to be a bank and banks are supposed to have excellent security systems in place – but BOA seems to not want to spend the money necessary to achieve the highest levels of internet security.

  • Jacqueline Williams

    May 10, 2023 5:32 pm

    My husband and I both banked with BOA for over 20 years; however, we are now with a credit union. Thanks to LifeLock, my husband just found out that someone tried to open a savings and checking account with his information at BOA, so they have his social security information that they got from the Bank of America breach. Thanks BOA, now all his information is out there!

  • randy moss

    April 21, 2023 9:01 pm

    I got hacked and they ran my card to the limit. Now all the things, memberships, bills, etc. I had tied to those accounts are getting shut down.

  • Anonymous

    April 20, 2023 4:01 pm

    “Authenticity of the leak cannot be determined”! Yes, it’s real. I just got hacked for the 4th or 5th time in the last 12 months! There’s something seriously wrong with BOA’s security. I’ve dealt with BOA for 20 years but may have to stop using their cards. It’s a pain ITA waiting for a new card, then changing all the merchant info. Meanwhile, I get dunned for non-payment on auto pay accounts!

  • Anonymous

    April 7, 2023 8:37 pm

    Yes I believe it, I was also affected

  • Victimoffraud

    April 1, 2023 12:34 am

    Last names, social security numbers, phone numbers, credit card numbers tied to the CVVs and expiration dates, account numbers, as well as everything else mentioned in the article have been released. They are posing as Bank of America fraud department and know exactly what to say. It is as though they have access to the accepted dialogue that the actual fraud department uses. It was as though I was actually talking to Bank of America. This was so intricate that it felt like an inside job. I reached out to the FBI.

    • Dirk Rockland

      July 10, 2023 10:18 pm

      Never reply to a link, phone number, etc. sent about an alert – they are provided by the scammers. Go DIRECTLY to the bank’s website, log in, and use only the phone numbers they officially provide.

  • Anonymous

    March 29, 2023 7:30 am

    My accounts were compromised. I am charged with recurring payments for medical insurance, internet services and gasoline services. That is every month since January. They do have all my info, enough to use it for recurring charges. They took my hard-earned money from sleepless nights working on the covid crisis that I risked my life with.

    • Bob

      July 10, 2023 10:21 pm

      …and why haven’t you called your bank and let them know? You’re not responsible for fraudulent charges, but you also have to be proactive, let them know, and get the account closed. Use only phone numbers and contact information directly from the bank’s website. Any email or text even if it looks legitimate may be suspect.

  • Anonymous

    March 28, 2023 2:54 am

    There is more information out there that was hacked. ATM bank cards are being used to purchase items as I type now. Trust me!
