Photo/Illutration The website of SBI Securities Co., Japan’s largest online brokerage (The Asahi Shimbun)

Japan’s largest online brokerage, SBI Securities Co., said on Sept. 16 a total of 98.64 million yen ($939,400) was stolen from six customer accounts after they were apparently hacked.

The money was siphoned into fraudulent accounts set up at Japan Post Bank and MUFG Bank, which a perpetrator opened under the same names of the SBI Securities customers, the company said.

The brokerage said it will fully compensate the customers and has reported the thefts to the police.

According to the company, a third party had somehow obtained information about the customers’ online accounts, including their passwords, and accessed them illegally between July and early September.

They then sold valuable securities in the accounts for cash and transferred the money into the fraudulent accounts at the banks--five accounts at Japan Post Bank and one at MUFG Bank.

The money transferred to those bank accounts has already been withdrawn.

Fake documents, including doctored health insurance certificates, were apparently used to open the bank accounts under the names of the customers who had accounts at SBI Securities.

The scam came to light when a customer noticed irregular transactions and alerted the brokerage about them on Sept. 7.

No evidence has yet been discovered that show its system was hacked, SBI Securities said.

But it believes the thefts occurred as a result of a “list-type account attack,” or credential stuffing attack. In this type of cyberattack, a perpetrator tries to gain unauthorized access by using IDs and passwords that have been compromised and leaked from other sites in the past.

People using the same ID and password for a long time and who reuse their passwords across other sites are susceptible to this kind of attack.

Experts say the accounts at SBI Securities may have been compromised because the brokerage allowed customers to set their passwords on their own.

Related News