Comment on Cybercriminals have stolen almost 100 staff logins at the Big Four banks, experts say
Cypher@lemmy.world 1 week ago
Basically cyber security researchers monitoring the dark web have found credentials in dumps belonging to bank staff. This is concerning, but it doesn't necessarily mean bank systems were directly compromised.
Staff members' personal devices may have been compromised by infostealers, not necessarily key loggers. Different malware, but basically with the same end goal.
Or they could have been the result of a phishing campaign. There are a range of tactics, techniques and procedures (TTPs) for credential harvesting used by threat actors (hackers).
Typically initial access brokers obtain the credentials and sell them to other criminals and sometimes provide a small set for free so potential buyers can validate before they buy.
Speaking of TTPs, that's what is alluded to when they say initial access, which is a Tactic under the MITRE ATT&CK framework.
attack.mitre.org/tactics/TA0001/
The bank's response that there are systems in place to prevent use of these stolen credentials is about more than just 2FA; it also covers conditional access policies, active monitoring, and cyber threat intelligence and response.
By the time this was published all identified accounts would have received forced password changes.
I have done cyber security consulting for one of the impacted banks, and I think the article is reasonably well researched but not as clear as I’d like for people unfamiliar with the topic.
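As an added illustration of the defensive workflow the comment describes (matching a dark-web credential dump against a staff directory, forcing password changes on affected accounts, and layering conditional access on top of 2FA), here is a small Python example. It is not code from the commenter, the banks, or the article; every account name, domain (`.invalid`), policy rule and dump line is constructed for the example, and the `url:user:pass` dump layout is an assumption about what such a log might look like.

```python
"""Constructed example: triaging a leaked-credential dump and enforcing
a conditional access policy. Not the commenter's or any bank's code."""
from dataclasses import dataclass

# Constructed sample of infostealer-style log lines, "url:user:pass".
LEAKED_DUMP = """\
https://staffportal.examplebank.invalid/login:alice.smith@examplebank.invalid:Winter2024!
https://mail.otherbank.invalid/owa:bob@otherbank.invalid:hunter2
https://staffportal.examplebank.invalid/login:carol.jones@examplebank.invalid:P@ssw0rd
https://shop.unrelated.invalid/account:dave@gmail.invalid:letmein
"""

# Constructed staff directory for the bank doing the monitoring.
MONITORED_DOMAIN = "examplebank.invalid"
STAFF_DIRECTORY = {
    "alice.smith@examplebank.invalid",
    "carol.jones@examplebank.invalid",
    "erin.lee@examplebank.invalid",
}


@dataclass(frozen=True)
class LeakedCredential:
    url: str
    username: str
    password: str


def parse_dump(text: str) -> list[LeakedCredential]:
    """Parse 'url:user:pass' lines. The URL contains ':' itself, so split
    from the right; a password containing ':' would need a richer format."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        url, user, password = line.rsplit(":", 2)
        creds.append(LeakedCredential(url, user.lower(), password))
    return creds


def match_staff_accounts(creds, directory, domain):
    """Keep only entries whose username is a known staff account of `domain`."""
    return [c for c in creds
            if c.username.endswith("@" + domain) and c.username in directory]


def remediation_plan(matches):
    """One action list per affected account: forced reset plus session revocation.
    Passwords from the dump are deliberately not carried into the plan."""
    plan = {}
    for c in matches:
        plan.setdefault(c.username, ["force_password_reset", "revoke_sessions"])
    return plan


@dataclass(frozen=True)
class SignIn:
    username: str
    password_ok: bool
    mfa_ok: bool
    device_managed: bool
    country: str


def conditional_access(event, compromised_accounts, allowed_countries=("AU",)):
    """Toy conditional access policy (constructed rules): a correct password
    alone never grants access. Returns 'block', 'require_mfa' or 'allow'."""
    if event.username in compromised_accounts:
        return "block"          # account is under forced reset until rotated
    if not event.password_ok:
        return "block"
    if event.country not in allowed_countries or not event.device_managed:
        return "block"          # unexpected location or unmanaged device
    if not event.mfa_ok:
        return "require_mfa"    # step-up before any session is issued
    return "allow"


if __name__ == "__main__":
    matches = match_staff_accounts(parse_dump(LEAKED_DUMP),
                                   STAFF_DIRECTORY, MONITORED_DOMAIN)
    plan = remediation_plan(matches)
    for account, actions in plan.items():
        print(account, "->", ", ".join(actions))
    attempt = SignIn("alice.smith@examplebank.invalid", True, True, True, "AU")
    print("sign-in with leaked password:", conditional_access(attempt, set(plan)))
```

The point of the two functions together is the one the comment makes: the match step turns a dump into a list of accounts to reset, and the policy step means that even a valid leaked password is refused when the account is flagged, the device is unmanaged, the location is unexpected, or MFA has not been completed.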