When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak and pathetic security. This has just become my new go-to example.
Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.
What that means is that if you were to look at the address in your bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:
One of the values in the "lots of other junk" area told Citibank who's account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Even when this kind of problem was new over a decade ago, it seemed pretty dumb for major websites to be this sloppy. To think that a site run by such a large (and rich) company would make this kind of mistake would be laughable if it weren't so contemptible.
Citi, TJX wants to thank you from the bottom of their hearts for finally doing something so stupid that we can forget about their horrible mistake (at least just a little).