I’ve never read that Citi was hacked. Target wasn’t hacked as much as an admin password was “found”, regardless they read passwords directly from databases, not through users password field entry.
People with privilege logging in remotely having their passwords captured was the root of the problem.
My daughter is finishing up her Masters in Computer Forensics and Security and got all this from a lecture she attended recently, beyond that I don't recall the specifics. I'll take her word as being correct, you take my word as being BS, we'll both be happy.