Latest news with #credentialStuffing

23andMe Could Owe You Up to $10,000 After Its Data Breach Settlement

CNET

3 days ago

  • Business
  • CNET


Hackers used a credential stuffing attack to gain access to 23andMe accounts in October 2023. (Image: Getty Images/Viva Tung/CNET)

Users of 23andMe could get paid as much as $10,000, as part of the genetic testing company's massive data breach settlement. 23andMe was struck by a prolonged data breach that allowed hackers to gain personal data for about half of the company's 14 million customers. The company has struggled ever since, filing for bankruptcy in March 2025; it is now being acquired by TTAM Research Institute, a nonprofit being led by 23andMe co-founder Anne Wojcicki, which outbid Regeneron Pharmaceuticals. 23andMe has already started to allow customers to file claims for their shares of the legal settlement related to the data breach.

The San Francisco-based company, which allows people to submit genetic materials and get a snapshot of their ancestry, announced in October 2023 that hackers had accessed customer information in a data breach. A January 2024 lawsuit accused the company of not doing enough to protect its customers and not notifying certain customers with Chinese or Ashkenazi Jewish ancestry that their data had been targeted specifically. It later settled the lawsuit for $30 million.

"We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all US claims regarding the 2023 credential stuffing security incident," a 23andMe spokesman told CNET. "We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement."

A few months after that decision, there's now an official method available to make a claim and potentially get paid by 23andMe, in some cases as much as $10,000. Keep reading to get all the details you need, and for more, find out why T-Mobile settlement checks have been delayed and discover whether you can claim a piece of Apple's Siri privacy settlement.

How many people did the 23andMe data breach hit?

The settlement could cover roughly 6.9 million 23andMe customers whose data was targeted. To qualify, 23andMe customers must also have been US residents as of Aug. 11, 2023. That 6.9 million number includes around 5.5 million customers of 23andMe's DNA Relatives profiles, which lets people find and connect with genetic relatives. The other 1.4 million people affected by the breach used another service known as Family Tree, which predicts a family tree based on the DNA users share with relatives, 23andMe said.

How much money could I get from the settlement?

At the top end, 23andMe has said it would pay out up to $10,000 with an "Extraordinary Claim" to each customer who can verify that they suffered hardships as a direct result of their information being stolen in the data breach that resulted in unreimbursed costs. This includes costs from "identity fraud or falsified tax returns," acquiring physical security systems, or receiving mental health treatment.

Residents of Alaska, California, Illinois and Oregon who were affected by the data breach can also apply for a payment as part of the proposed settlement, since those states have genetic privacy laws with damages provisions. The payments for these individuals are expected to be around $100, depending on how many people file for them, a settlement document said. Also, a smaller subset of affected users whose personal health information was impacted by the breach will be able to apply for a payment of $100.

(Infographic: Gianmarco Chumbe/CNET)

Will the 23andMe settlement include anything else?

Beyond those payments, 23andMe will also offer impacted users three years of a security monitoring service called Privacy Shield, which filings described as providing "substantial web and dark web monitoring."

How can I file a claim for the 23andMe settlement?

To file a claim electronically, you can use this official online portal from the Kroll Restructuring Administration. An additional online form is available if you would like proof of your claim sent to you. Potential claimants can also download and print out hard copies of the claim form and proof of claim form if they wish to submit them by mail. If you plan to use this method, send your forms to one of the addresses listed on the claims website. The deadline to make a claim is July 14. For more, you can read about how class-action lawsuits work.

You're Getting Lazy With Your Passwords and Hackers Love It. CNET Survey Finds 49% of US Adults Have Risky Password Habits

CNET

6 days ago

  • CNET


It feels like I have a password for everything: my bank account, my Amazon Echo Show and even my Netflix app. With so many different devices and accounts, coming up with unique, strong passwords -- and remembering them -- can be overwhelming. It's tempting to get lazy and use the same password for multiple accounts. It's a relatable move, and it's one scammers are counting on.

Using old passwords or including personal information in a new one is a big risk to your data and identity. Repeating passwords could open the floodgates to hackers getting access to more than just your Netflix account. Yet CNET's latest survey shows that almost half of US adults (49%) have risky password habits and 24% admitted to using a password that's shared with another account.

That's troubling to Attila Tomaschek, CNET software senior writer and digital security expert. "Reusing the same password across multiple accounts puts users at risk of getting their online accounts compromised through a credential stuffing attack," said Tomaschek.

There's not one particular password formula that will guarantee your information is safeguarded. However, there are steps you can take to protect your password and data as best as possible. Here are CNET's survey findings and what our experts recommend when creating or upgrading your password.

Key takeaways

  • 49% of Americans have risky password habits
  • 24% of US adults use the same password for more than one account
  • 25% of US adults use a random password generator, a practice CNET experts recommend

(Image credit: Cole Kan/CNET)

What password habits are putting us at risk?

CNET's survey found the risky password habits US adults most commonly turn to include reusing a password across different accounts or using personal data as part of a password. While 24% said they use the same password for different accounts, 8% admitted to using a password that they know was compromised in a data breach.

"If a malicious actor gains access to a user's login credentials on one account, they could use those same credentials to gain access to other online accounts that share the same credentials," said Tomaschek.

Read more: 184 Million Passwords Leaked for Google, Facebook, Instagram and More. How to Protect Your Accounts

US adults are also using personal information as a part of their passwords, including birthdays or anniversaries (15%), a pet's name (14%), part of the user's name (11%) or a family member's name (11%). Less common password practices include using a password that contains a previous or current street address (6%), a child's name (6%), a common sequence such as "1234" (5%), the word "password" (3%) or the name of a college or professional sports team (3%).

(Image credit: Cole Kan/CNET)

Using personal data in your password may help you remember your login, but it also makes it easier for hackers to access your account. "This is especially risky considering the wealth of information that many people share online through social media and other outlets," said Tomaschek. Creating a unique password for each account can minimize that risk.

How to create a strong password without forgetting it

Not all US adults have lazy password habits. CNET found that one-quarter (25%) of US adults go with randomly generated passwords when creating one, for example, from an online service or Internet browser. That's welcome news to Tomaschek, who said this is one of the safest options.

Randomly generated passwords are substantially more difficult to guess than a user-created password, Tomaschek said. "A good password generator will offer options for the user to customize the length of the password and whether numbers and symbols are incorporated," he said. "The longer and more complicated the generated password, the better."

However, a randomly generated password can be impossible to remember, so Tomaschek recommends using a password manager to store each of your unique passwords. CNET's top recommendation is Bitwarden.

Read more: No Password Manager? Learn How to Protect Your Online Accounts and Make Logging In Simple

The US Cybersecurity and Infrastructure Security Agency recommends making each password 16 characters or longer. Also, use a random mix of numbers, letters, special characters or words. If your password has been compromised, change it right away and keep an eye on any other accounts to make sure they're not impacted.

23andMe's Data Breach Settlement: Who's Eligible and Who Can Get $10,000

CNET

10-06-2025

  • Business
  • CNET


Hackers used a credential stuffing attack to gain access to 23andMe accounts in October 2023. (Image: Getty Images/Viva Tung/CNET)

Genetic testing company 23andMe was struck by a prolonged data breach that allowed hackers to gain personal data for about half of the company's 14 million customers. Since then, 23andMe has struggled, filing for bankruptcy in March 2025 and eventually being acquired by Regeneron. Now that the ownership situation has been settled, the company has begun allowing customers to file claims for their shares of the legal settlement related to that data breach.

The San Francisco-based company, which allows people to submit genetic materials and get a snapshot of their ancestry, announced in October 2023 that hackers had accessed customer information in a data breach. As a result, a January 2024 lawsuit accused the firm of not doing enough to protect its customers and not notifying certain customers with Chinese or Ashkenazi Jewish ancestry that their data was targeted specifically. It later settled the suit for $30 million.

"We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all US claims regarding the 2023 credential stuffing security incident," a 23andMe spokesman told CNET. "We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement."

A few months after that decision, there's finally an official method available for you to make your claim and potentially get paid by 23andMe, in some cases as much as $10,000. Keep reading to get all the details you need, and for more, find out why T-Mobile settlement checks have been delayed and see if you're able to claim a piece of Apple's Siri privacy settlement.

How many people were affected by the 23andMe data breach?

The settlement could cover roughly 6.9 million 23andMe customers whose data was targeted in the leak. To qualify for the proposed settlement, 23andMe customers must also have been US residents on Aug. 11, 2023. That 6.9 million number includes around 5.5 million customers of 23andMe's DNA Relatives profiles, which lets people find and connect with genetic relatives. The other 1.4 million people affected by the breach used another service known as Family Tree, which predicts a family tree based on the DNA users share with relatives, 23andMe said.

How much money could I get as part of the 23andMe settlement?

At the top end, 23andMe has said that it will pay out up to $10,000 with an "Extraordinary Claim" to customers who can verify that they suffered hardships as a direct result of their information being stolen in the data breach that resulted in unreimbursed costs. This includes costs resulting from "identity fraud or falsified tax returns," from acquiring physical security systems, or from receiving mental health treatment.

Residents of Alaska, California, Illinois and Oregon who were impacted by the breach can also apply for a payment as part of the proposed settlement, since those states have genetic privacy laws with damages provisions. The payments for these individuals are expected to be around $100, depending on how many people file for them, a settlement document said. Also, a smaller subset of affected users whose personal health information was impacted by the breach will be able to apply for a payment of $100.

(Infographic credit: Gianmarco Chumbe/CNET)

Will the settlement include anything else?

Beyond those payments, 23andMe will also offer impacted users three years of a security monitoring service called Privacy Shield, which filings described as providing "substantial web and dark web monitoring."

How can I file a claim for the 23andMe settlement?

In order to file a claim electronically, you can do so using this official online portal from the Kroll Restructuring Administration. An additional online form is available if you would like proof of your claim sent to you. Potential claimants can also download and print out hard copies of the claim form and proof of claim form if they wish to submit them by mail. If you're planning to use this method, send your forms to one of the addresses listed on the official claims website. The deadline to make your claim is July 14, 2025. For more, read this explainer on how class-action lawsuits work.

Password Attack — The North Face Confirms Data Breach

Forbes

03-06-2025

  • Business
  • Forbes


The North Face confirms data breach.

When it comes to outdoor apparel, fashion brands don't come much bigger than The North Face. When it comes to data-stealing attacks, hackers don't get it much easier than using credential-stuffing tactics. The North Face has now confirmed that just such an easy path has been taken by password attackers who managed to steal names, addresses, purchase histories and telephone numbers from affected customers. Here's what you need to know.

The North Face is a major player in the fashion industry, boasting an annual revenue of over $3 billion. It should come as no surprise, then, that it is on the radar of cybercriminals. The American retailer, part of the VF Corporation group, which also owns brands such as Dickies, Timberland, and Vans, has confirmed that it suffered a data breach on April 23. As data breach notifications begin to arrive for affected customers, it becomes possible to reveal what has happened.

Confirming that unusual activity was detected on The North Face website, VF Outdoor, LLC, said that 'an attacker had launched a small-scale credential stuffing attack' on April 23. A credential-stuffing attack is when a hacker who has access to usernames and passwords from previous breaches, and there are billions of these available online, uses them against other accounts. If your login details are shared across more than one site or service, you are at risk of such an attack. When one account is breached, all others using the same credentials can be compromised by a determined attacker.

'Hackers can get started with credential stuffing attacks by investing as little as $500 in credential stuffing software, access to email and password combo lists, and the use of both public and private proxy services for obfuscation,' Benjamin Fabre, CEO of DataDome, said.

The North Face disclosure stated that it quickly disabled passwords to halt the attack, and all users will need to create a new and unique password on the website if they have not already done so. 'We strongly encourage you not to use the same password for your account at our website that you use on other websites,' The North Face said.

Information that was compromised included: name, purchase history, shipping address, email address, date of birth and telephone number. However, payment information has not been compromised as a third-party provider handles all site payments.

I have reached out to VF Corporation for a statement regarding the password attack impacting customers of The North Face.
