credential stuffing
Coverage of credential stuffing in the Nexus archive.
- California sues 23andMe, alleging it failed to protect user data in 2023 breach
California’s attorney general sued Chrome Holding Co. (formerly 23andMe) for failing to protect user data in a 2023 breach affecting 7 million people. The breach, using credential stuffing from a 2017 MyHeritage data leak, allowed attackers to access 14,000 accounts and steal genetic data, health reports, and relative information, which was later sold on the dark web. The lawsuit seeks penalties and injunctions against the company for violating privacy laws.
- No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks
The cybersecurity industry has focused on sophisticated threats like zero-days and AI-generated exploits, but stolen credentials remain the most reliable entry point for attackers. Identity-based attacks, particularly through credential stuffing, are a dominant initial access vector in breaches.