Social Security numbers and passwords for more than 60,000 CAF beneficiary accounts have been leaked onto the Internet. Particularly sensitive data that is now at the mercy of cybercriminals…
Another blow for the Family Allowance Fund (CAF)! After a hack last February that led to the disclosure of 600,000 accounts on the Web (see our article), the organization is the victim of a major data leak. Indeed, Damien Bancal, computer security researcher of the blog Zatazhas discovered a mountain of information relating to CAF accounts on the Dark Web. The Social Security numbers and passwords of more than 60,000 French people have been revealed. Particularly sensitive data, exposing beneficiaries to serious risks…
CAF leak: Social Security numbers and passwords stolen
The theft of social security numbers is particularly worrying. Indeed, this unique identifier composed of 13 characters allows you to connect to the CAF, coupled with a password, but also to access health services and carry out most administrative procedures in France. In addition, it is impossible to modify it, as one could do for a compromised password.
Worse still, the hacker also managed to steal the passwords associated with the social security number, which gives those with the pair of identifiers plenty of time to connect to the CAF account of a French person and steal their identity, access sensitive information and modify bank details to divert the payment of benefits. In addition, the social security number can be used to carry out phishing campaigns – including by telephone.
Not to mention that the social security number can be used to access various public services – Ameli.fr and the tax website in particular – and to abuse certain systems such as FranceConnect. Because yes, with this shared identification system, a single identifier and password are enough to securely access more than 1,400 sites and services – connect to your Ameli account, apply for a passport on the ANTS website, access France Identité, the application containing a digital equivalent of the identity card, etc. (see our practical guide).
It remains to be seen how this data could have been recovered, as the CAF has not recently reported any hacking. Zataz teams are suggesting that it could have been recovered by malware specialized in collecting sensitive information, known as infostealers. This same hacker had previously released data that he had named “La Banque Postale” as well as access to several thousand French taxpayer accounts.