Posts with «author_name|katie malone» label

What is credential stuffing and how do you keep your accounts safe from it

Credential stuffing, or using compromised login information to take over accounts, has been around as long as we’ve used passwords to secure our accounts. But, perhaps in part because it's gotten easier for hackers to perform this type of attack, credential stuffing made headlines in recent months.

Look at the 23andMe breach affecting nearly 7 million users. While not every account was compromised via credential stuffing, it was how the hackers initially got in, and then they used a social feature called DNA Relatives to keep going. Hackers gained access to sensitive information like full names and locations, specifically targeting groups like Ashkenazi people, offering the data for sale in bulk online.

Hacking conjures an image of sophisticated, high tech break-ins, but what makes credential stuffing so lucrative is that it's surprisingly “pretty unsophisticated,” Rob Shavell, CEO of online personal information removal service DeleteMe, told Engadget. Hackers will use educated guesses to figure out your password, or just buy old passwords from leaks online to see if they work for different accounts. Tactics used by hackers include using personal information found online to guess passwords or asking a generative AI program to come up with usable variations on a password to get into an account.

Companies frequently fail to protect your data, sticking you with the burden of preventing credential stuffing attacks to the best of your ability. In fact, credential stuffing has become so prevalent that you’ve likely already fallen victim. Nearly a quarter of all login attempts last year met the criteria for credential stuffing, according to security company Okta’s 2023 State of Secure Identity Report, which surveyed more than 800 IT and security decision-makers across fields. Verizon's 2023 analysis of data breaches found that about half of breaches involved stolen credentials. Checking an email address on sites like Have I Been Pwned can show you which passwords may have been compromised, meaning if you’ve reused one on another account, it could be a matter of time until hackers try to use it to get in.

Credential stuffing works because we tend to stick to certain patterns when creating passwords, like using your mother’s maiden name or a childhood address, with small variations to make them easier to remember. “Because we’re lazy, and because we have 50 passwords now, it is the default to just pick one password and use it many places,” Steve Winterfeld, chief information security officer at cloud company Akamai, said. “The problem is you then are not taking appropriate risk measures.”

That level of risk varies widely. The one-off account you used to try out World of Warcraft years ago, and that doesn’t have any personal or financial information attached to it, probably doesn’t concern you. But hackers are betting you’ve reused an email, username and password for a more lucrative account, like your bank or social media, and they will use credential stuffing to get in. “I have one username and password that I use for things that I’m okay if they’re compromised … that would not financially or brand impact me,” Winterfeld said.

Minimizing the risks you’re taking online by using strong passwords will make it a lot more manageable to start protecting yourself against credential stuffing. Changing passwords frequently, or making the switch to passkeys, can also help. There are other ways you can protect yourself, too, as companies have made it clear that they’ll do anything in their power to shirk responsibility for protecting your information.

First, understand that once a credential is leaked, it can be used to gain access to other accounts, Frank Teruel, CFO at bot prevention firm Arkose Labs, said. So, change passwords for any accounts where you may have repeated it, especially high-profile targets linked to financial or other sensitive institutions. This is where a password manager comes in handy, because some will even flag if a password has been found in a breach and suggest that you change it to a stronger option.

Taking some time to purge accounts you no longer use will greatly reduce the number of password leaks to worry about, too, Teruel said. In the meantime, make it a habit not to reuse passwords or small variations on them, and to change passwords frequently to limit risk.
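As an added illustration of the defender's side of the attack described above, the following Python script is example code written for this page (not from Engadget or any of the companies quoted). It scans a constructed, hypothetical login log for the pattern credential stuffing leaves behind: one source address trying many different usernames in a short window with a low success rate. Accounts that did log in successfully inside such a burst are the ones a site operator would force a password reset on, which is the same "change it wherever you reused it" advice the article gives. The log format, the thresholds and the sample addresses are all assumptions.

```python
"""Credential-stuffing detector over a constructed login log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "key=value" web-login format.
# 203.0.113.5 sprays one guess at eight different accounts (stuffing burst);
# 198.51.100.7 is one user mistyping twice; 192.0.2.9 is ordinary traffic.
SAMPLE_LOG = """\
2024-01-08T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-01-08T10:00:03Z ip=203.0.113.5 user=bob result=FAIL
2024-01-08T10:00:05Z ip=203.0.113.5 user=carol result=OK
2024-01-08T10:00:07Z ip=203.0.113.5 user=dave result=FAIL
2024-01-08T10:00:09Z ip=203.0.113.5 user=erin result=FAIL
2024-01-08T10:00:11Z ip=203.0.113.5 user=frank result=FAIL
2024-01-08T10:00:13Z ip=203.0.113.5 user=grace result=FAIL
2024-01-08T10:00:15Z ip=203.0.113.5 user=heidi result=FAIL
2024-01-08T10:01:00Z ip=198.51.100.7 user=alice result=FAIL
2024-01-08T10:01:20Z ip=198.51.100.7 user=alice result=FAIL
2024-01-08T10:01:40Z ip=198.51.100.7 user=alice result=OK
2024-01-08T10:02:00Z ip=192.0.2.9 user=bob result=OK
2024-01-08T10:02:30Z ip=192.0.2.9 user=carol result=OK
2024-01-08T10:03:00Z ip=192.0.2.9 user=dave result=OK
this line is malformed on purpose and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, max_success_rate=0.2):
    """Flag source IPs that hit many distinct usernames with mostly failures.

    For each IP a sliding time window is moved over its attempts; the largest
    window that meets both thresholds becomes one alert.  'compromised' lists
    accounts that logged in successfully inside the burst (reset candidates).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()  # by timestamp
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = sorted({e[2] for e in win if e[3]})
            rate = len(successes) / len(win)
            if len(users) >= min_users and rate <= max_success_rate:
                cand = {"ip": ip, "attempts": len(win),
                        "distinct_users": len(users), "compromised": successes}
                if best is None or cand["attempts"] > best["attempts"]:
                    best = cand
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds (five distinct usernames within five minutes, at most a 20% success rate) are deliberately loose so the example stays readable; a production rule would also key on the user agent and on the ratio of never-before-seen usernames, because stuffing lists contain many accounts that do not exist at the targeted site.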

This article originally appeared on Engadget at https://www.engadget.com/what-is-credential-stuffing-and-how-do-you-keep-your-accounts-safe-from-it-190044846.html?src=rss

Toronto Zoo hit by a cyberattack, but don't worry, the hackers didn't go after the animals

Toronto Zoo disclosed a cyberattack on Monday, after first detecting it last week and working to mitigate the impact. The zoo reassured the public that the attack did not impact animal wellbeing and support staff, but it was still determining possible consequences for human visitors. 

Canada's largest zoo is investigating the attacker's motives and possible damage to its systems. It's unclear if any guest, member, donor or employee records were impacted. Toronto Zoo did, however, say it does not store any credit card information, so past visitors wouldn't have to worry about that. The zoo remains open for normal operations, and its website is still up and running. 

"Unfortunately, these incidents are becoming more and more common and we are grateful we took steps over the past few years to upgrade our technology infrastructure," Toronto Zoo said in a statement. It contacted the city, local police and third-party experts to help with its investigations.

But questions remain, like why would attackers target a zoo? Money usually motivates hackers, and the zoo does bring in a lot. Besides millions in donations for various projects and government grants, it also generates revenue from its 750,000 visitors each year.

Zoos have been a target of attacks in the past, too. A cyberattack hit ZooTampa in July 2023 and the Louisville Zoo in 2022, allegedly targeting visitors' personal information. In 2015, two dozen zoos in the United States faced a coordinated attack against a vendor going after visitor credit and debit card information. 

This article originally appeared on Engadget at https://www.engadget.com/toronto-zoo-hit-by-a-cyberattack-but-dont-worry-the-hackers-didnt-go-after-the-animals-161525188.html?src=rss

First American discloses a 'cybersecurity incident,' a few years after its major leak

First American, a real estate and mortgage financial firm, experienced a "cybersecurity incident" impacting operations, the company posted on its website on Thursday. The company has not released any details about what happened, but as of the time of publication, its website remained down. 

"First American has experienced a cybersecurity incident," says a statement on its website. "In response, we have taken certain systems offline and are working to return to normal business operations as soon as possible." First American did not immediately respond to a request for comment. 

In 2019, First American came under fire for its handling of sensitive information. It paid a $1 million fine to the New York State Department of Financial Services after a vulnerability in its proprietary "EaglePro" application left data like social security numbers and bank information exposed.

This article originally appeared on Engadget at https://www.engadget.com/first-american-discloses-a-cybersecurity-incident-a-few-years-after-its-major-leak-145141277.html?src=rss

QR code attacks probably aren’t coming for your scan-to-order menus

QR code-based phishing attacks appear to be on the rise. For this “new” hacking vector, someone gets a phishing email asking them to scan a QR code, that code redirects to a malicious link (usually to steal credentials) and an account takeover occurs. Local news organizations have warned the public to watch out, security leadership publications tell executives to be careful and security companies really, really want you to call it quishing.

To be fair, there have been some notable headlines about it lately. A large-scale version of this against an unnamed “major” US energy company went after Microsoft logins, according to a Cofense report in August. Security researchers have unanimously reported some level of uptick or spike in the attack vector this year. Even the Federal Trade Commission warned consumers of the dangers.

The fanfare around these attacks, however, mostly outweighs the threat of using QR codes in your daily life. Phishing has been, and will likely always be, a prevalent way to trap victims, and what we’re seeing when people talk about QR code attacks is just another way to do that. That’s why despite how the reports may generalize the dangers of QR codes as a whole, some common sense security practices that you already use to avoid phishing can help you avoid this tactic, too. Other, advanced QR-based attack vectors outside of phishing are likely too technically complicated and low reward for bad actors to attempt, or for you to worry about.

Phishing attacks that work by pointing a victim to a malicious link are incredibly common, and QR codes are essentially just another way to execute them. QR codes are “jumping into a security gap,” said Randy Pargman, director of threat detection at security firm Proofpoint. It forces a victim away from their computer and onto a cell phone or another device, adding a level of distraction. Plus, people are more likely to fall for a phishing link on a mobile device, according to Pargman.

The smaller scale makes it harder to tell what’s legit. For example, you can’t easily see a full link to point out discrepancies, and we generally tend to feel safer in our handheld world. Scanning a QR code on a phone takes a victim away from their computer. That could mean it has fewer security plugins installed on its browser that would warn you to stay away from suspicious sites, although more browsers have automatic protections against both. Or, if it's taking you from a work device to a personal device, a security team probably supports the computer, but not your cell phone, with extra protections in place to stop you from falling victim. But on the flip side, this is a lot less efficient for scammers to set up. It assumes the victim has access to two devices, rather than just clicking a link.

Plus, people tend to scan the QR codes, even if they’re from an unfamiliar source, because we’re so used to it, according to Fae Carlisle, principal security engineer at VMware Carbon Black. “People are regularly told to scan a QR code to show them a map of a place, to vote in a competition, to visit Instagram, etc,” Carlisle said. “Because of inherent trust, people go along with it.” Hackers seemingly saw this trend and figured out they could exploit it.

While the application of QR codes to phishing attacks is fairly straightforward, the hype around their use in other malicious vectors mostly ends there. Security professionals advise against scanning unknown QR codes, in the same way you shouldn’t plug a random thumb drive into your device. But, while you should always be on guard to protect against phishing attacks, you don’t really have to worry about using QR codes in your daily life because it’s still rare to see them used as a hacking tactic.

This matters because when we think of QR codes, we don’t usually think of getting them in emails. You’re probably more familiar with them from real world interactions, like a call to action on a flier or a scan-to-order menu at a restaurant. Looking at my own inbox and desktop, the instances of getting a QR code are few and far between, with maybe the exception of some multifactor authentication apps and cross-login for VPNs. Basically, for a hacker going after everyday targets, the less effort the better, and plastering a poisoned QR code all over physical space in the hopes someone will scan it is a whole lot of work, according to Pargman. Bulk sending phishing emails is just a heck of a lot more efficient.

While it’s also possible to imagine a link takeover situation, where the destination of legitimate QR codes is redirected to a malicious URL, that really hasn’t been seen yet. Not only is it a lot of effort, but it would require an attacker to identify a widely-used QR code. That would mean sourcing the code information, and then hoping it was worth the work. “Quishing” may be legit, but avoiding QR codes at all costs probably goes a step too far.

If something seems off about scanning a QR code, pause before proceeding. “If you're scanning a menu of the restaurant's and it's asking you to login to your Gmail account to access the menu, that's a highly unexpected step,” said Olesia Klevchuk, product marketing director at security company Barracuda Networks. “Those are the kinds of things we want to be on the lookout for.” But if you just want to learn more about an exhibit at a museum or have a contactless check-in at the gym, you probably have nothing to worry about.

This article originally appeared on Engadget at https://www.engadget.com/qr-code-attacks-probably-arent-coming-for-your-scan-to-order-menus-153006742.html?src=rss

Major apparel supplier behind North Face and Vans hit by cyberattack, disrupting its holiday fulfillments

VF Corporation reported in a Securities and Exchange Commission filing on Monday that it had been hit by a cyberattack. The company owns a slew of apparel brands, including Vans, North Face, Timberland, Dickies and more — and it warns the disruption could affect your holiday shopping. 

VF first noticed "unauthorized occurrences" on its IT systems on December 13, it said in a statement to Engadget. While it began to mitigate the damage, VF found that the hackers had encrypted some of its IT systems and stolen personal data. It's trying to come up with workarounds so that people can still buy from VF brands, but the $7 billion company said the attack messed with its ability to fulfill orders. 

"At this time, VF-operated retail stores globally are open, and currently consumers can purchase available merchandise, but VF is experiencing certain operational disruptions," a company spokesperson told Engadget on Monday. "At this time, consumers are also able to place orders on most of the brand e-commerce sites globally. However, the Company’s ability to fulfill orders is currently impacted." VF did not confirm who was behind the attack or provide additional details on what delays customers could experience.

The hack comes shortly after VF said it was experiencing financial headwinds at its quarterly earning meeting. It's still unclear whether customer data may have been impacted. 

This article originally appeared on Engadget at https://www.engadget.com/major-apparel-supplier-behind-north-face-and-vans-hit-by-cyberattack-disrupting-its-holiday-fulfillments-174055214.html?src=rss

Here’s everything you should do to up your security before next year

Be honest: How many times this year have you skipped or scrolled past a much-needed update? Maybe you just wanted to log into Twitter, er, X without setting up multifactor authentication. Putting off these minor inconveniences adds up, and it could lead to an insecure tech setup just waiting to be exploited by an attacker.

So, now you're probably spending a few days sleeping in your childhood bed, and wondering when Uncle Dave will stop talking to you about buying gold stocks. There's never been a better time to take care of the less-than-riveting admin work of locking down your digital life. Here's a quick holiday checklist you and your loved ones (including Dave) can spend an hour doing during your holiday downtime to set up for a more secure year.

Update all your apps and devices

For the most current patches and options, you’ll need to start this security checkup by updating all your devices and apps. The companies behind the tech have already done a lot of the work to keep you safe, but it’s your job to make sure that you’re taking full advantage of those updates. I’d recommend starting with operating system updates, then apps second, because there are usually new features in other software that rely on the latest OS. While you’re there, set up automatic updates so that you don’t have to worry about doing this manually in the future.


Sign up for or update your password manager

Strong passwords are your first line of defense to keep your accounts safe, but they’re almost impossible to memorize and keep track of. Download a password manager to store this information for you, so that your passwords can be unguessable gibberish that you’ll actually use. Long term, it’s important to change these passwords every 90 days or so, and never to repeat across accounts. A password manager will help remind you of that, and even generate new password ideas for you. Unique and regularly-changing passwords help prevent attacks like credential stuffing, as we’ve seen make headlines in the recent 23andMe data breach.

Make sure you’re using MFA or, ideally, passkeys

Strong passwords are important, but it's well-known that they aren’t enough to keep unauthorized actors out of your account. Most people are familiar with using a text message code to grant access to an account. If you’re taking time out of your day to set this up, however, I would recommend using a third-party authenticator app or a hardware key for more secure options. Or, for companies that have switched to allowing passkeys at login, that’s usually your best bet.

This will be one of the more tedious parts of the checklist, so if you can’t sit down and knock out your major logins now, at least push yourself to make these changes each time you log into a website over the next couple of weeks. Being stuck with family for the holiday might not be your preferred opportunity to make this change, but there's sure to be an upcoming major snowstorm or bout of seasonal depression just screaming to be harnessed for your technological well-being.

Consider a VPN, or at least a more secure browser

A strong VPN will keep your web browsing private. Whether it’s free or paid for, defaulting to using a VPN adds an extra layer of security to the work you’re doing online. Most have options to use it across different devices, or to run automatically on startup so that you can set it up once and forget about it. I would also recommend switching over to a secure browser like Tor that runs on a privacy-first platform for more sensitive online matters. Of course there’s a catch: VPNs and Tor can both slow down your browsing, or break certain website features. Updates to the services have helped over time, but even if you use it for just a portion of web browsing, some protection is better than none.


Get up to date on the latest hacks and attack vectors

Keeping up with security news will help you determine what accounts need special attention versus where you can go on autopilot. Once you know whether a breach may have occurred or a password has been leaked, you can quickly make changes to accommodate. Websites already exist to see if you’ve been in a data breach, and most companies have an obligation to tell you if they’ve been impacted. When you also stay up to date on the latest scams and attacks, you know what red flags to look out for in your own inbox to stay proactive.

Tell brokers to stop selling your data

It’s surprisingly easy to stop companies from trading your privacy for cash. On top of getting in the habit of not sharing your cookies or granting location data, you can opt out of working with the top three major data brokers. Acxiom, Oracle and Epsilon all have slightly different variations of the same form to fill out so that information like your home address and relatives’ names isn’t being sold for profit. This is a good start to getting your online privacy back; however, it can be more of a headache than just one opt-out form.

You have to do this frequently to make sure your information hasn’t been re-added to any of the broker sites, and if your information has already been sold to marketing companies, it’s too late to undo it. There are subscription service sites that can help track and continuously delete whatever information pops up for you, but starting with just Acxiom, Oracle and Epsilon will still be a free, worthwhile step toward more privacy.


Back up everything

Get an external hard drive or connect to the cloud and keep all of your data backed up. Do this regularly, so that even if your device quits or gets ransomed by an attacker, you aren't completely screwed. I’d recommend opting for something that can be set up automatically, so that you don’t have to keep constant track of it. That could look like spending the 99 cents per month on extra iCloud storage (or Google Drive or another in-house cloud tool) so that your phone gets backed up each night while you’re asleep. Windows and Mac both do automatic backups to an external drive on desktop, too, so you can set it and forget it.

Alternatively, you could install backup software onto a device so that it’s taken care of by a third party, but that may be less intuitive to set up. Just don’t forget to clean up your data storage every once in a while, too, so that you’re not holding onto useless screenshots or pictures of your ex from years ago that are taking up valuable space.

Make a plan to check in on your security settings more frequently

It’s overwhelming to play catch up. Going through a list like this can seem intimidating if you haven’t worried about it before. If you set up automatic updates and backups, it’ll take some of those repeat tasks off your plate. But since you’ll already, hopefully, be setting new passwords once a quarter, you can do a quick check up on your other security measures too. See if you’ve been a victim of a breach or identity theft, keep telling data brokers to get their hands off your information and find out if new VPNs or other software has been released that could make your security setup more seamless. Making it a part of the routine is much easier than annual sprees, and can help you catch a cybersecurity problem before it becomes unmanageable.

This article originally appeared on Engadget at https://www.engadget.com/heres-everything-you-should-do-to-up-your-security-before-next-year-143009276.html?src=rss

Police are using pharmacies to secretly access medical information about members of the public

A Senate Finance Committee inquiry revealed on Tuesday that police departments can get access to private medical information from pharmacies, no warrant needed. While HIPAA may protect some access to personally identifiable health data, it doesn't stop cops, according to a letter from Senator Ron Wyden, Representative Pramila Jayapal and Representative Sara Jacobs to the Department of Health and Human Services. None of the major US pharmacies are doing anything about it, either, the members of Congress say. 

"All of the pharmacies surveyed stated that they do not require a warrant prior to sharing pharmacy records with law enforcement agents, unless there is a state law that dictates otherwise," the letter said. "Those pharmacies will turn medical records over in response to a mere subpoena, which often do not have to be reviewed or signed by a judge prior to being issued."

The committee reached out to Amazon, Cigna, CVS Health, The Kroger Company, Optum Rx, Rite Aid Corporation, Walgreens Boots Alliance and Walmart about their practices for sharing medical data with police. While Amazon, Cigna, Optum, Walmart and Walgreens said they have law enforcement requests reviewed by legal professionals before complying, CVS Health, The Kroger Company and Rite Aid Corporation said they ask in-store staff to process the request immediately. Engadget reached out to the pharmacies mentioned in the letter about the claims. CVS said its pharmacy staff are trained to handle these inquiries and it's following all applicable laws around the issue. Walgreens said it has a process in place to assess law enforcement requests compliant with those laws, too, and Amazon said that while law enforcement requests are rare, it does notify patients and comply with court orders when applicable. The others either haven't responded or refuse to comment.

The pharmacies mostly blamed the current lack of legislative protections for patient data for their willingness to comply with cop requests. Most of them told the committee that current HIPAA law and other policies let them disclose medical records in response to certain legal requests. That's why the Senate Finance Committee is targeting HHS to strengthen these protections, especially since the 2023 Dobbs decision let states criminalize certain reproductive health decisions. 

Under current HIPAA law, patients have the right to know who is accessing their health information. But individuals have to request the medical record disclosure data, instead of health care professionals being required to share it proactively. "Consequently, few people ever request such information, even though many would obviously be concerned to learn about disclosures of their private medical records to law enforcement agencies," the letter states. The letter also urges pharmacies to change their policies to require a warrant, and publish transparency reports about how data is shared. 

This article originally appeared on Engadget at https://www.engadget.com/police-are-using-pharmacies-to-secretly-access-medical-information-about-members-of-the-public-182009044.html?src=rss

How a social engineering hack turned these Facebook pages into a dumping ground for spam

Hannah Shaw, better known as the “Kitten Lady,” teaches people how to care for neonatal cats, and has raised more than $1 million for animal shelters and rescues. Her Facebook page has gained over a million followers since she began making cat content, but she almost lost it all to a social engineering hack that took over access to her Meta business account.

“I built that community for more than a decade. Thinking that I might lose it was pretty devastating,” Shaw said.

Influencers rely on platforms like Facebook, Instagram and YouTube for their income. These sites have evolved from side project enablers to the sole source of income for some content creators. However, bad actors have found ways to also take a piece of the pie from those earning an honest living there. Yes, high-level hackers tend to seek entities with deep pockets, targeting them with highly complicated attacks. But much of the cyber criminality today is social engineering jobs, ripping off mid-level creators with much fewer resources than a multinational corporation, but also significantly less technical know-how.

A creator who goes by Hobby Bobbins — who gained a cult following within her niche of vintage clothing restoration — walked me through how all of this happened to her. The attack occurred in almost the exact same steps that led to Shaw’s account takeover. It started with an interview request from an individual going by Rex Hall, who claimed to be a manager for the show “Podcast and Chill with MacG.” This appears to be a real podcast, although no one named Rex Hall seems to be publicly associated with it. (We reached out to the podcasters to determine if they're aware their brand is being used to perpetrate a social engineering scheme and have not heard back.) "Podcast and Chill" is based in South Africa, and according to its Twitter bio, its purpose is in part for "documenting black excellence.” It doesn’t specifically focus on the topics Shaw or Bobbins cover, like animal wellness or vintage clothing. But influencers receive these requests constantly, the podcast hosts had a digital footprint and "Rex" was able to answer any questions that Bobbins had.

The malicious actor asked their targets to hop on a Zoom call for pre-interview prep, including setting up Facebook Live to bring in revenue. “Everything seemed normal at first, the only odd thing was his camera was not on. But even that is not too odd, a lot of people don’t want to be on camera,” Shaw said. After a labyrinth of back and forth over backend settings, the scammer leads their targets to a backend setting called “datasets.” It’s an obscure page, often used to give people admin access to a business account. But victims thought it was a normal part of setting up for Facebook Live because it does include event management options.

Both Shaw and Bobbins pushed back on the request to access datasets and turned off their screen sharing to avoid giving too much away. But the hackers still got in by insisting they help with setup, saying that they needed to view one seemingly innocuous link. In datasets, creators generated a unique URL that the scammers could use to get into the account. “When he captured that direct URL, it basically generated that email invite for him without ever having to access my email without him even needing to know a password or anything,” Bobbins said. “All he had to do was put in the link and accept the invite and then it automatically added his own personal Facebook to my page.”

After gaining access, "Rex" was able to make themself an admin of the page. With that power, they could remove Bobbins’ ability to log in. Support tickets with Meta sent her in circles trying to get her account back. Bobbins lost her way to communicate with her 400,000 followers, and hackers deleted years of content she had dedicated her career to making.

The scammers cleaned the page to make room for bogus links that led to ad-filled sites to generate easy revenue. They put in a list of about 100 blocked words so that followers couldn’t flag to each other that the account had been hacked. “Anybody who commented on my page that said ‘stolen’ or ‘hacked’ or ‘scam’ or whatever would be automatically blocked out. So, none of my other followers could see the people who knew that my account was hacked,” said Bobbins. She lost an unknown number of views and “hundreds of dollars” worth of sales each day that her account had been taken over.

Shaw and Bobbins both went to Meta for help, but it was fruitless. “There is zero support for a problem like this with Facebook,” Bobbins said. Resetting her password went nowhere, because it couldn’t change the admin settings that the hackers had changed. When Bobbins finally figured out how to contact the help desk at Facebook with a support ticket, it was closed out “almost instantly” with no help received, she said. In response to our questions about this attack vector or what they’re doing to help creators keep accounts secure, Meta recommended users implement multifactor authentication and report any issues to its support center. But Shaw and Bobbins both have two-factor authentication turned on, and their accounts still got taken over. Meta did, however, introduce better customer service as a feature in its paid verification package earlier this year, another way social media platforms are charging for security features.

Shaw got her account back in about 72 hours from the initial attack by using her following to find a person who could help, but Bobbins wasn’t as lucky. She’s still struggling with access today, over a month since the hack occurred. She briefly got back in and was able to begin manually reuploading her past content. Beyond that, those who accessed the accounts changed location permissions, turned off messaging capabilities, removed her shop from her page, blocked certain followers and took away her $5 per month subscribers. The web of damage became so widespread, Bobbins created a list of the footprints left by the attacker to help others undo the changes. Since the account takeover, Bobbins has struggled to keep access to her account, with unusual flags on seemingly unwarranted copyright violations and other issues kicking her out.

“There’s no extra step that can be taken right now to protect somebody from the thing that I just went through,” Bobbins said. The only prevention for a crime like this is spreading the word, so that others don't fall for the same social engineering trick. That’s why Shaw is helping bring together more than a dozen other victims of the same scam to minimize the damage and call for greater creator security.

Still, there’s no real solution unless the platforms make major changes. Platforms should do a better job of quickly investigating complaints from followers, because right now the onus is on the page owners to figure it out, said Eva Velasquez, president and CEO of the Identity Theft Resource Center. While there are well-established processes for traditional identity theft, like freezing your credit, there are no well-defined practices for social media account takeovers, because creators are at the mercy of the platforms.

If, as a follower, you stumble upon what appears to be an account takeover, Velasquez recommends contacting the creator outside that platform to let them know a hack is under way. Victims of an account takeover can also report the incident to the FBI's Internet Crime Complaint Center, but there’s not much else they can do. Or creators can avoid the platform altogether. “At this moment in time, I don't recommend that anybody accepts Facebook Live interviews,” Shaw said.

This article originally appeared on Engadget at https://www.engadget.com/how-a-social-engineering-hack-turned-these-facebook-pages-into-a-dumping-ground-for-spam-143010079.html?src=rss

Apple and Google are probably spying on your push notifications

Foreign governments likely spy on your smartphone usage, and now Senator Ron Wyden's office is pushing Apple and Google to reveal exactly how it works. Push notifications, the dings from apps that call your attention back to your phone, may be handed over by the platform companies to government agencies that ask for them. But it appears the Department of Justice won't let the companies come clean about the practice.

Push notifications don't travel straight from the app to your phone. Instead, they pass through the platform vendor's push service, Apple's for iPhones and Google's for Android, which delivers them to your screen. That makes the two companies a choke point that governments can lean on. "Because Apple and Google deliver push notification data, they can be secretly compelled by governments to hand over this information," Wyden wrote in the letter on Wednesday.

Apple says it was barred from disclosing this process, which is why Wyden's letter specifically targets the Department of Justice. "In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests,” Apple said in a statement to Engadget. Apple's next transparency report will include requests for push notification tokens, according to the company. Specifically, Wyden asks the DOJ to let Apple and Google tell customers and the general public about the demands for these app notification records. Google did not respond to a request for comment by the time of publication.

It's even more complicated because apps can't route around it. Even if an app promises to protect its users, it must use Apple's or Google's system to deliver push notifications at all. In theory, this means the contents of your private messages could be shared with a foreign government if the app puts them in its push notifications. That includes any metadata about the notification, too, like the account it was sent to.
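What the relay actually gets to see depends on how an app builds its notifications. The script below is an added example, not code from the article or from Apple or Google: it models the relay as a function that sees the whole request an app's server sends (device token, app identifier, payload) and contrasts a conventional notification that carries the message text with a background wake-up that carries only an opaque id, after which the app fetches the message over its own connection and composes the alert on the device. The request shape loosely mirrors APNs and FCM payloads, but the token, app identifier and message are constructed here.

```python
"""Added example: what a push relay can read from a notification request, and
the "wake-up and fetch" pattern that keeps message content off the relay.

Assumptions: the relay sees the full request the app's server sends (device
token, app id, payload). Field names echo the general shape of APNs/FCM
payloads, but the requests themselves are constructed for illustration.
"""
import json
from datetime import datetime, timezone
from typing import Any, Dict


def content_push(token: str, app_id: str, sender: str, text: str) -> Dict[str, Any]:
    """Conventional notification: the title and body travel in the payload, so
    whoever can read the relay's traffic or records can read the message."""
    return {
        "device_token": token,
        "app_id": app_id,
        "payload": {"alert": {"title": sender, "body": text}, "sound": "default"},
    }


def wakeup_push(token: str, app_id: str, message_id: str) -> Dict[str, Any]:
    """Background wake-up: a background-delivery flag plus an opaque id. The
    app, once woken, fetches the message over its own authenticated connection
    and builds the alert locally, so the relay never carries the content."""
    return {
        "device_token": token,
        "app_id": app_id,
        "payload": {"content-available": 1, "message_id": message_id},
    }


def relay_view(request: Dict[str, Any], now: datetime) -> Dict[str, Any]:
    """Everything a compelled relay operator could hand over about one request.
    Note that token, app id, timing and size are present in both designs."""
    return {
        "device_token": request["device_token"],
        "app_id": request["app_id"],
        "received_at": now.isoformat(),
        "payload_bytes": len(json.dumps(request["payload"]).encode()),
        "payload": request["payload"],   # plaintext to the relay in either design
    }


def leaks_message_text(request: Dict[str, Any], text: str) -> bool:
    """True if the literal message text appears anywhere the relay can read."""
    return text in json.dumps(relay_view(request, datetime.now(timezone.utc)))


# Constructed sample: the same message sent both ways.
TOKEN = "constructed-device-token-0123"
APP = "org.example.messenger"
SECRET_TEXT = "meet at the usual place at 7"

if __name__ == "__main__":
    now = datetime(2023, 12, 6, tzinfo=timezone.utc)
    for req in (content_push(TOKEN, APP, "Alice", SECRET_TEXT),
                wakeup_push(TOKEN, APP, "msg-8842")):
        print(json.dumps(relay_view(req, now), indent=2))
        print("message text visible to relay:", leaks_message_text(req, SECRET_TEXT))
```

The wake-up variant removes the message text and the sender's name from what the relay holds, but not the metadata Wyden's letter is concerned with: the device token, which app sent the notification, when, and how large it was are visible to the relay in both designs, and nothing an app does changes that.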

The revelation about push notifications comes at a time when privacy and security have become a selling point. Companies advertise how they'll keep your information safe, but as more loopholes come to light, it's becoming harder to suss out what's actually trustworthy.

This article originally appeared on Engadget at https://www.engadget.com/apple-and-google-are-probably-spying-on-your-push-notifications-154543184.html?src=rss

Self-proclaimed 'gay furry hackers' breach nuclear lab

The Idaho National Laboratory (INL), a nuclear research hub, confirmed on Tuesday that it fell victim to a data breach. SiegedSec, a group of self-proclaimed "gay furry hackers," took responsibility for the attack and claimed to have accessed sensitive employee data including Social Security numbers and home addresses.

"We're willing to make a deal with INL. If they research creating irl catgirls we will take down this post," SiegedSec wrote in a post announcing the leak on Monday. 

The hacktivist group SiegedSec conducted a high-profile attack on NATO last month, leaking internal documents in what it described as retaliation for member countries' attacks on human rights. The group commonly attacks government and affiliated organizations for political reasons, such as targeting state governments that passed anti-trans legislation earlier this year.

While INL hasn't yet responded to our request for comment, a spokesperson confirmed the breach to EastIdahoNews.com. "Idaho National Laboratory determined that it was the target of a cybersecurity data breach, affecting the servers supporting its Oracle HCM system, which supports its Human Resources applications," the INL spokesperson said. The lab said it has contacted authorities for guidance as it works out how to handle the breach.

INL is a Department of Energy laboratory that researches nuclear reactors, among other projects such as sustainable energy. It employs more than 5,000 people.

This article originally appeared on Engadget at https://www.engadget.com/self-proclaimed-gay-furry-hackers-breach-nuclear-lab-152034192.html?src=rss