California Sues 23andMe Over 2023 Data Breach Affecting 7 Million Users

California Attorney General Rob Bonta filed a lawsuit against 23andMe over a 2023 data breach that exposed personal data of 7 million users. The breach led to user information being sold on the dark web.

Biznab Editor

California Attorney General Rob Bonta announced a lawsuit against genetic testing company 23andMe on Friday. The legal action stems from a 2023 data breach that compromised the personal information of approximately 7 million users. Bonta's office alleges that 23andMe failed to adequately protect sensitive user data, violating state consumer protection and privacy laws.

The breach, which came to light in October 2023, involved attackers gaining access to user profiles through credential stuffing attacks. The stolen data included names, birth years, ancestry information, and in some cases, health-related genetic data. The information was subsequently listed for sale on dark web marketplaces, raising concerns about identity theft and privacy violations.

According to the complaint, 23andMe did not implement sufficient security measures to prevent such attacks. The lawsuit claims the company neglected to enforce multi-factor authentication or adequately monitor for suspicious login attempts. Bonta stated that the company's actions demonstrated a disregard for user privacy and security obligations under California law.

The lawsuit seeks civil penalties and injunctive relief to compel 23andMe to strengthen its data security practices. California's Consumer Privacy Act and the state's Unfair Competition Law are cited as the legal basis for the action. Bonta emphasized that companies handling sensitive genetic data must uphold the highest standards of protection.

23andMe responded to the lawsuit by stating that it cooperated with law enforcement during the breach investigation. The company noted that it has since implemented additional security measures, including mandatory password resets and enhanced monitoring. However, the attorney general's office argued that these steps came too late for the millions of affected users.

The breach has broader implications for the genetic testing industry, which collects highly personal and immutable data. Privacy advocates have long warned about the risks of storing such information, as genetic data cannot be changed like a password. The lawsuit could set a precedent for how companies must safeguard biometric and genetic information.

23andMe faces similar legal challenges from class-action lawsuits filed by affected users. The company has also been under scrutiny from federal regulators, including the Federal Trade Commission. The California lawsuit adds to mounting pressure on the company to overhaul its data security practices.

A court date has not yet been set for the case. The attorney general's office is seeking an order requiring 23andMe to implement comprehensive security protocols and to pay restitution to affected consumers. The outcome of this lawsuit could influence future data protection regulations for companies handling sensitive personal data.


Fake GTA 6 files circulate online, cybersecurity experts warn

Following a GTA 6 pre-order leak, phishing scams have accelerated. Cybercriminals are distributing viruses and malware to players under the guise of early access files.

Biznab Editor

Cybersecurity researchers have detected a surge in fraudulent files claiming to be Grand Theft Auto 6 early access content. The campaign follows a recent pre-order leak that generated significant attention among gaming communities.

Attackers are distributing these malicious files through social media posts, torrent sites, and direct messages. The files often contain trojans, ransomware, or keyloggers designed to steal personal information.

Rockstar Games has not announced any official pre-order or early access program for GTA 6. The company has not announced a release date for the title, which remains in development.

Security firms advise players to avoid downloading any files labeled as GTA 6 early access. Official announcements will come only through Rockstar's verified channels.

The phishing attempts have been reported across multiple platforms, including Discord, Reddit, and YouTube. Some fake download links mimic official Rockstar websites.

Users who have downloaded suspicious files should run antivirus scans immediately. Changing passwords for gaming accounts and enabling two-factor authentication are also recommended.

Rockstar Games has not commented on the ongoing scam. The company typically issues warnings about such threats through its official support channels.

Gamers are urged to remain vigilant and rely solely on official sources for GTA 6 information. No legitimate early access files exist at this time.


New FROST Technique Lets Websites Spy on Visitors via SSD Activity

Researchers have developed a new side-channel attack called FROST that exploits solid-state drive timing to track visitors' browsing history and open applications. The technique measures subtle interactions with SSDs through the OPFS API, allowing websites to monitor other sites a user is viewing and what apps are running.

Biznab Editor

A new technique called FROST (fingerprinting remotely using OPFS-based SSD timing) enables websites to spy on visitors by analyzing subtle interactions with their solid-state drives. The method, detailed in a research paper, exploits a side channel that leaks information through physical manifestations such as the time required to complete a task. By measuring these timing variations, attackers can infer which other sites a visitor is viewing and what applications are open on their device.

The technique leverages the OPFS (Origin Private File System) API, which is designed to provide web applications with high-performance file access. Researchers discovered that the timing of SSD operations can be measured through this API, creating a side channel that reveals contention for storage resources. When multiple processes access the SSD simultaneously, the resulting delays can be detected and used to infer activity on the device.

FROST represents a significant evolution in browser-based tracking methods. For decades, websites have employed various covert techniques to track visitors, including browser fingerprinting, keystroke logging, and mouse movement analysis. Even major companies like Meta and Yandex have been caught engaging in privacy-invasive tracking. The new SSD-based approach adds another dimension to these surveillance capabilities.

The attack works by measuring the time it takes to perform read and write operations on the SSD through the OPFS API. When a user visits multiple sites or runs multiple applications, the SSD experiences contention as it handles concurrent requests. By analyzing the timing patterns of these operations, a malicious website can determine what other sites are open in the browser or what native applications are running on the system.

Researchers demonstrated that FROST can achieve high accuracy in identifying specific websites and applications. The technique does not require any special permissions or user interaction beyond visiting a webpage. It works across different browsers that support the OPFS API, including Chrome, Edge, and Opera. The attack is particularly effective on systems with NVMe SSDs, which have more predictable timing characteristics.

The discovery raises significant privacy concerns, as users have no easy way to prevent this type of tracking. Unlike cookies or browser fingerprinting, SSD timing attacks cannot be blocked by traditional privacy tools like ad blockers or anti-tracking extensions. The only mitigation currently available is to disable the OPFS API entirely, which would break legitimate web applications that rely on it.

The research paper was presented at a security conference and has been shared with browser vendors. Google and Microsoft have been notified of the vulnerability, but no patches have been released yet. The researchers recommend that users remain cautious about which websites they visit and consider using separate browser profiles for different activities to reduce the risk of cross-site tracking.

As of now, there is no easy fix for FROST. The technique exploits fundamental characteristics of SSD storage that cannot be easily changed without affecting performance. Browser vendors may need to implement timing obfuscation or limit the precision of OPFS timing measurements to mitigate the attack. Until such measures are deployed, users are advised to be aware that their SSD activity can be monitored by websites.


Google Engineer Charged with Insider Trading, Made $1.2M on Polymarket

A Google engineer has been charged with insider trading after allegedly using confidential information to place bets on Polymarket, earning $1.2 million. The complaint states the engineer risked over $2.7 million on wagers related to Google's 2025 Year in Search campaign.

Biznab Editor

Federal prosecutors have charged a Google engineer with insider trading, accusing him of using non-public information to profit from bets placed on the prediction market platform Polymarket. The charges, filed in a U.S. district court, allege the engineer made approximately $1.2 million through a series of wagers tied to Google's internal data.

According to the criminal complaint, the engineer risked more than $2.7 million on bets related to Google's 2025 Year in Search campaign. The campaign, which highlights trending search queries, relies on proprietary data not available to the public. Authorities say the engineer accessed this confidential information as part of his role at the company.

The complaint details how the engineer allegedly used his knowledge of upcoming search trends to place bets on Polymarket, a platform that allows users to wager on the outcomes of real-world events. The bets were structured around which topics or phrases would appear in the Year in Search list, giving the engineer an unfair advantage over other traders.

Prosecutors claim the engineer executed the trades through multiple accounts to avoid detection. The scheme reportedly spanned several months, with the engineer placing bets on various categories within the campaign. The total amount wagered exceeded $2.7 million, with net profits reaching $1.2 million.

The case marks one of the first instances of insider trading charges involving a prediction market. Polymarket, which has grown in popularity for its political and event-based betting, has faced scrutiny over potential market manipulation and insider trading. The platform has stated it cooperates with law enforcement and has implemented measures to prevent such activities.

Google has confirmed it is cooperating with the investigation. The company said the engineer has been suspended pending the outcome of the legal proceedings. Google emphasized its commitment to protecting confidential information and stated it has strict policies against insider trading.

The engineer faces charges of securities fraud and wire fraud, each carrying potential prison sentences of up to 20 years. A court date has not yet been set. The case is being prosecuted by the U.S. Attorney's Office for the Southern District of New York.


7-Eleven data breach exposes personal data of over 185,000 individuals

A data breach at 7-Eleven has compromised the personal information of more than 185,000 people, including names, dates of birth, addresses, and Social Security numbers. The breach was disclosed in a state government filing.

Biznab Editor

7-Eleven has confirmed a data breach that exposed the personal information of over 185,000 individuals. The incident was disclosed in a filing with the state government, detailing the types of data compromised. Affected data includes names, dates of birth, postal addresses, and Social Security numbers, according to the filing.

The breach was discovered during a routine security review, the company stated. 7-Eleven has not yet disclosed the exact method of the breach or how long the attackers had access to the systems. The company is working with law enforcement and cybersecurity experts to investigate the incident.

Customers whose data was compromised are being notified by mail. 7-Eleven is offering affected individuals free credit monitoring and identity theft protection services for a period of one year. The company has also set up a dedicated call center to answer questions from concerned customers.

The breach appears to have targeted a specific database containing personal information. 7-Eleven has since implemented additional security measures to prevent future incidents. The company urged customers to remain vigilant and monitor their financial accounts for suspicious activity.

This incident adds to a growing list of data breaches affecting major retailers. 7-Eleven operates over 70,000 stores globally, though the breach appears to be limited to its U.S. operations. The company has not disclosed the exact number of affected stores or the timeframe of the breach.

7-Eleven has not yet provided a timeline for when the breach occurred or when it was first detected. The company stated that it is cooperating fully with authorities and will provide updates as the investigation progresses. Customers are advised to change their passwords and enable two-factor authentication on their accounts.

The company emphasized that it takes data security seriously and apologized for the inconvenience caused. 7-Eleven is reviewing its security protocols and investing in additional safeguards to protect customer data. The breach is a reminder for consumers to regularly monitor their personal information for signs of misuse.
