On Thursday, June 23, the Zataz site reported having spotted an offer offering an archive containing the usernames and passwords of a million users of the Ameli.fr site, the online health insurance service. That is one million social security numbers associated with passwords, the Ameli.fr service using these numbers as login identifiers.
A file more than doubtful
But the offer is dubious in more ways than one. First of all, the seller of the archive does not offer any sample to prove the authenticity and validity of the data, nor any explanation of the origin of these identifiers. The offer only displays a price, 6000 dollars, but the seller does not give more details on his offer, only promising that the data is recent.
In addition, the health insurance indicates that it has not noticed any data leaks on its side. When questioned, the organization rejects this hypothesis: “Thus, if it is not possible to formally establish the source of this list – if it exists, it is nevertheless possible to affirm that it does not come from a new attack on health insurance. L’Assurance Maladie has not noticed any theft in its Ameli account connection identifier data systems. »
The health insurance also indicates that it is not in a position to know whether the numbers stolen during the leak last March are included in the archive proposed by the cybercriminal. There remains one last theory to explain the origin of the data sold: data accumulated by multiple phishing operations targeting Internet users. “If a hacker managed to obtain logins and passwords as claimed by the Zataz site, this can be explained by the fact that he probably managed to deceive the vigilance of insured persons to obtain them”, summarizes the CNAM.
But as already noted by Zataz in his article, this track hardly explains the number of accounts announced by the seller: succeeding in deceiving such a large number of users and bringing together in a single archive all the social security numbers and associated passwords seems amazing. The seller refusing to give more details on the origin of the archive or any samples to verify its authenticity, so it is quite likely that the offer is just another scam on a customary stolen data market.
Phishing is on the rise
Many phishing campaigns targeting access to the Ameli account have nevertheless been noted by the Health Insurance in recent times, “malicious people seeking to obtain their login IDs and passwords directly from policyholders” indicates the communication. Some Internet users report phishing attempts: scammers in possession of a valid security number trigger the password reset process then call the victim on the phone pretending to be Health Insurance in order to obtain the password one-time password sent to the victim’s mailbox. This one-time password is then used to access the user’s Ameli account.
Faced with this phishing campaign, Health Insurance explains that it has implemented a series of measures aimed at alerting users to the risks associated with this type of phishing. The organization thus explains that it has reinforced awareness campaigns for policyholders, as well as the implementation of an automatic email sent each time the account is connected in order to allow the user to verify that no third party has accesses the account without his knowledge.
Numerous health data leaks have been reported over the past few months, some of which may have fallen into the hands of bad guys using them for scams. In March, Health Insurance reported a data leak that allowed attackers to consult the health data of approximately 510,000 insured persons. But health insurance is not the only organization with social security numbers: the data leak that targeted the APHP in September 2021 also contained the social security numbers of around 1.4 million people. residents in Ile de France, as was the data leak that affected several laboratories at the start of 2021.