More than 19,000 online accounts on a California state platform for welfare programs may have been accessed by hackers for nearly a year.

Officials at the California Statewide Automated Welfare System filed breach notification documents with state regulators earlier this month, warning participants in the BenefitsCal program about an intruder.

A spokesperson explained that BenefitsCal is a portal where California residents can manage benefits related to food assistance, cash aid, general assistance, affordable health insurance and more. 

Officials at the agency discovered on February 9 that “someone who was not allowed” may have logged into the accounts of some BenefitsCal users, abusing reused passwords taken from other websites.

The agency deactivated accounts and began an investigation, finding that hackers had access from March 1, 2023 and February 13, 2024. 

They gained access to names, dates of birth, Social Security numbers, phone numbers, EBT and Medi-Cal numbers and more information.

BenefitsCal said it attempted to secure accounts by requiring users to provide a new password and phone number and reissued EBT cards. They also added other “security changes.”

A spokesperson for BenefitsCal told Recorded Future News said the agency now requires two-step verification. They claimed the incident is not a breach because the platform was accessed using valid credentials stolen from some users.

“The bad actors gained access to the BenefitsCal system using legitimate user IDs and passwords that were stolen online from other websites where BenefitsCal users were using the same login credentials. Users are encouraged to select strong passwords and not reuse the same login credentials for other websites,” they said.  

The breach notification letters do not mention any identity protection services, only telling victims to monitor their accounts and place fraud alerts on their credit files. 

California state systems have been frequent targets in recent months, with the news site BleepingComputer reporting yesterday that the Los Angeles County Department of Health Services was forced to disclose a data breach after the information of thousands was exposed. 

Dozens of other state, county and local governments have also been breached by cyber gangs and ransomware actors over the last year.