Early on Monday, Utah state officials changed their numbers again. In a statement, DTS and UDOH officials said ongoing investigations showed that the compromised data included Social Security Numbers belonging to about 255,000 people whose providers had contacted the UDOH to verify their Medicaid eligibility.

"The victims are likely to be people who have visited a health care provider in the past four months," the statement said. "Some may be Medicaid or CHIP recipients; others are individuals whose health care providers were unsure as to their status as Medicaid recipients."

The state has begun notifying affected individuals about the compromise. Those who had their SSNs stolen will receive one year's worth of free credit monitoring services.

Attacks that take advantage of weak authentication mechanisms continue to be a major problem for enterprises. Though the issue is well understood, many companies with otherwise sound defenses continue to get breached because of their reliance on default or easy-to-guess passwords and knowledge-based authentication (KBA) mechanisms for controlling access to critical network assets and systems.

A recent breach at that exposed debit and credit card data belonging to about 1.5 million people is thought to have resulted from an authentication vulnerability.