Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect

October 10, 2023

Good morning, everyone!

This week’s critical vulnerabilities:
  • Apple has released iOS 17.0.3 and iPadOS 17.0.3 to fix two critical vulnerabilities, one under active exploit
  • Atlassian has released a patch to fix a critical flaw in its Confluence Server and Data Server
Of Note: CISA and NSA have released a joint advisory "Most Common Network Misconfigurations" -- worth a read.

Patch All the Things!



Breaking down the 23andMe incident

This past weekend I read this article: Genetics firm 23andMe says user data stolen in credential stuffing attack and I saw soooo many lessons here. Let's step through 3 of them:

A 23andMe spokesperson confirmed the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data....The information that has been exposed from this incident includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.

This is bad. Really bad. How did it happen? What is a "credential stuffing attack?"

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords (often from a data breach), and then uses the credentials to gain unauthorized access to user accounts on other systems.

First lesson: (a) Don't re-use passwords across different websites! Especially not on websites holding important and/or particularly sensitive information like this. Passwords should be long, strong and unique. Try not to re-use even part of a password, because a partially-new password is easier to crack than a brand-new one. (b) Monitor your data for appearances on the dark web (the Internet's black market). There are commercial services that will do this for you for a fee, but you can also sign up free of charge at https://haveibeenpwned.com to check whether your email address or other username has shown up in a data breach, and get notified if it shows up later.
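The definition above describes the attacker's side: one leaked password tried once against each of many accounts. From the defender's side that pattern is visible in ordinary login logs, and the following is an added example (not code from the newsletter, from BleepingComputer or from 23andMe) of spotting it. The log lines are constructed, and the field layout (src=, user=, result=) and the thresholds are assumptions; real telemetry will differ.

```python
"""Flag credential-stuffing behaviour in authentication logs.

Added example: the log lines are constructed, and the field layout
(src=, user=, result=) and the thresholds are assumptions, not any real
service's telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.5 tries one leaked password per account and
# mostly fails; 198.51.100.7 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2023-10-07T02:14:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2023-10-07T02:14:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2023-10-07T02:14:03Z src=203.0.113.5 user=carol@example.com result=OK
2023-10-07T02:14:04Z src=203.0.113.5 user=dave@example.com result=FAIL
2023-10-07T02:14:05Z src=203.0.113.5 user=erin@example.com result=FAIL
2023-10-07T02:14:06Z src=203.0.113.5 user=frank@example.com result=FAIL
2023-10-07T02:14:07Z src=203.0.113.5 user=grace@example.com result=OK
2023-10-07T02:14:08Z src=203.0.113.5 user=heidi@example.com result=FAIL
2023-10-07T03:05:10Z src=198.51.100.7 user=alice@example.com result=FAIL
2023-10-07T03:05:20Z src=198.51.100.7 user=alice@example.com result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, user, result = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "user": user,
            "ok": result == "OK",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=5, min_fail_rate=0.6):
    """Slide a time window over each source address and flag sources that
    touch many distinct accounts with a high failure rate. One guess per
    account is the stuffing signature; many guesses on one account is
    brute force and is deliberately not matched here.
    Returns {src: {"accounts", "attempts", "failures", "succeeded"}}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Drop events older than the window relative to the newest one.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if not e["ok"])
            if len(users) < min_accounts or failures / len(win) < min_fail_rate:
                continue
            hit = findings.setdefault(src, {"accounts": 0, "attempts": 0,
                                            "failures": 0, "succeeded": set()})
            hit["accounts"] = max(hit["accounts"], len(users))
            hit["attempts"] = max(hit["attempts"], len(win))
            hit["failures"] = max(hit["failures"], failures)
            # Accounts the flagged source got into: these need a forced reset.
            hit["succeeded"] |= {e["user"] for e in win if e["ok"]}
    for hit in findings.values():
        hit["succeeded"] = sorted(hit["succeeded"])
    return findings


if __name__ == "__main__":
    for src, hit in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {hit['accounts']} accounts, "
              f"{hit['failures']}/{hit['attempts']} failed, "
              f"successful logins to review: {hit['succeeded']}")
```

The output of interest is the `succeeded` list: even a low success rate is the point of the attack, and those are the accounts whose owners re-used a leaked password and need a reset and a look at what was accessed.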

The compromised accounts had opted into the platform's 'DNA Relatives' feature, which allows users to find genetic relatives and connect with them. The threat actor accessed a small number of 23andMe accounts and then scraped the data of their DNA Relative matches, which shows how opting into a feature can have unexpected privacy consequences.

Second lesson: Understand what you are doing! Before opting in to anything, it's important to understand exactly what that means and what the potential consequences are. So as a 23andMe customer, your data could have been stolen even though your account wasn't actually compromised, if you had opted in to share this data with others and their accounts were compromised. (Reminds me of the Facebook - Cambridge Analytica scandal a few years back: "Facebook allowed this app not only to collect personal information from survey respondents but also from respondents’ Facebook friends. In this way, Cambridge Analytica acquired data from millions of Facebook users.")

23andMe told BleepingComputer that the platform offers two-factor authentication as an additional account protection measure and encourages all users to enable it.

Third lesson: Enable 2FA anywhere and everywhere it is available! That is the single most important thing you can do to protect your online accounts.
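Why 2FA stops credential stuffing in particular: the attacker arrives with a correct password and nothing else. The following added example (not 23andMe's code or anything from the newsletter) shows a login check that requires a password and an RFC 6238 time-based one-time code; the user record, the salt and the password are constructed, and the TOTP secret is the RFC 6238 test key so the codes can be checked against the published vectors. A correct password alone only gets as far as "2fa_required".

```python
"""Password-plus-TOTP login check.

Added example, not 23andMe's code. The user record is constructed; the
TOTP secret is the RFC 6238 test key and the password hashing is PBKDF2
from the standard library.
"""
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds
DIGITS = 6


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, skew: int = 1) -> bool:
    """Accept the current step and `skew` steps either side for clock drift."""
    return any(hmac.compare_digest(totp(secret, at + i * STEP), code)
               for i in range(-skew, skew + 1))


def hash_password(password: str, salt: bytes, rounds: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


# Constructed user record. A real system would use a random per-user salt
# and a random per-user TOTP secret; this secret is the RFC 6238 test key.
SALT = b"constructed-salt"
USERS = {
    "alice@example.com": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",
    }
}


def login(username: str, password: str, code, at: int) -> str:
    """Returns 'ok', 'bad_password', '2fa_required' or 'bad_2fa'.

    A password leaked from another site (the credential-stuffing case)
    gets the attacker no further than '2fa_required'."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(
            user["pw_hash"], hash_password(password, SALT)):
        return "bad_password"
    if code is None:
        return "2fa_required"
    if not verify_totp(user["totp_secret"], code, at):
        return "bad_2fa"
    return "ok"


if __name__ == "__main__":
    now = 59   # RFC 6238 test time; the 6-digit code for this step is 287082
    print(login("alice@example.com", "correct horse battery staple", None, now))
    print(login("alice@example.com", "correct horse battery staple", "287082", now))
```

The `skew` window is the usual one-step tolerance for clock drift between the phone and the server; widening it makes a guessed code more likely to land, so keep it small and rate-limit code attempts as well.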

October is Cyber Security Awareness Month

And CISA has developed some resources to raise awareness and assist in employee training. You will probably recognize their "Four Easy Ways to Stay Safe Online" -- read and share.

Stay cyber safe this week!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Have a great week!

Glenda R. Snodgrass

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!



Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.


Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com


Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved. Read our privacy policy