23andMe responds to breach with new suit-limiting user terms


Security in brief The saga of 23andMe's mega data breach has reached something of a conclusion, with the company saying its probe has determined that millions of leaked records originated from illicit break-ins into just 14,000 accounts.

In an update on Tuesday to a blog post sharing details of the attack, 23andMe said the breach, first reported in October, was enabled via credential stuffing, through which an attacker uses username and password combinations from other breaches to try breaking into different accounts.

In other words, those hit were guilty of the cardinal sin of password reuse and not enabling multifactor authentication.
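As an added illustration of the credential-stuffing pattern described above (example code, not from the original article or from 23andMe), the following Python separates that pattern from a brute-force attack on one account and from legitimate shared-IP traffic using constructed auth log lines; the log format, the RFC 5737 sample addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not real data); IPs are from RFC 5737 ranges.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z login user=alice ip=203.0.113.5 result=fail
2023-10-01T12:00:02Z login user=bob ip=203.0.113.5 result=fail
2023-10-01T12:00:02Z login user=carol ip=203.0.113.5 result=success
2023-10-01T12:00:03Z login user=dave ip=203.0.113.5 result=fail
2023-10-01T12:00:03Z login user=erin ip=203.0.113.5 result=fail
2023-10-01T12:00:05Z login user=alice ip=198.51.100.7 result=fail
2023-10-01T12:00:06Z login user=alice ip=198.51.100.7 result=fail
2023-10-01T12:00:07Z login user=alice ip=198.51.100.7 result=fail
2023-10-01T12:00:08Z login user=alice ip=198.51.100.7 result=fail
2023-10-01T12:00:09Z login user=alice ip=198.51.100.7 result=fail
2023-10-01T12:00:11Z login user=gina ip=192.0.2.9 result=success
2023-10-01T12:00:12Z login user=hank ip=192.0.2.9 result=success
2023-10-01T12:00:13Z login user=ivan ip=192.0.2.9 result=success
2023-10-01T12:00:14Z login user=judy ip=192.0.2.9 result=success
2023-10-01T12:00:15Z login user=kim ip=192.0.2.9 result=success
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>success|fail)")

def classify_sources(log_text, min_users=5, min_fail_ratio=0.5):
    """Group login attempts by source IP and label each source.
    credential_stuffing: many distinct usernames and mostly failures (leaked
    pairs tried once each; a few succeed where the password was reused).
    brute_force: many failures on a single username. benign: everything else.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not login events
        s = stats[m["ip"]]
        s["users"].add(m["user"])
        s["attempts"] += 1
        s["fails"] += int(m["result"] == "fail")
    report = {}
    for ip, s in stats.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            label = "credential_stuffing"
        elif len(s["users"]) == 1 and s["fails"] >= min_users:
            label = "brute_force"
        else:
            label = "benign"  # e.g. a corporate NAT with many successful users
        report[ip] = {"users": len(s["users"]), "attempts": s["attempts"], "fails": s["fails"], "label": label}
    return report
```

Run `classify_sources(SAMPLE_LOG)` to see the three labels; in practice the per-IP counts would be windowed by time and combined with MFA enforcement rather than used as the sole signal.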

Data stolen, we're told, has been confirmed to come from "DNA Relatives" profiles that indicate how people may be related, of which 5.5 million sets of data were stolen. Data swiped in the breach included names, ancestry information, self-reported location, birth year, links to family trees, and anything that may have been included in self-descriptions added to user profiles. 

An additional 1.4 million sets of Family Tree data was stolen as well, 23andMe said, which includes similar information as well as relationships to the individuals whose accounts were compromised. 

In response, 23andMe seems very worried about the potential legal ramifications of the breach, and has updated its terms of service in what appears to be an attempt to avoid a wave of lawsuits.

A side-by-side comparison of 23andMe's new terms of service, dated November 30, and its previous version from October 4 (prior to the breach), teased out a new dispute resolution period of 60 days during which affected customers agree to "first attempt to resolve any dispute informally … before either party initiates any arbitration or court proceeding." 


Per Axios, 23andMe's terms also include a provision that means customers automatically accept changes to the terms and conditions unless they formally decline the terms in an email within 30 days of being notified of the changes. 

Critical vulnerabilities of the week

With it being the end of the year, there's less to report, so lots of critical vulnerabilities that we'd normally include here have been covered already. 

As usual, however, there's plenty of ICS advisories to report, though only a couple merit mention as critical threats. 

  • CVSS 9.8 – CVE-2023-3346: A classic buffer overflow vulnerability in "all versions of Mitsubishi Electric CNC series devices" can cause DoS and allow RCE.
  • CVSS 8.1 – Multiple CVEs: Sierra Wireless AirLink routers with ALEOS firmware versions prior to 4.9.9 and 4.17.0 contain several vulnerabilities that can lead to credential theft, DoS, RCE, and complete takeover.

Hundreds of laptops stolen

A routine traffic stop in California's Yolo County has led to five arrests and the recovery of a cache of laptops stolen from "a renowned Bay Area tech company." 

Sheriff's deputies in Yolo County, northwest of the city of Sacramento and north of San Francisco Bay and Silicon Valley, pulled a vehicle over for expired tags recently, and spotted laptops in the vehicle branded with the aforementioned – but unnamed – tech company, leading to further investigation. 

"After weeks of thorough probing, detectives unraveled a sophisticated retail theft ring involving multiple individuals," the sheriff's department said in a Facebook post Monday. "Executing search warrants across Woodland [a city in Yolo County] led to the arrest of five suspects and the recovery of 114 stolen laptop computers." 

It's unclear if the laptops were tampered with to extract information, or if the miscreants were simply looking for hardware to flip for a quick profit. 

Ransomware gang shakes down staffers... individually

Health care products and services firm Henry Schein has been reeling since an October cyber attack allegedly perpetrated by the notorious AlphaV/BlackCat ransomware gang, and it's now sending letters to employees whose data – lots of it – has allegedly been stolen as a result of the hit. 

Letters are reportedly going out to some 29,112 Henry Schein employees past and present stating that their names, DoBs, demographics, various forms of government-issued ID, financial information, employment details, photographs and more have been purloined by cybercriminals.

To make matters worse, talks between HS and AlphaV allegedly broke down last month, causing AlphaV to re-encrypt the company's systems and knock applications offline again [PDF]. It looks like AlphaV either never lost access despite HS's claims to have taken "precautionary action" after the October attack, or easily broke back in. 

This isn't Henry Schein's first brush with what looks like weak security practices. In 2016, the company had to pay a quarter of a million dollars to the US FTC to settle claims it misled customers about its data encryption capabilities and the protection of customer medical records. ®