Security in brief: The saga of 23andMe's mega data breach has reached something of a conclusion, with the company saying its probe has determined millions of leaked records originated from illicit break-ins into just 14,000 accounts.
In an update on Tuesday to a blog post sharing details of the attack, 23andMe said the breach, first reported in October, was enabled via credential stuffing, through which an attacker uses username and password combinations from other breaches to try breaking into unrelated accounts.
In other words, those hit were guilty of the cardinal sin of password reuse and not enabling multifactor authentication.
Data swiped in the breach included names, ancestry information, self-reported location, birth year, links to family trees, and anything that may have been included in self-descriptions added to user profiles.
An additional 1.4 million sets of Family Tree data were stolen as well, 23andMe said, which include similar information as well as relationships to the individuals whose accounts were compromised.
In response, 23andMe seems very concerned at the potential legal ramifications of the breach, and has updated its terms of service in what appears to be an attempt to avoid a wave of lawsuits.
With it being the end of the year, there's less to report, so lots of critical vulnerabilities that we'd normally include here have been covered already.
As usual, there are plenty of ICS advisories to report, though only a couple merit mention as critical threats.
Sheriff's deputies in Yolo County, northwest of the city of Sacramento and north of San Francisco Bay and Silicon Valley, pulled a vehicle over for expired tags recently, and spotted laptops in the vehicle branded with the aforementioned - but unnamed - tech company on them, leading to further investigation.
It's unclear if the laptops were tampered with to extract information, or if the miscreants were simply looking for hardware to flip for a quick profit.
Ransomware gang shakes down staffers... individually.
Health care products and services firm Henry Schein has been reeling since an October cyber attack allegedly perpetrated by the notorious AlphaV/BlackCat ransomware gang, and it's now sending letters to employees whose data - lots of it - has allegedly been stolen as a result of the hit.
Letters are reportedly going out to some 29,112 Henry Schein employees past and present indicating that their names, DoBs, demographics, various forms of government-issued ID, financial information, employment details, photographs and more have been purloined by cybercriminals.
To make matters worse, talks between HS and AlphaV allegedly broke down last month, causing AlphaV to re-encrypt the company's systems and knock applications offline again [PDF].
This isn't Henry Schein's first run-in with what looks like weak security practices.
In 2016, the company had to pay a quarter of a million dollars to the US FTC to settle claims it misled customers about its data encryption capabilities and exposure of customer medical records.
This Cyber News was published on go.theregister.com. Publication date: Mon, 11 Dec 2023 12:13:05 +0000