Skip links

23andMe responds to breach with new suit-limiting user terms

Security in brief The saga of 23andMe’s mega data breach has reached something of a conclusion, with the company saying its probe has determined millions of leaked records originated from illicit break-ins into just 14,000 accounts.

In an update on Tuesday to a blog post sharing details of the attack, 23andMe said the breach, first reported in October, was enabled via credential stuffing, through which an attacker uses username and password combinations from other breaches to try breaking into unrelated accounts.

In other words, those hit were guilty of the cardinal sin of password reuse and not enabling multifactor authentication.

Data stolen, we’re told, has been confirmed to come from “DNA relatives” profiles that indicate how folks may be related, of which 5.5 million sets of data were stolen. Data swiped in the breach included names, ancestry information, self-reported location, birth year, links to family trees, and anything that may have been included in self-descriptions added to user profiles. 

An additional 1.4 million sets of Family Tree data was stolen as well, 23andMe said, which includes similar information as well as relationships to the individuals whose accounts were compromised. 

In response, 23andMe seems very concerned at the potential legal ramifications of the breach, and has updated its terms of service in what appears to be an attempt to avoid a wave of lawsuits.

A side-by-side comparison of 23andMe’s new terms of service, dated November 30, and its previous version from October 4 (prior to the breach), teased out a new dispute resolution period of 60 days during which aggrieved customers agree to “first attempt to negotiate any dispute informally … before either party initiates any arbitration or court proceeding.” 

Per Axios, 23andMe’s terms also include a provision that means customers automatically accept changes to the terms and conditions unless they formally decline (email link) the terms in an email within 30 days of being notified of the changes. 

Critical vulnerabilities of the week

With it being the end of the year, there’s less to report, so lots of critical vulnerabilities that we’d normally include here have been covered already. 

As usual, however, there’s plenty of ICS advisories to report, though only a couple merit mention as critical threats. 

  • CVSS 9.8 – CVE-2023-3346: A classic buffer overflow vulnerability in “all versions of Mitsubishi Electric CNC series devices” can cause DoS and allow RCE.
  • CVSS 8.1 – Multiple CVEs: Sierra Wireless AirLink routers with ALEOS firmware versions prior to 4.9.9 and 4.17.0 contain several vulnerabilities that can lead to credential theft, DoS, RCE, and total takeover.

Hundreds of laptops stolen

A routine traffic stop in California’s Yolo County has led to five arrests and the recovery of a cache of laptops stolen from “a well-known Bay Area tech company.” 

Sheriff’s deputies in Yolo County, northwest of the city of Sacramento and north of San Francisco Bay and Silicon Valley, pulled a vehicle over for expired tags recently, and spotted laptops in the vehicle branded with the aforementioned – but unnamed – tech company on them, leading to further investigation. 

“After weeks of thorough probing, detectives unraveled a sophisticated retail theft ring involving multiple individuals,” the sheriff’s department said in a Facebook post Monday. “Executing search warrants across Woodland [a city in Yolo County] led to the apprehension of five suspects and the recovery of 114 stolen laptop computers.” 

It’s unclear if the laptops were tampered with to extract information, or if the miscreants were simply looking for hardware to flip for a quick profit. 

Ransomware gang shakes down staffers… individually

Health care products and services firm Henry Schein has been reeling since an October cyber attack allegedly perpetrated by the notorious AlphaV/BlackCat ransomware gang, and it’s now sending letters to employees whose data – lots of it – has allegedly been stolen as a result of the hit. 

Letters are reportedly going out to some 29,112 Henry Schein employees past and present indicating that their names, DoBs, demographics, various forms of government-issued ID, financial information, employment details, photographs and more have been purloined by cybercriminals.

To make matters worse, talks between HS and AlphaV allegedly broke down last month, causing AlphaV to re-encrypt the company’s systems and knock applications offline again [PDF]. It looks like AlphaV either never lost access despite HS’s claims to have taken “precautionary action” after the October attack, or easily broke back in. 

This isn’t Henry Schein’s first run-in with what looks like weak security practices. In 2016, the company had to pay a quarter of a million dollars to the US FTC to settle claims it misled customers about its data encryption capabilities and exposure of customer medical records. ®