Cyber Security News & Tips by Glenda R. Snodgrass for The Net Effect
[ View this email in your web browser ] [ Visit our archives ] [ Sign Up for this Newsletter ]

October 10, 2023

Good morning, everyone!

This week’s critical vulnerabilities:
  • Apple has released iOS 17.0.3 and iPadOS 17.0.3 to fix two critical vulnerabilities, one under active exploit
  • Atlassian has released a patch to fix a critical flaw in its Confluence Server and Data Server
Of Note: CISA and NSA have released a joint advisory "Most Common Network Misconfigurations" -- worth a read.

Patch All the Things!

Breaking down the 23andMe incident

This past weekend I read this article: Genetics firm 23andMe says user data stolen in credential stuffing attack and I saw soooo many lessons here. Let's step through 3 of them:

A 23andMe spokesperson confirmed the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data....The information that has been exposed from this incident includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.

This is bad. Really bad. How did it happen? What is a "credential stuffing attack?"

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords (often from a data breach), and then uses the credentials to gain unauthorized access to user accounts on other systems

First lesson: (a) Don't re-use passwords across different websites! Especially not on websites with important and/or particularly sensitive information like this. Passwords should be long, strong and unique. Try not to re-use even part of a password, as it makes that partially-new password easier to crack than a brand-new one. (b) Monitor your data that shows up on the dark web (the Internet black market). There are commercial services that will do this for you for a fee, but you can also sign up free of charge to to check if your email or other user name has shown up in a data breach, and get notifications if it shows up later.

The compromised accounts had opted into the platform's 'DNA Relatives' feature, which allows users to find genetic relatives and connect with them. The threat actor accessed a small number of 23andMe accounts and then scraped the data of their DNA Relative matches, which shows how opting into a feature can have unexpected privacy consequences.

Second lesson: Understand what you are doing! Before opting in to anything, it's important to understand what that means exactly, and what are the potential consequences. So as a 23andMe customer, your data could have been stolen even though your account wasn't actually compromised, if you had opted-in to share this data with others and their accounts were compromised. (Reminds me of the Facebook - Cambridge Analytica scandal a few years back: "Facebook allowed this app not only to collect personal information from survey respondents but also from respondents’ Facebook friends. In this way, Cambridge Analytica acquired data from millions of Facebook users.").

23andMe told BleepingComputer that the platform offers two-factor authentication as an additional account protection measure and encourages all users to enable it.

Third lesson: Enable 2FA anywhere and everywhere it is available! That is the single most important thing you can do to protect your online accounts.

October is Cyber Security Awareness Month

And CISA has developed some resources to raise awareness and assist in employee training. You will probably recognize their "Four Easy Ways to Stay Safe Online" -- read and share.

Stay cyber safe this week!

Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.

Have a great week!

Glenda R. Snodgrass

Glenda R. Snodgrass
(251) 433-0196 x107
For information security news & tips, follow me!

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺

TNE. Cybersecurity. Possible.

Speak with an Expert


The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com
Secure Payment Center

The Net Effect, LLC

Copyright 1996-2024 The Net Effect, L.L.C. All rights reserved. Read our privacy policy