Cyber Security Today, Jan. 5, 2023 – 23andMe blames poor user password practices for a data breach


23andMe blames poor user password practices for a data breach.

Welcome to Cyber Security Today. It’s Friday, January 5th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.


Who’s at fault for the recent huge data breach at the genetic testing service 23andMe? Users and their poor password practices, says the company. That’s according to a news story on TechCrunch. The company is writing people that some customers “negligently recycled and failed to update their passwords,” which led to the data breach. The company denies the attack was the result of 23andMe failing to maintain reasonable security measures. According to the news story, before the data theft the use of multifactor authentication for login protection was optional. Now it’s mandatory. Hackers were able to access the accounts of about 14,000 people by brute-forcing logins with a list of stolen usernames and passwords from other sites. Those accounts held personal information of linked relatives, so the total number of victims added up to 6.9 million people.

In a commentary, Ken Westin, field CISO of Panther Labs, said blaming victims for a data breach isn’t fair. On the other hand, other IT experts say subscribers to any service have to take some responsibility for their password practices.

Users of the LastPass password manager can’t get away with short master passwords any more. According to Bleeping Computer, the company says subscribers now have to create master passwords of at least 12 characters. Since April that’s been the rule for new users or those resetting their passwords. But older accounts were still able to use short master passwords. As many people say, the longer the better.

Russian hackers were inside the biggest Ukrainian telecom provider for at least seven months before knocking it offline last month. That’s what the head of Ukraine’s cybersecurity agency has told the Reuters news agency. Service to about 24 million users was chopped for days when the attack wiped thousands of the telco’s virtual servers. The official said the incident is a warning to countries around the world that “no one is actually untouchable.”

Canadian mining company Barrick Gold has become the latest business to tell people their data was stolen in the hack of a MOVEit file transfer server. The company notified the Maine Attorney General’s office this week that it is sending letters to over 2,700 victims. It isn’t clear if these are only Americans. Barrick spokespersons didn’t reply to an emailed query for clarification. So far over 2,726 organizations have been victimized directly or indirectly by the hack of MOVEit file transfer systems, resulting in the exposure of data of over 93 million people.

Xerox says some personal information held by its Business Solutions subsidiary was stolen in a recent cyber attack. The incident had no impact on Xerox’s corporate systems, operations or data, the company says.

Finally, Google is expected to soon start publicly testing a version of its web browser that by default deletes third-party cookies. The goal is to improve privacy. According to The Register, an estimated 30 million Chrome users – representing roughly one percent of the user base – will be involved in the test. In the second half of this year a broader phase-out of third-party cookies is expected. Chrome users have been able to opt in to a program of dropping third-party cookies for several months.

Note that because of the holidays there won’t be a Week in Review podcast this afternoon. The show resumes next Friday.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, Jan. 5, 2023 – 23andMe blames poor user password practices for a data breach first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
