Hundreds dead, thousands wounded—Hamas’ surprise attack on Israel shows the limits of even the most advanced and invasive surveillance dragnets as full-scale war erupts.

The Gaza Strip is one of the most densely populated areas on the planet. It’s also one of the most heavily locked down, surveilled, and suppressed. Israel has evolved an entire intelligence apparatus and aggressive digital espionage industry around advancing its geopolitical interests, particularly its interminable conflict in the Gaza Strip and the West Bank. Yet on Saturday, Hamas militants caught Israel unaware with a series of devastating land, air, and sea attacks, killing hundreds of people and leaving thousands wounded. Israel has now declared war.

Hamas’ surprise attack on Saturday is shocking given not only its scale compared to previous attacks, but also the fact that it was planned and carried out without Israel’s knowledge. Hamas’ deadly barrage underscores the limitations of even the most intrusive surveillance dragnets. In fact, experts say the sheer quantity of intelligence that Israel collects on Hamas, as well as the group’s constant activity and organizing, may have played a role in obscuring plans for this particular attack amid the endless barrage of potentially credible threats.

“There's no doubt that the scale and scope of this Hamas attack indicate just a colossal intelligence failure on behalf of the IDF \[Israel Defense Forces\] and in Shin Bet, the internal security agency,” says Raphael Marcus, a visiting research fellow at King’s College London’s Department of War Studies who focuses on the region. “They have such technical prowess and also a legacy of excellent human source capability.”

Israel is known for heavily monitoring Gaza and anyone who could be connected to Hamas using both traditional intelligence-gathering techniques and digital surveillance like facial recognition and spyware. Israel has proved its hacking skills and technical sophistication on the global stage for years, participating in the development of innovative malware for both digital espionage and cyber-physical attacks. The fact that Hamas was able to plan such an unprecedented and complex attack speaks to the limitations and inevitable blind spots of even the most comprehensive surveillance regime.

Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security, emphasizes that when you have a firehose of intelligence streaming in from an array of sources, and when the climate is as fraught as that between Israel and Palestine, the challenge is organizing and parsing the information, not gathering it.

“Intelligence in an environment like Israel isn't finding a needle in a haystack—it's finding the needle that will hurt you in a pile of needles,” Williams says. “Given the number of Hamas members involved in the invasion, it's not plausible to me that Israel missed every human intelligence reflection of the planning. But I feel confident that there are always Hamas operatives talking about credible plans to attack the IDF. So Israel can't respond with force to every threat, even every credible one. They'd be at a heightened state of alert or actively engaged all the time, and that's probably actually worse for security.”

Though details of exactly how the attack happened are still emerging, it seems that oversights related to grappling with this signal-and-noise conundrum played a role.

“In retrospect, there was some information, but, like happens in all intelligence failures, it wasn't given sufficient consideration. It was misunderstood,” says Chuck Freilich, a former Israeli deputy national security adviser. “I think in the last days, from my understanding, there were some warning signs. And actually, the intelligence establishment had been warning for the past about half-year that there was going to be a significant conflict with Hamas, that they were bent on escalating the situation. But then they misread the signs.”

Colin Clarke, the director of research at the Soufan Group, an intelligence and security consultancy, says the Hamas attack would have “required months of preparation” and intelligence failures likely happened with both human intelligence and signals intelligence, where electronic and communications data is collected. “I’m still astonished that a breakdown in intelligence occurred at this level,” Clarke says. “I don’t think anybody, including the Israelis, were prepared for an operation this complex and multi-pronged.”

Crucial intelligence oversights could have happened as the result of numerous intersecting failures, says King’s College London’s Marcus. The Israeli intelligence apparatus may have misunderstood Hamas’s intentions, misread the context of crucial leads, been distracted by Israel’s political efforts with Saudi Arabia, or been grappling with domestic challenges. Israeli forces have complained, for example, of a brain drain from the IDF as individuals get pulled toward the private sector.

“I think that this wasn't just a military failure—I think that this was a dramatic failure of national leadership,” says Freilich, who authored _Israel and the Cyber Threat: How the Startup Nation Became a Global Cyber Power_. The ambush calls to mind the outbreak of fighting during Ramadan in October 1973 in which an Arab bloc targeted Israel with a surprise attack on the Jewish holy day Yom Kippur to set off nearly 20 days of fighting.

Palestinians in occupied territories, including the West Bank and Gaza Strip, have faced surveillance and controls for years, with many calling the conditions an apartheid. In September 2021, Israeli forces announced the completion of a 40-mile-long barrier around the Gaza Strip—the sliver of land between Israel, Egypt, and the Mediterranean Sea—that is essentially a “smart wall” equipped with radar, cameras, underground sensors, and an array of other surveillance instruments.

“Palestinians are subjected to multi-layered surveillance,” says Mona Shtaya, a non-resident fellow at the Tahrir Institute for Middle East Policy. “Various surveillance technologies are employed against Palestinians, including drones, mobile bugs (spyware) that have previously been uncovered as being injected into electronic devices prior to entry into the Gaza Strip.”

Shtaya adds that CCTV cameras are placed at entrances to the Gaza Strip, and that there is “continuous” online surveillance of people in the occupied areas. “It would not be an exaggeration to say that Palestinians are under surveillance in nearly every facet of their lives,” she says.

Such persistent surveillance can make people change their behaviors and limits freedom of expression and speech. “We can observe this phenomenon when people communicate with their families over phone calls or when they post content online, as they may alter certain keywords,” Shtaya says.

As Hamas attacked Israel on Saturday, videos emerged of a brute force approach: a bulldozer breaking through portions of the fence as hundreds of militants stormed into Israel using motorbikes, boats, and apparently paragliders. _Haaretz_ reported on Sunday that Hamas was able to gain so much ground because of IDF logistics issues in addition to intelligence failings.

While Israel’s technology industry has helped create many surveillance capabilities and pushed the global industry forward, Hamas, which is sanctioned as a terrorist organization in the US, also uses some digital tools in its operations. The group has leaned heavily on distributing its propaganda through radio and TV to legitimize its rule in Gaza, while it utilizes social media to a lesser extent, according to a review by the Center for Strategic and International Studies earlier this year. Still, Hamas has used fake Facebook accounts to lure Israeli soldiers into downloading data-stealing apps, and has distributed fake dating apps that are really spyware. In 2019, Israeli forces bombed a building they claimed housed a Hamas hacking group.

Multiple sources tell WIRED that they suspect Iran was involved in helping Hamas carry out its assault on Saturday, given the sophistication and intricacy of the attack. Iran has long-standing ties to Hamas, and its officials have praised the recent attacks.

As the conflict ramps up into full-scale war, there is significant concern about the number of civilians impacted, with Amnesty International saying it is “deeply alarmed” by the civilian deaths in Israel, Gaza, and the West Bank. The Hamas assault has killed at least 700 and injured more than 2,000 Israelis on Saturday, according to the latest available figures. Video footage and reports shared online depict Hamas gunmen killing civilians, leaving bloody bodies scattered through the streets, and taking dozens of hostages. In response, Israel is launching large-scale airstrikes against Hamas targets in Gaza, while working to retake militant-controlled areas and preparing for offensive actions, including a possible ground invasion of Gaza. At least 370 Palestinians in Gaza have been killed and more than 2,000 wounded so far.

Israel Defense Forces say women and children have been taken hostage. Israel has also cut power to Gaza and internet monitoring firms say there has been a decrease in connectivity. As the fog of surveillance gives way to the fog of war, the current situation in Israel serves as an important illustration that unrelenting surveillance does not equate to or guarantee security.

_Additional reporting by_ _Morgan Meaker_

Israel's Failure to Stop the Hamas Attack Shows the Danger of Too Much Surveillance

Plus: Sony confirms a breach of its networks, US federal agents get caught illegally using phone location data, and more.

Does the public have a right to see gruesome photos of animal test subjects taken by a public university?

That question underpins an ongoing court battle between UC Davis and the Physicians Committee for Responsible Medicine, an animal welfare group, which is fighting for the release of photos of dead monkeys used in tests of Elon Musk–owned Neuralink’s brain-chip implants. A WIRED investigation this week revealed the extent to which Neuralink and UC Davis have gone to keep images of the tests secret.

Also this week, an investigation by the Markup, copublished with WIRED, analyzed crime predictions by Geolitica (formerly PredPol) in Plainfield, New Jersey, and found that they accurately predicted crime less than 1 percent of the time. As WIRED previously reported, Geolitica is shutting down at the end of this year and being sold for parts to SoundThinking, maker of the gunshot-detection system ShotSpotter.

Earlier this year, the data-extortion gang Clop exploited a vulnerability in the widely used file-transfer service MOVEit, racking up victims around the globe including major corporations and US government agencies. The full number of victim organizations continues to climb into the thousands, with more than 3.4 million people’s data potentially stolen, making it the biggest hack of 2023.

If you own an inexpensive Android TV streaming box, you may want to toss it into the sea—or recycle it responsibly. New research found that at least eight cheap streaming boxes contained a backdoor that connects the devices with servers in China and is used to commit fraud and other cybercrime. Researchers also found dozens of Android, iOS, and TV box apps that were used for fraudulent behavior. While at least some of the apps have been removed from the app stores, more than 120,000 Android devices and 150,000 iOS devices were impacted.

Speaking of phone security, we detailed how to know when your device will stop getting security updates and how to keep Google from using your data in its generative AI tool, Bard. Finally, we profiled the team at a UK-based nonprofit that’s helping women fight back against digital domestic violence.

That’s not all. Each week we round up the security and privacy news that we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

When WIRED first reported that Apple had sent a letter responding to demands from an anti-child-exploitation group called Heat Initiative, we had one big question: What the hell is Heat Initiative? An investigation by the Intercept now provides some clues.

According to the Intercept, the group is funded by “dark-money donors” linked to billionaire Democrats. Sarah Gardner, who leads the group, refused to comment on Heat Initiative’s funding and said she disagrees with Apple’s “privacy-absolutist” approach. The group, which had virtually no online presence when Apple sent that letter, is now waging a high-profile campaign to force the company to do more to scan for child sexual abuse material (CSAM) on users’ devices and iCloud storage, which would likely mean weakening encryption.

After Apple scrapped plans to scan images on users’ devices for CSAM amid widespread backlash, the company focused instead on tools known as Community Safety features for reporting CSAM. It also rolled out encrypted iCloud options. The company says it cannot meet Heat Initiative demands without compromising user privacy and security.

Sony Interactive Entertainment confirmed this week that it is the latest victim of the aforementioned MOVEit breach. The company says it has informed some 6,800 people, including past and current employees, about the breach, which may have exposed Social Security numbers and personal information. Data-extortion gang Clop has claimed responsibility for the breach, which Sony says it detected on June 2. Sony says it is working with cybersecurity experts and law enforcement as part of its investigation into the intrusion.

Agents working for the US Customs and Border Protection, Immigration and Customs Enforcement, and the US Secret Service broke the law by purchasing commercially available phone location data, according to a new report from the US Department of Homeland Security’s inspector general. Privacy and civil liberty advocates have long argued that the purchase of such data, known in the US government as commercial telemetry data (CTD), circumvents Fourth Amendment protections against unreasonable searches and seizures because agents don’t need to obtain a warrant to buy the information. But the inspector general report says the data was illegally accessed because agents failed to conduct a mandated privacy impact assessment before buying CTD.

The US Department of Justice this week unsealed indictments against eight Chinese firms and 12 of their employees, accusing them of producing and distributing chemicals needed for the production of fentanyl, a deadly opioid, in the United States. The employees and companies were also sanctioned by the US Treasury Department, cutting them off from US financial institutions. According to the DOJ, the companies “tend to use cryptocurrency transactions to conceal their identities and the location and movement of their funds.”

“We have identified and blocked over a dozen virtual currency wallets associated with these actors,” Treasury deputy secretary Wally Adeyemo said during a press conference on October 3. “The blocked wallets, which received millions of USD funds over hundreds of deposits, illustrate the scope and scale of the operation targeted today.”

Apple's Encryption Is Under Attack by a Mysterious Group

By Owais Sultan
SEO vs. PPC – Understanding the Difference and Choosing the Right Strategy for Your Business – Let’s delve…
This is a post from HackRead.com Read the original post: SEO vs. PPC: Choosing the Right Strategy for Your Business

SEO vs. PPC – Understanding the Difference and Choosing the Right Strategy for Your Business – Let’s delve into it.

Visibility is everything for online businesses nowadays – if you want visitors on your website, you’ll need some sort of exposure that will redirect users to your URL. The two most popular methods of this is through Search Engine Optimization, also known as SEO, or Pay-Per-Click (PPC) advertising. Both have their advantages, but which one is right for your business?

****What is SEO?****

Search Engine Optimization, or SEO, is a collection of techniques – some might even call it art – related to improving the visibility of your website in organic (i.e., non-paid) search engine results. This can be achieved by optimizing various website areas, primarily including its content, structure, and backlinks.

A website that is well-optimized will be able to attract a steady stream of traffic over time much easier. Since SEO relies purely on organic search results, users often trust these results more than paid ads, potentially increasing conversion rates and improving brand image when compared to other methods of online advertising.

SEO costs are usually lower than those of PPC campaigns, but it requires a holistic approach to be effective, typically restructuring entire websites and dramatically changing content, which might take some time to fully deploy.

****What is PPC?****

PPC is short for Pay-Per-Click advertising and involves placing ads on platforms like Google Ads or Meta Ads, where businesses can pay for their ad to be displayed and pay a set fee each time it is clicked. This method offers brands immediate visibility and can drive traffic to specific landing pages easily. Most platforms also offer handy tools for precise targeting of your ads, based on keywords, demographics, location, audience interests, and more. 

Looking for professional PPC services in London? Don’t leave your online visibility to amateurs – go with an experienced digital agency like Nautilus Marketing, which provides measurable performance indicators to track the effectiveness of PPC campaigns and implements optimal changes when necessary.

****PPC vs. SEO Strategies****

SEO can be more cost-effective in the long run, building trust and credibility in addition to just traffic. The results it provides are long-lasting and can significantly influence brand visibility. These results, however, are not immediate – SEO requires patience, and changes might take time to show up in measurable indicators. What’s more, search engine algorithms are constantly evolving, which can affect ranking and needs constant attention and monitoring.

PPC campaigns, on the other hand, give immediate results and traffic that is easily trackable. The specific ads can be easily targeted to your desired audience, and the budget can be adjusted dynamically according to your needs.

However, PPC campaigns can be expensive, especially in competitive niches, and the costs may increase based on targeting settings. It requires a constant budget that must be maintained, or the ads will immediately disappear, cutting visibility. Users might also be wary of paid advertisements, discouraging conversions.

In the end, which strategy is better depends on your specific needs, niche, and business model. SEO and PPC have their place in a comprehensive digital marketing strategy – a blend of both might often be the most effective approach.

****_RELATED ARTICLES_****

1.  How SASE Supports Digital Transformation
2.  The Most In-Demand Freelance Skills for 2023
3.  Understanding the E-Commerce Marketplaces in Europe
4.  cheqd’s Recent Rollout Focuses on Monetizing Digital Identity
5.  Key Considerations When Transferring Your Digital Workspace

SEO vs. PPC: Choosing the Right Strategy for Your Business

Directory Traversal vulnerability in Hex-Dragon Plain Craft Launcher 2 version Alpha 1.3.9, allows local attackers to execute arbitrary code and gain sensitive information.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-36123: GitHub - 9Bakabaka/CVE-2023-36123: The PoC of CVE-2023-36123

An issue in NETIS SYSTEMS N3Mv2 v.1.0.1.865 allows a remote attacker to cause a denial of service via the authorization component in the HTTP request.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-44860: CVE/netis_N3/Improper Authentication Mechanism Leading to Denial-of-Service (DoS).md at main · adhikara13/CVE

File Upload vulnerability in Simple and Nice Shopping Cart Script v.1.0 allows a remote attacker to execute arbitrary code via the upload function in the edit profile component.

CVE-2023-44061: CVE-2023-44061/poc.md at main · soundarkutty/CVE-2023-44061

** DISPUTED ** libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."

Skip to content

GitLab 

**Memory error: heap-use-after-free in xmllint (xmlUnlinkNode)**

I am using the current commit 778cca38.

There is a heap-use-after-free error when I run xmllint on some input file and on some program options. I attach the xml input file here input.xml

To reproduce the error, run:

./libxml2/xmllint --copy --html --maxmem 315229 input.xml

The ASAN output is the following:

    ==12246==ERROR: AddressSanitizer: heap-use-after-free on address 0xffffa3052580 at pc 0xaaaacd087148 bp 0xffffc11cad10 sp 0xffffc11cad20
    WRITE of size 8 at 0xffffa3052580 thread T0
        #0 0xaaaacd087144 in xmlUnlinkNode (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc07144)
        #1 0xaaaacd06ceac in xmlFreeDoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xbeceac)
        #2 0xaaaaccee01d8 in parseAndPrintFile (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa601d8)
        #3 0xaaaacceeed08 in main (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa6ed08)
        #4 0xffffa82a73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #5 0xffffa82a74c8 in __libc_start_main_impl ../csu/libc-start.c:392
        #6 0xaaaaccecf7ec in _start (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa4f7ec)
    
    0xffffa3052580 is located 96 bytes inside of 160-byte region [0xffffa3052520,0xffffa30525c0)
    freed by thread T0 here:
        #0 0xffffa8c79fe8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
        #1 0xaaaacd141a3c in xmlMemFree (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xcc1a3c)
        #2 0xaaaacced0d04 in myFreeFunc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa50d04)
        #3 0xaaaacd0842e4 in xmlFreeNodeList (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc042e4)
        #4 0xaaaacd08db9c in xmlStaticCopyNodeList (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc0db9c)
        #5 0xaaaacd090238 in xmlCopyDoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc10238)
        #6 0xaaaaccedd330 in parseAndPrintFile (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa5d330)
        #7 0xaaaacceeed08 in main (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa6ed08)
        #8 0xffffa82a73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #9 0xffffa82a74c8 in __libc_start_main_impl ../csu/libc-start.c:392
        #10 0xaaaaccecf7ec in _start (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa4f7ec)
    
    previously allocated by thread T0 here:
        #0 0xffffa8c7a2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0xaaaacd13fd0c in xmlMallocLoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xcbfd0c)
        #2 0xaaaacd140b58 in xmlMemMalloc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xcc0b58)
        #3 0xaaaacced0d24 in myMallocFunc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa50d24)
        #4 0xaaaacd08abf8 in xmlStaticCopyNode (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc0abf8)
        #5 0xaaaacd08d930 in xmlStaticCopyNodeList (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc0d930)
        #6 0xaaaacd090238 in xmlCopyDoc (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc10238)
        #7 0xaaaaccedd330 in parseAndPrintFile (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa5d330)
        #8 0xaaaacceeed08 in main (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa6ed08)
        #9 0xffffa82a73f8 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #10 0xffffa82a74c8 in __libc_start_main_impl ../csu/libc-start.c:392
        #11 0xaaaaccecf7ec in _start (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xa4f7ec)
    
    SUMMARY: AddressSanitizer: heap-use-after-free (/demo/test/libxml2-23-8-23/libxml2/xmllint+0xc07144) in xmlUnlinkNode
    Shadow bytes around the buggy address:
      0x200ff460a460: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
      0x200ff460a470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x200ff460a480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x200ff460a490: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x200ff460a4a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x200ff460a4b0:[fd]fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
      0x200ff460a4c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x200ff460a4d0: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
      0x200ff460a4e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x200ff460a4f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x200ff460a500: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==12246==ABORTING

If any program option is removed, the issue does not trigger.

CVE-2023-45322: Memory error: heap-use-after-free in xmllint (xmlUnlinkNode) (#583) · Issues · GNOME / libxml2 · GitLab

At least a million data points from 23andMe accounts appear to have been exposed on BreachForums. While the scale of the campaign is unknown, 23andMe says it's working to verify the data.

The genetic testing company 23andMe confirmed on Friday that data from a subset of its users has been compromised. The company said its systems were not breached and that attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives. Users opt into sharing their information through DNA Relatives for others to see. 

Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained 1 million data points exclusively about Ashkenazi Jews. There also seem to be hundreds of thousands of users of Chinese descent impacted by the leak. On Wednesday, the actor began selling what it claims are 23andMe profiles for between $1 and $10 per account, depending on the scale of the purchase. The data includes things like a display name, sex, birth year, and some details about genetic ancestry results, like that someone is, say, of “broadly European” or “broadly Arabian” descent. It may also include some more specific geographic ancestry information. The information does not appear to include actual, raw genetic data.

The company emphasized in a statement that it does not see evidence that its systems have been breached. It also encouraged users to use strong, unique passwords and enable two-factor authentication to keep attackers from compromising their individual accounts using login credentials exposed in other data breaches.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” the company said in a statement. “We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.” 

The company has not been clear on whether it has validated the data the threat actor leaked, noting that its investigation is ongoing and that it currently has “preliminary results.” A spokesperson for the company told WIRED that the leaked information is consistent with a situation in which some user accounts were exposed and then leveraged to scrape data visible in DNA Relatives. But when pressed on the details of whether the data has been validated, the spokesperson said that verifying the data is pending and that the company cannot currently confirm whether the leaked information is real.

This point is significant both for everyone whose information may have been compromised and because the data posted by the actor claims to include “celebrities.” Entries for technologists Mark Zuckerberg, Elon Musk, and Sergey Brin are all visible in the sample data, including “Profile ID,” “Account ID,” name, sex, birth year, current location, and fields known as “ydna” and “ndna.” It is unclear if the data for these entries is legitimate or was inserted. For example, Musk and Brin appear to have the same profile and account IDs in the leak.

The technique of using credentials exposed in other data breaches to infiltrate accounts where those logins have been reused is known as “credential stuffing” and is a widely used account compromise technique.

“Credential stuffing never really went away and a lot of it just comes down to the fact that humans reuse their passwords—that's what makes it possible,” says Ronnie Tokazowski, a longtime digital scams researcher. “And the fact that it's claiming to target a Jewish population or celebrities—it’s not shocking. It reflects the underbelly of the internet.”

The full picture of why the data was stolen, how much more the attackers have, and whether it is actually focused entirely on Ashkenazim is still unclear.

“When data is shared relating to ethic, national, political or other groups, sometimes it's because those groups have been specifically targeted, but sometimes it's because the person sharing the data thinks it'll make reputation-boosting headlines,” says Brett Callow, a threat analyst at security firm Emsisoft. 

Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping.

“This incident really highlights the risks associated with DNA databases,” Callow says. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

_Update 7:00 pm ET, October 6 to note that data from hundreds of thousands of 23andMe users of Chinese descent seems to have also been exposed in the incident._

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2.

**Cross-site Scripting in snipe/snipe-it**

Moderate severity GitHub Reviewed Published Oct 6, 2023 to the GitHub Advisory Database • Updated Oct 9, 2023

GHSA-rr5c-69c9-gj9f: Cross-site Scripting in snipe/snipe-it

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary.

**Code injection in fsevents**

Moderate severity GitHub Reviewed Published Oct 6, 2023 to the GitHub Advisory Database • Updated Oct 9, 2023

Tag

#git