23andMe Blames Users for Recent Data Breach as It’s Hit With Dozens of Lawsuits

It’s been nearly two years since Russia’s invasion of Ukraine, and as the grim milestone looms and winter drags on, the two nations are locked in a grueling standoff. Ukraine’s top general says that to “break military parity” with Russia, Kyiv needs a military innovation on the scale of the invention of gunpowder, one that would decide the conflict while advancing modern warfare.

If you made some New Year’s resolutions related to digital security (it’s not too late!), check out our rundown of the most significant software updates to install right now, including fixes from Google for nearly 100 Android bugs. It’s close to impossible to be completely anonymous online, but there are steps you can take to dramatically enhance your digital privacy. And if you’ve been considering turning on Apple’s extra-secure Lockdown Mode, it’s not as hard to enable or as onerous to use as you might think.

If you’re just not quite ready to say goodbye to 2023, take a look back at WIRED’s highlights (or lowlights) of the most dangerous people on the internet last year and the worst hacks that upended digital security.

But wait, there’s more! Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

23andMe said at the beginning of October that attackers had infiltrated some of its users’ accounts and abused this access to scrape personal data from a larger subset of users through the company’s opt-in social sharing service known as DNA Relatives. By December, the company disclosed that the number of compromised accounts was roughly 14,000 and admitted that personal data from 6.9 million DNA Relatives users had been impacted. Now, facing more than 30 lawsuits over the breach—even after tweaking its terms of service to make legal claims against the company more difficult—the company said in a letter to some individuals that “users negligently recycled and failed to update their passwords following … past security incidents, which are unrelated to 23andMe.” This references 23andMe’s long-standing assessment that attackers compromised the 14,000 user accounts through “credential stuffing,” the process of accessing accounts using usernames and passwords compromised in other data breaches from other services that people have reused on multiple digital accounts. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the company wrote in the letter.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing victims who received the letter, told TechCrunch. “23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing—especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform.”

Russia’s war—and cyberwar—in Ukraine has for years produced novel hybrids of hacking and physical attacks. Here’s another: Ukrainian officials this week said that they had blocked multiple Ukrainian civilians’ security cameras that had been hacked by the Russian military and used to target recent missile strikes on the capital of Kyiv. Ukraine’s SBU security service says the Russian hackers went so far as to redirect the cameras and stream their footage to YouTube. According to the SBU, that footage then likely aided Russia’s targeting in its bombardment on Tuesday of Kyiv, as well as the Eastern Ukrainian city of Kharkiv, with more than a hundred drones and missiles that killed five Ukrainians and injured well over a hundred. In total, since the start of Russia’s full-scale invasion of Ukraine in February 2022, the SBU says it’s blocked about 10,000 security cameras to prevent them from being hijacked by Russian forces.

Last month, a Russian cyberattack hit the telecom firm Kyivstar, crippling phone service for millions of people across Ukraine and silencing air raid warnings amid missile strikes in one of the most impactful hacking incidents since Russia’s full-scale invasion began. Now, Illia Vitiuk, the cyber chief of Ukraine’s SBU security service, tells Reuters that the hackers accessed Kyivstar’s network as early as March 2023 and lay in wait before they “completely destroyed the core” of the company in December, wiping thousands of its machines. Vitiuk added that the SBU believes the attack was carried out by Russia’s notorious Sandworm hacking group, responsible for most of the high-impact cyberattacks against Ukraine over the last decade, including the NotPetya worm that spread from Ukraine to the rest of the world to cause $10 billion in total damage. In fact, Vitiuk claims that Sandworm attempted to penetrate a Ukrainian telecom a year earlier but the attack was detected and foiled.

This week in creepy headlines: 404 Media’s Joseph Cox discovered that a Google contractor, Telus, has offered parents $50 to upload videos of their children’s faces, apparently for use as machine learning training data. According to a description of the project Telus posted online, the data collected from the videos would include eyelid shape and skin tone. In a statement to 404, Google said that the videos would be used in the company’s experiments in using video clips as age verification and that the videos would not be collected or stored by Telus but rather by Google—which doesn’t quite reduce the creep factor. “As part of our commitment to delivering age-appropriate experiences and to comply with laws and regulations around the world, we’re exploring ways to help our users verify their age,” Google told 404 in a statement. The experiment represents a slightly unnerving example of how companies like Google may not simply harvest data online to hone AI but may, in some cases, even directly pay users—or their parents—for it.

A decade ago, Wickr was on the short list of trusted software for secure communications. The app’s end-to-end encryption, simple interface, and self-destructing messages made it a go-to for hackers, journalists, drug dealers—and, unfortunately, traders in child sexual abuse materials—seeking surveillance-resistant conversations. But after Amazon acquired Wickr in 2021, it announced in early 2023 that it would be shutting down the service at the end of the year, and it appears to have held to that deadline. Luckily for privacy advocates, end-to-end encryption options have grown over the past decade, from iMessage and WhatsApp to Signal.

The Startup That Transformed the Hack-for-Hire Industry

If you’re looking for a long read to while away your weekend, we’ve got you covered. First up, WIRED senior reporter Andy Greenberg reveals the wild story behind the three teenage hackers who created the Mirai botnet code that ultimately took down a huge swath of the internet in 2016. WIRED contributor Garrett Graff pulls from his new book on UFOs to lay out the proof that the 1947 “discovery” of aliens in Roswell, New Mexico, never really happened. And finally, we take a deep dive into the communities that are solving cold cases using face recognition and other AI.

That’s not all. Each week, we round up the security and privacy stories we didn’t report in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

For years, mercenary hacker companies like NSO Group and Hacking Team have repeatedly been the subject of scandal for selling their digital intrusion and cyberespionage services to clients worldwide. Far less well-known is an Indian startup called Appin that, from its offices in New Delhi, reportedly enabled customers worldwide to hack whistleblowers, activists, corporate competitors, lawyers, and celebrities on a giant scale.

In a sprawling investigation, Reuters reporters spoke to dozens of former Appin staff and hundreds of its hacking victims. It also obtained thousands of its internal documents—including 17 pitch documents advertising its “cyber spying” and “cyber warfare” offerings—as well as case files from law enforcement investigations into Appin launched from the US to Switzerland. The resulting story reveals in new depth how a small Indian company “hacked the world,” as Reuters writes, brazenly selling its hacking abilities to the highest bidder through an online portal called My Commando. Its victims, as well as those of copycat hacking companies founded by its alumni, have included Russian oligarch Boris Berezovsky, Malaysian politician Mohamed Azmin Ali, targets of a Dominican digital tabloid, and a member of a Native American tribe who tried to claim profits from a Long Island, New York, casino development on his reservation.

The ransomware group known as Scattered Spider has distinguished itself this year as one of the most ruthless in the digital extortion industry, most recently inflicting roughly $100 million in damage to MGM Casinos. A damning new Reuters report—their cyber team has had a busy week—suggests that at least some members of that cybercriminal group are based in the West, within reach of US law enforcement. Yet they haven’t been arrested. Executives of cybersecurity companies who have tracked Scattered Spider say the FBI, where many cybersecurity-focused agents have been poached by the private sector, may lack the personnel needed to investigate. They also point to a reluctance on the part of victims to immediately cooperate in investigations, sometimes depriving law enforcement of valuable evidence.

Denmark’s critical infrastructure Computer Emergency Response Team, known as SektorCERT, warned in a report on Sunday that hackers had breached the networks of 22 Danish power utilities by exploiting a bug in their firewall appliances. The report, first revealed by Danish journalist Henrik Moltke, described the campaign as the biggest of its kind to ever target the Danish power grid. Some clues in the hackers’ infrastructure suggest that the group behind the intrusions was the notorious Sandworm, aka Unit 74455 of Russia’s GRU military intelligence agency, which has been responsible for the only three confirmed blackouts triggered by hackers in history, all in Ukraine. But in this case, the hackers were discovered and evicted from the target networks before they could cause any disruption to the utilities’ customers.

Last month, WIRED covered the efforts of a whitehat hacker startup called Unciphered to unlock valuable cryptocurrency wallets whose owners have forgotten their passwords—including one stash of $250 million in bitcoin stuck on an encrypted USB drive. Now, the same company has revealed that it found a flaw in a random number generator widely used in cryptocurrency wallets created prior to 2016 that leaves many of those wallets prone to theft, potentially adding up to $1 billion in vulnerable money. Unciphered found the flaw while attempting to unlock $600,000 worth of crypto locked in a client’s wallet. They failed to crack it but in the process discovered a flaw in a piece of open-source code called BitcoinJS that left a wide swath of other wallets potentially open to be hacked. The coder who built that flaw into BitcoinJS? None other than Stefan Thomas, the owner of that same $250 million in bitcoin locked on a thumb drive.

A Civil Rights Firestorm Erupts Around a Looming Surveillance Power Grab

United States lawmakers are receiving a flood of warnings from across civil society not to bend to the efforts by some members of Congress to derail a highly sought debate over the future of a powerful but polarizing US surveillance program.

House and Senate party leaders are preparing to unveil legislation on Wednesday directing the spending priorities of the US military and its $831 billion budget next year. Rumors, meanwhile, have been circulating on Capitol Hill about plans reportedly hatched by House speaker Mike Johnson to amend the bill in an effort to extend Section 702, a sweeping surveillance program drawing fire from a large contingent of Democratic and Republican lawmakers favoring privacy reforms.

WIRED first reported on the rumors on Monday, citing senior congressional aides familiar with ongoing negotiations over the bill, the National Defense Authorization Act (NDAA), separate versions of which were passed by the House and Senate this summer.

More than 80 civil rights and grassroots organizations—including Asian Americans Advancing Justice | AAJC, Color of Change, Muslims for Just Futures, Stop AAPI Hate, and United We Dream—signed a statement this morning opposing “any efforts” to extend the 702 program using the NDAA. The statement, expected to hit the inboxes of all 535 members of Congress this afternoon, says that failure to reform contentious aspects of the program, such as federal agents’ ability to access Americans’ communications without a warrant, poses an “alarming threat to civil rights,” and that any attempt to use must-pass legislation to extend the program would “sell out the communities that have been most often wrongfully targeted by these agencies and warrantless spying powers generally.”

“As you’re aware, this extremely controversial warrantless surveillance authority is set to expire at the end of the year, but will continue to operate as it does currently until April, as government officials have recognized for many years,” the groups say.

Johnson and Senate majority leader Chuck Schumer did not respond to WIRED’s request for comment. Leadership of the House and Senate armed services committees likewise did not respond.

Section 702 of the Foreign Intelligence Surveillance Act authorizes the US government, namely, the US National Security Agency, to surveil the communications of foreign citizens believed to be overseas. Oftentimes, these communications—texts, calls, emails, and other web traffic—“incidentally” involve Americans, whom the government is forbidden from directly targeting. But certain methods of interception, those that tap directly into the internet’s backbone, may make it impossible to fully disentangle foreign communications from domestic ones.

Senate Leaders Plan to Prolong NSA Surveillance Using a Must-Pass Bill

Leaders in the United States Senate have been discussing plans to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA) beyond its December 31 deadline by amending must-pass legislation this month.

A senior congressional aide tells WIRED that leadership offices and judiciary sources have both disclosed that discussions are underway about saving the Section 702 program in the short term by attaching an amendment extending it to a bill that is sorely needed to extend federal funding and avert a government shutdown one week from now.

The program, last extended in 2018, is due to expire at the end of the year. Without a vote to reauthorize 702, the US government will lose its ability to obtain year-long “certifications” compelling telecommunications companies to wiretap overseas calls, text messages, and emails without being served individual warrants or subpoenas.

Whether the authority is reauthorized before expiring on January 1 or not, the actual surveillance is likely to continue into the spring, when this year’s certifications expire.

Extending the program by attaching it to another bill that Congress can’t avoid is a risky political maneuver that will cause significant unrest among a majority of House lawmakers and a number of senators who are working to reform the 702 program. A top priority for privacy hawks is curtailing the ability of federal law enforcement to use 702 data “incidentally” collected on Americans. The 702 program collects communications from two sources: internet service providers and the companies that conduct traffic between them. The latter source is tapped less frequently but intercepts a greater quantity of domestic communications.

An aide to Jim Jordan, the Republican chair of the House Judiciary Committee, said Jordan was firmly on the side of the reformers and would not support extending 702 through a temporary measure. Chuck Schumer, the senate majority leader, did not respond to a request for comment Thursday afternoon.

“America’s security and its citizens’ rights demand more than a short-term fix. Congress has had all year to scrutinize and address this crucial policy question,” says James Czerniawski, a senior policy analyst at the nonprofit Americans for Prosperity. “Doing a short-term extension punts the ball on the critical reforms desperately needed to this program to protect Americans’ civil liberties.”

While surveillance of US calls is illegal and unconstitutional without a warrant based on probable cause, the government is permitted to collect domestic calls for specific national security purposes under procedures created to minimize its access to them later. The US National Security Agency, which conducts electronic surveillance for the Pentagon, is only permitted to eavesdrop on foreigners who are overseas. Those foreigners, however, many of whom are likely government officials and not criminals or terrorists, frequently exchange calls and emails with people inside the United States, and those get collected as well.

Government Surveillance Reform Act of 2023 Seeks to End Warrantless Police and FBI Spying

In 1763, the radical journalist and colonial sympathizer John Wilkes published issue no. 45 of North Briton, a periodical of anonymous essays known for its virulent anti-Scottish drivel—and for viciously satirizing a British prime minister until he quit his job. The fallout from the subsequent plan of the British king, George III, to see Wilkes put in irons for the crime of being too good at lambasting his own government reverberates today, particularly in the nation whose founders once held Wilkes up as an idol, plotting a revolt of their own.

Wilkes’ arrest boiled the Americans’ blood. Reportedly, the politician-cum-fugitive had invited the king’s men into his home to read the warrant for his arrest aloud. He quickly tossed it aside. At trial, Wilkes explained its most insidious feature: “It named nobody,” he said, “in violation of the laws of my country.” This so-called general warrant, which subsequent lawsuits by Wilkes would see permanently banned, vaguely described some criminal allegations, but not a single place to be searched nor suspect to be arrested was named. This ambiguity granted the king’s men near blanket authority to arrest anyone they wanted, raid their homes, and ransack and destroy their possessions and heirlooms, confiscating large bundles of private letters and correspondence. When the Americans later passed an amendment to ban vague legal warrants describing neither “the place to be searched” nor “persons or things to be seized,” it was Wilkes’s home, historians say, that they pictured.

This morning, a group of United States lawmakers introduced bicameral legislation aimed, once again, at reining in a government accused of arbitrarily snatching up the private messages of its own citizens—not by breaking down doors and seizing handwritten notes, but by tapping directly into the power of the internet to collect an endless ocean of emails, calls, and texts. The Government Surveillance Reform Act of 2023 (GSRA)—introduced in the US House by representatives Zoe Lofgren and Warren Davidson, and in the US Senate by Ron Wyden and Mike Lee—is a Frankenstein bill more than 200 pages long, combining the choicest parts of a stack of cannibalized privacy bills that rarely made it past committee. The patchwork effect helps form a comprehensive package, targeting various surveillance loopholes and tricks at all levels of government—from executive orders signed by the president, to contracts secured between obscure security firms and single-deputy police departments in rural areas.

“Americans know that it is possible to confront our country’s adversaries ferociously without throwing our constitutional rights in the trash can,” Wyden tells WIRED, adding that for too long surveillance laws have failed to keep up with the growing threats to people’s rights. The GSRA, he says, would not strip US intelligence agencies of their broad mandate to monitor threats at home or abroad, but rather restore warrant protections long recognized as core to democracy’s functioning.

The GSRA is a Christmas list for privacy hawks and a nightmare for authorities who rely on secrecy and circumventing judicial review to gather data on Americans without their knowledge or consent. A US Justice Department requirement that federal agents obtain warrants before deploying cell-site simulators would be codified into law and extended to cover state and local authorities. Police in the US would need warrants to access data stored on people’s vehicles, certain categories of which should already require one when the information is stored on a phone. The government could also no longer buy sensitive information about people that would require a judge’s consent, had they asked for it instead.

What’s more, the bill will end a grandfather clause that has kept expired portions of the USA Patriot Act alive, allowing the FBI to continue employing surveillance techniques that have technically been illegal for two years. Petitioners in federal court seeking relief due to privacy violations will also no longer be shown the door for having no more than a “reasonable basis” to believe they’ve been wrongfully searched or surveilled.