Rachel Tobac
Oct 10, 5 tweets, 3 min read
Thank you @lorenzofb @TechCrunch for discussing the 23andMe intrusion with me.
Here’s a breakdown thread with more of my thoughts:
1. What happened in this data leak?
2. What can orgs proactively do to prevent similar intrusions?
3. What can individuals do to limit their risk of account takeover in similar ways on other sites?
1. What happened in this data leak?

Cyber criminals were able to find passwords that were involved in other breaches online and use a method called “credential stuffing” to attempt those previously breached and reused passwords on 23andMe to login as other users.
Unfortunately, most folks reuse their passwords across many sites and apps and when those passwords are stolen they can be used to gain access to your account anywhere else the password is used online.
The attackers took the passwords from other breaches, stuffed them into 23andMe and then used an opt-in feature called DNA Relatives to enumerate genetic data of similar groups.
23andMe itself doesn’t yet appear to have been hacked; rather, the previously breached passwords reused by 23andMe users allowed the attacker to gain access to user accounts by logging in as those users and stealing sensitive genetic data.
2. What can organizations proactively do to prevent similar intrusions?

Companies have options to help their users avoid account takeover.

First, haveibeenpwned.com by @troyhunt allows for integrations with sites to warn users if their password is reused and findable online in a previous breach. This helps prevent users from reusing their passwords on a website. I highly recommend that companies use the integration to prevent password reuse on their own site — because remember, everyday folks don’t understand the difference between a credential stuffing attack that leads to account takeover and data leaks vs the site itself being hacked/breached with malware, etc. It’s in an org’s best interest to prevent password reuse on their site to avoid the negative impacts of data leaks no matter what (because a data leak will impact a brand regardless of the attack method in use).

Second, using a website without MFA on should feel like driving a car without your seatbelt on — obvious and with a clear next action. If your users don’t have MFA on, make it extremely clear and easy to turn MFA on. I thank @CISAJen @boblord for the car analogy.
3. What can individuals do to limit their risk of account takeover in similar ways on other sites?

- Avoid password reuse. Use long, random, and unique passwords on each site, generated and stored by/in a password manager. Or use passkeys anywhere they’re offered to avoid passwords altogether when you can.

- Use the right MFA for your threat model/digital literacy on every site and tool you use. For many people, that’s at least app-based MFA. Even SMS 2FA is better than nothing for many credential stuffing focused attacks. FIDO solutions are a great match for many people — I personally enjoy using @Yubico YubiKeys.

- Sign up for haveibeenpwned.com to get alerts when your usernames, email addresses, or passwords turn up in a breach, then change those passwords immediately and ensure MFA is on those accounts.
This is all about harm reduction: find the password manager and MFA strategy that works for you, your team, and your family/friends according to your threat model and digital literacy.

If you work at a company and are in charge of preventing similar credential stuffing intrusions — talk with your team about implementing the haveibeenpwned.com integration to detect and prevent password reuse.
Discuss how you can make using your site without MFA more like driving a car without a seatbelt.
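The password-reuse integration recommended in section 2 and again in the closing advice is the Pwned Passwords range check: the site hashes the candidate password client- or server-side, sends only the first five hex characters of the SHA-1 to the API, and compares the returned suffixes locally, so the full hash never leaves the checking system. The example below is added here and is not code from the thread or from Have I Been Pwned; it uses the public range endpoint URL and a constructed sample response so the parsing logic runs offline.

```python
import hashlib
import urllib.request

# Public HIBP Pwned Passwords range endpoint (k-anonymity: only a 5-char prefix is sent).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the breach
    count for our suffix; 0 means not found. Padded dummy rows carry count 0."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the real range for a prefix (network). Add-Padding hides the true
    response size from an observer; padded rows are reported with count 0."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "reuse-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


def should_reject(password: str, fetch=fetch_range) -> bool:
    """Policy hook for signup/password change: reject any password seen in a breach."""
    return pwned_count(password, fetch) > 0


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password"); the counts
# are made up for this example and are not real HIBP data.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""
```

Wire `should_reject` into the password-set path and pair it with a clear "this password appeared in a breach, pick another" message rather than a silent failure.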
