23andMe - October 2023
Attacker steals data from 6.9M users... then 23andMe sticks its foot in it
23andMe was breached by a hacker named Golem in October 2023, then decided to blame users for it in January 2024.
What organization was breached and what group of attackers breached it?
23andMe is a personal genomics and biotechnology company that provides genetic testing in a simplified way directly to consumers for ancestry and health purposes.
Golem is a hacker — not much information is available about the attacker, though they are likely a cybercriminal given their choice to share the data on the dark web and to sell some of it.
Cybercriminals leverage cyberattacks to generate funds through extortion, data theft, and financial crime, much like traditional criminal organizations. They also use cyberattacks to build their reputation within the cybercriminal community.
What did the attackers do?
The attacker used a credential stuffing attack to steal profile data, name, birth year, relationship labels, percentage of DNA shared with relatives, ancestry reports, and self-reported location of 6.9M people, about half of 23andMe’s user base. As proof of the breach, the attacker posted data from 1M users of Jewish Ashkenazi descent and 100,000 Chinese users. The attacker has posted and is attempting to sell the records.
A credential stuffing attack is when an attacker gathers lists of previously compromised user credentials (typically usernames and passwords leaked from other websites) and checks whether they also grant access to other websites. For example, if an attacker has someone's username and password after a breach at Twitter, the attacker will try the same username and password on other websites like Facebook, Instagram, or TikTok, in case the user reused that combination for multiple accounts. This is why it's so important not to reuse passwords across websites.
This could have been the end of the story, but then, in January 2024, 23andMe responded to a class-action lawsuit by blaming the users. It said that "users negligently recycled and failed to update their passwords following these past security incidents", and that users should "consider the futility of continuing to pursue an action in this case" because "the information that was potentially accessed cannot be used for any harm". This is not accurate. Attackers often use information like people's birth dates, ancestry, location, and profile data to execute more elaborate attacks. Think of one of the main security questions that gets asked for financial accounts: What's your mother's maiden name?
What does this mean for me?
For users:
What data is worth giving tech bros? Consider this an opportunity to decide if you really want or need to share genetic information with tech companies. A while ago, I chose not to buy into genetic testing through 23andMe despite being interested in the potential results because not only do I not want attackers to get hold of that type of data, I don’t really want tech people to have it either.
Stop reusing your passwords! Get a password manager and have it generate the passwords for you. Not only is this easier than trying to remember passwords or keep a password book, it’s also more secure.
For public or private sector organizations:
Finger pointing is never a good look. 23andMe chose to react out of an urge to CYA rather than through its values to a class-action lawsuit from affected users. Blaming users for cyberattacks against your organization is always a mistake, full stop. It does not help your company recover, it does not engender trust from users, and it does not make for positive headlines. Instead, focus on how the company will address the problem while continuing to uphold the values the company was founded on.
Enforce multi-factor authentication for users. Despite its claims, 23andMe had a way to reduce the likelihood of this attack: enforcing MFA. If MFA had been enforced for user accounts, credential stuffing attempts would have been thwarted, because users would have had to confirm it was really them trying to log in to the account. Implement MFA in your products to protect users while adding minimal friction to the user experience.
Multi-factor authentication (MFA) is an account login process that requires a user to present information from multiple sources before access to the account is allowed. The most common form is a login where the user not only enters their password but also enters a code sent to them by text message at that moment.
—
Notes
https://techcrunch.com/2023/12/04/23andme-confirms-hackers-stole-ancestry-data-on-6-9-million-users/
https://www.wired.com/story/23andme-credential-stuffing-data-stolen/
https://www.eff.org/deeplinks/2023/10/what-do-if-youre-concerned-about-23andme-breach
Cybersecurity is ultimately about one thing: protecting your opportunity to communicate, innovate, and explore the world.
What did you think of this post? Leave me a comment with your thoughts.
🤍 Allie