Breach reported at 23andMe.
By Tim Nodar, CyberWire senior staff writer
Oct 10, 2023

Credential stuffing seems to have afforded the point of access.

Breach reported at 23andMe.

A threat actor is selling data belonging to nearly one million customers of DNA testing company 23andMe, BleepingComputer reports

Data theft suggests anti-Semitic motivations.

The threat actor is selling the information for $1,000 per one-hundred profiles, or $100,000 for one-hundred-thousand profiles. Dataconomy notes that the database is titled “Ashkenazi DNA Data of Celebrities.” The database is focused on individuals with Ashkenazi Jewish ancestry, though it’s unclear if any of them are celebrities.

Ken Westin, Field CISO, Panther Labs, finds the ethnic targeting in evidence with this incident troubling. “This recent attack is incredibly troubling, as the attackers specifically targeted an ethnic group and exposed sensitive information about individuals based on ethnic heritage. The attackers in this case presented the Infosec community’s worst fears around using DNA data to target ethnic minorities. The slow pace of regulation and action by law enforcement around the use and protection of DNA data has created a perfect storm for adversaries to exploit and profit from incredibly sensitive data. I’m afraid to say this is just the first shoe to drop when it comes to the breach of DNA data.”

Credential stuffing apparently afforded initial access.

A 23andMe spokesperson told BleepingComputer that the attack appears to have been carried out via credential stuffing: “We were made aware that certain 23andMe customer profile information was compiled through access to individual accounts. We do not have any indication at this time that there has been a data security incident within our systems. Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

However, BleepingComputer notes that the attackers were able to gather information on additional users by scraping information from compromised accounts that had opted into 23andMe’s DNA Relatives feature, which enables users to find and connect with their genetic relatives.

DNA-mapping sector is attractive to criminals.

Credential stuffing isn’t difficult or sophisticated. “Credential stuffing is a primitive attack that any high school kid could execute, but it can usually be thwarted with multifactor authentication or other human verification methods,” Lior Yaari, CEO and co-founder of Grip Security, wrote. “Enterprises invest heavily in identity security, but every day consumers do not have the luxury of multimillion dollar budgets and teams of analysts. Whatever credentials were compromised in this attack, the hackers may leverage them to infiltrate the work systems of the owners of the compromised accounts because people tend to reuse personal passwords for work. Protecting against consumer application breaches now has implications for enterprise security, but most companies are not prepared to take the necessary steps to protect themselves properly.” 

Tyler Farrar, CISO at Exabeam, offered some advice to organizations on coping with attacks of this kind:

“Whether this is a confirmed data breach or a symptom of credential stuffing, the two security challenges remain: compromised credentials and distinguishing between normal and abnormal behavior. Valid credentials, obtained from previous data leaks or breaches, provide threat actors with potential access to sensitive data. Such breaches are often amplified by the inherent difficulty in differentiating between unauthorized and legitimate logins, leading to a widespread notification process that may encompass unaffected consumers. 

“Addressing these challenges necessitates comprehensive cybersecurity strategies. Education about safe credential practices and feedback loops, complete network activity visibility, and robust technical safeguards, such as multi-factor authentication, all contribute to a resilient defense against credential-based attacks. 

“Most importantly, organizations should be able to establish a clear behavioral baseline for users and devices on their network. Understanding ‘normal’ behavior allows for the identification of deviations that may signify compromised credentials. This approach facilitates faster detection and response to breaches, protecting organizations and their people from potential harm. Remember- you ought to know your network and your people better than the attackers.”

Others see DNA data as underprotected. Panther Labs' Westin commented,“This is a worry many in the Infosec community had regarding the DNA mapping industry. For the most part, the protection of DNA data has been unregulated -- at best, it's been treated like PII.”

And Colin Little, Security Engineer at Centripetal, reminds all that individual customers of services like this are the real victims. “The real people who suffer in large data breaches, unfortunately, are the individual consumers. The fact that people's genetic ancestry results have been stolen, opens entirely new possibilities for data extortion and identity theft. Too often, the names of political figures and celebrities are in the news due to some scandal of affiliation, and now the bad guys have those affiliations genetically mapped out for them.” 

Little, too, sees the incident as avoidable. “This breach, as with most, was preventable and underscores the need for a proactive approach based on intelligence powered cybersecurity. Corporate credentials that are stolen in 3rd party data breaches can be specifically identified and mitigated by services that actively use this intelligence. In addition, implementing an effective security awareness program will help train employees not to use their corporate email address when signing up for third party services, and not to reuse passwords at any time, especially those they use for their enterprise authentication. Multi-factor authentication may also have helped mitigate a scenario like this.”

(Added, 3:30 PM ET, October 10th, 2023.) Antoine Vastel, PhD, Head of Research at DataDome, wrote:

“Large websites own vast amounts of sensitive user data, and protecting this data -- without impacting the user experience -- is a huge challenge. The latest 23andMe credential stuffing attack underscores the need for account protection tools that can withstand attacks from sophisticated bots. Credential stuffing relies on the all-too-common issue of password reuse to gain access to online accounts. With 81% of individuals reusing passwords or using similar passwords for multiple accounts, malicious threat actors with access to a list of leaked credentials have an easy time finding valid login and password combinations. 

"When cybercriminals succeed in taking control of an online account, they can perform unauthorized transactions, unbeknownst to the victims. These often go undetected for a long time because logging in isn’t a suspicious action. Once a hacker is inside a user’s account, they have access to linked bank accounts, credit cards, and personal data that they can use for identity theft. 

"23andMe proposed 2FA to their users, which means they had a way to secure their account with it. However, it's difficult to make users adopt 2FA. It's counter intuitive for a lot of people, and may be difficult to set up for non tech savvy users. And because it impacts UX, it's not often enforced (except when law forces websites to have default 2FA). This demonstrates the need for seamless and transparent bot detection techniques.”