23andMe's data incident.
the cyberwire logoDec 6, 2023

23andMe's data incident is found to have a greater scope than initially expected.


23andMe's data incident.

The ancestry-tracing firm 23andMe has posted an amendment to the Form 8K it filed with the US Securities and Exchange Commission (SEC) on October 10th.

Credential-stuffing, not network compromise.

That form had disclosed an incident in which customer information had been accessed through a credential-stuffing attack enabled by user password reuse. 23andMe said, "the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available." That's not, however, the full extent of the breach. "Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online." That is, TechCrunch reports, the attackers were able to access data on some 6.9 million individuals, orders of magnitude more than the 14,000 individuals who would represent 0.1% of the service's users.

Maor Bin, CEO and co-founder of Adaptive Shield, commented on the method the attackers chose. "In the ever-evolving landscape of cybersecurity, threat actors are becoming increasingly sophisticated, therefore in the complex world of SaaS Security, staying ahead of these threats is crucial. The 23andMe breach, resulting in large-scale credential theft, poses significant risks, especially for individuals who use the same credentials at work to access their organization’s business-critical SaaS applications. To mitigate such risks, companies should adopt robust security measures, including the implementation of Single Sign-On (SSO) and Multi-Factor Authentication (MFA). These measures can strengthen access controls, providing a more secure alternative to accessing SaaS data through local credentials."

George McGregor, VP, Approov Mobile Security, thinks the way the incident has unfolded is a bad look, at least based on what's known so far. “This is starting to look like a good case-study in how to not handle a breach," he wrote. "It's difficult at this point to be confident that no more bad news will be forthcoming. In addition, there has still (as of December 4th) been no direct communication to users. Let it be a lesson for others to ensure a solid data breach plan is in place!”

KnowBe4's Lead Security Awareness Advocate, Javvad Malik, also had questions about the way the incident seems to have been handled. "There's an element of transparency that needs to be addressed," he siad. "23andMe's lack of specifics about the scope of the breach leaves many questions unanswered, which does not instill confidence. It's critical for them to provide a clear account of the incident and outline the steps they're taking to prevent similar breaches in the future, along with what measures are being taken to support affected users. It's a tough lesson, but one that all organizations can learn from to better protect their customer's data."

Tyler Farrar, CISO, Exabeam, discerns, first, credential stuffing, and second, a failure to recognize abnormal behavior. "Two security challenges are evident in this breach: compromised credentials and distinguishing between normal and abnormal behavior. Valid credentials, obtained from previous data leaks or breaches, provide threat actors with potential access to sensitive data. Such breaches are often amplified by the inherent difficulty in differentiating between unauthorized and legitimate logins, leading to a widespread notification process that may encompass unaffected consumers."  

What is credential stuffing, and what can be done about it?

Chris Denbigh-White, Chief Security Officer at Next DLP, offered a quick primer on credential stuffing. "In essence, individuals whose login credentials were compromised in a separate breach, due to the common practice of using the same password across various platforms, made it effortless for attackers to gain unauthorized access to 23andMe accounts. The wording in 23andMe's statements positions the intrusion as unauthorized access due to a stolen password, framing the situation as a 'breach of their terms of service.' This approach seems aimed at positioning 23andMe and the affected users as victims."

Denbigh-White also offered some thoughts on next steps to increase security. "In response to the incident, 23andMe is now advising users to implement Multi-Factor Authentication (MFA) for enhanced security. Given the sensitive nature of the data stored by 23andMe and the prevalent issue of password reuse across online platforms, making MFA mandatory for such services would provide a more robust security posture. This additional layer of authentication would significantly reduce the risk of unauthorized access, further safeguarding both 23andMe and its users from potential data breaches." There's a role for education as well. "In a broader context, there is a compelling need to institute a comprehensive education initiative aimed at mitigating the widespread issue of password reuse. A significant number of users, either inadvertently or due to a lack of awareness, habitually utilize the same password across various platforms. Implementing an all-encompassing educational program would empower individuals to embrace more robust password practices, underscoring the critical importance of maintaining unique passwords for different accounts. This proactive approach, geared towards fostering a culture of cybersecurity awareness, holds the potential to systematically address the root causes of such incidents and contribute to the establishment of a more secure online environment."

This kind of incident is a teaching moments governments might use to raise awareness of sound online practice, Denbigh-White observes. "Drawing parallels with successful government campaigns in the past, such as those promoting the use of seatbelts in cars, there is an opportunity for governments to spearhead similar initiatives focused on cybersecurity risks. By integrating educational efforts on a governmental level, we can leverage mass communication channels to reach a broad audience and instill essential cybersecurity practices.” 

The irresistible attraction of data to criminals.

Any organization that holds large volumes of data inevitably draws criminal attention. Jeremy Ventura, Field CISO and Director of Security Strategy, ThreatX, commented, "While the investigation appears to be ongoing, 23andMe is another example of hackers going after companies with massive amounts of consumer data. In this case - names, date of birth, generic results, geolocations and more appear to have been stolen for a subset of users. Businesses like 23andMe have been very popular over the last couple years linking families and ancestors results together. However this also makes them a huge target, respectively."

And users find it difficult to resist the temptation to reuse passwords. Ventura added, "Credential stuffing attacks are very common and typically an easier attack vector for criminals to gain unauthorized access to users’ accounts. As humans, we are in the habit of reusing passwords for many websites and applications, therefore when one set of login credentials are stolen it’s common that that username/password is being used for other websites. Every individual should be using multi-factor authentication where possible, making passwords complex and unique, and not reusing the same credentials for multiple websites or applications. For organizations and security teams, it’s vital you have the proper security technologies in place to monitor, detect and block against credential stuffing attacks - such as web application firewalls and bot solutions."

KnowBe4's Malik, thinks it significant to see how an initially small incident spread rapidly to other connected users. "The recent breach at 23andMe is a sobering reminder of the sensitivity of genetic data and the need for robust cybersecurity measures. The data accessed is not just a collection of email addresses or passwords, but intimate details of an individual's genetic makeup – information that could have serious implications for privacy and could potentially be misused. It's concerning to see that only 0.1% of the customer base was affected, but due to the nature of the service, this apparently small percentage has a ripple effect, as the DNA Relatives feature extends the impact of the breach far beyond the initial accounts compromised."

Malik, too, finds the criminals' approach instructive. "Credential stuffing is a known threat and relies on the reuse of passwords across multiple services," he wrote, "highlighting the importance of unique passwords and the use of multi-factor authentication to protect accounts – but this incident also shows that the responsibility doesn't end with the end-user. Companies holding such sensitive data must constantly evaluate their security posture and educate users about the best security practices."

Data offered for sale on BreachForums. What can be done with those data?

The attackers have offered some stolen data for sale on BreachForums, charging between $1 and $10 per stolen account. The data include, WIRED summarized, "things like a display name, sex, birth year, and some details about genetic ancestry results, like that someone is, say, of 'broadly European' or 'broadly Arabian' descent. It may also include some more specific geographic ancestry information." No actual genetic information was compromised. 

The stolen data have some value, as any personal information does, but it's not obviously of high value, and it’s not immediately obvious what the thieves and their equally criminal customers might do with it. Still, the threat to the individuals whose data were taken isn't negligible. “With data breaches, the compromise of DNA connections, family tree information, and genetic data exceeds the conventional threat posed by compromised credit cards and social security numbers. The depth of personal insight inherent in one's familial relationships (& genetic blueprint!) amplifies the potential for profound and lasting damage," Ted Miracco, CEO, Approov Mobile Security, commented. “As it has been said, 'great power comes with great responsibility', and the alarming lack of transparency surrounding this breach heightens the implications for individuals and their privacy. The repercussions of this breach extend far beyond casting a shadow on the company's reputation and raising questions among shareholders about the adequacy of security measures, as this problem will not be fixed with an apology and 12 months of credit monitoring services. We should expect the consequences of this breach will be far reaching, and hopefully lead to better accountability."

So, consider: there's some possibility the stolen information might be exploited in, say, affinity scams. Imagine people being contacted like this: "As proud, fellow members of the Krasnovian-American community, you're no doubt aware of the rich history our families share, forged on the Pahrumphistani border over generations. I'm proud to be able to offer you, sisters and brothers, an opportunity to invest in a community-based alternative to conventional life insurance," etc. The whole, sad story of social engineering.

(Added, 2:30 PM ET, December 7th, 2023.) Whatever the data thieves might do with genetic information, in some ways this represents new and disturbingly unfamiliar ground for cybercrime or cyberespionage. Steve Stone, Head of Rubrik Zero Labs, wrote in emailed comments, "The real story in the 23andMe hack is the type of data threat actors now have. We've become accustomed to stolen SSNs, bank numbers, etc. This is genetic information with all the associated implications (family, familial secrets, health information, etc). This information could be weaponized in far more impactful ways than a simple public data dump.”