23andMe is a personal genomics and biotechnology company based in Sunnyvale, California, best known for its direct-to-consumer genetic testing kits. On October 6, 2023, 23andMe confirmed in a blog post that it had been the victim of a sizable credential stuffing attack; the company also disclosed the incident in its required 8-K filing with the SEC. Credential stuffing is an attack in which adversaries take usernames and passwords exposed in other data breaches, or purchased on dark web markets, and replay them against a target site's login page with automated tooling. Because many people reuse the same password across sites, a credential pair stolen from one service often works on others. 23andMe's own systems were not breached; the attacker logged in with valid, reused credentials and was still able to obtain personally identifiable information (PII) on at least one million account holders. A feature that lets users share data with other account holders (DNA Relatives) amplified the impact: each successfully accessed account exposed not only its owner's data but also that of every relative who had opted in to sharing.
Identify Indicators of Compromise (IoCs)
23andMe was not aware of the attack while it was under way. The company was instead alerted on October 4 by a user of X (formerly Twitter) who posted about a 23andMe data leak. The same person posted a CSV file on a dark web forum that they claimed contained a profile list of one million 23andMe account holders of Ashkenazi Jewish ancestry; NBC News reported that it had reviewed the posted database. Cybersecurity experts speculated that the emphasis on Jewish ancestry might be an attempt to capitalize on recent events in the Middle East. The file reportedly includes some celebrities and other well-known individuals. The attacker advertised the profiles for bulk sale at between $1 and $10 per account depending on the number purchased, and claimed to hold another 6 million account profiles, roughly half of 23andMe's customer base. In total, the attacker claimed to hold 20 million records taken from 23andMe, including origin estimates, phenotype and health information, photos, and identification data.
Actions Taken (If IoCs are identified)
23andMe notified law enforcement and engaged third-party forensic experts to determine the cause and scope of the attack. On October 9, the company told its customers that it had reset passwords on all accounts as a precaution and urged all users to enable the multifactor authentication option it already offered. The company committed to notifying every user whose information the investigation confirms was compromised. A class action lawsuit has since been filed against 23andMe in which two plaintiffs assert that 23andMe owed a non-delegable duty to the plaintiffs and class members to implement and maintain reasonable and adequate security measures to secure, protect, and safeguard their Private Information against unauthorized access and disclosure.
Prevention (If IoCs are identified)
Businesses and users can combine preventive, detective, and corrective measures to protect against credential stuffing attacks. Users must not reuse the same password across accounts: once one site's credentials leak, attackers will try them against banks, social media, online retailers, and other popular services. Every account that holds personal information or financial assets or transactions should have a distinct password, ideally generated and stored by a password manager. Users should also avoid using their email address as their username, and sites should offer a separate username so that a leaked email list cannot double as a list of valid logins. Organizations should offer multifactor authentication (MFA) to all users and encourage, or require, them to enable it; with MFA in place, a correct reused password alone is not enough to log in. CAPTCHAs on login pages add friction for automated scripts submitting login requests.
Companies can blunt credential stuffing by enforcing policies that temporarily lock an account once a threshold of failed login attempts is reached, or that limit the number of login attempts from a single IP address over a given time period. One caveat: per-account lockout alone does not catch stuffing, because the attacker typically tries each stolen pair only once per account and spreads attempts across many accounts (and often many IP addresses), so per-IP and per-account signals need to be combined. A security monitoring system can also alert the IT or security team to anomalous behavior such as an unusual number of failed logins, a spike in distinct usernames attempted from one source, or successful logins from sources that are also generating failures.
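As an added illustration of the detective controls described above (this is example code, not part of the original article and not anything published by 23andMe), the following Python script runs a sliding-window analysis over a constructed authentication log. The log format (timestamp, username, source IP, outcome), the thresholds, and the sample entries are assumptions chosen for the example. It separates the credential stuffing signature (one source trying many distinct accounts, roughly once each) from classic brute force (one source hammering one account), applies a per-account lockout rule, and flags successful logins from a source already classified as stuffing, which is exactly the case a per-account lockout alone would miss.

```python
"""Sliding-window detection of credential stuffing in an authentication log.

Added example; the log format, thresholds and sample entries are assumptions
constructed for illustration and are not from 23andMe or the original article.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <username> <source IP> <FAIL|SUCCESS>".
# 203.0.113.7  tries six different accounts once each and gets one hit (stuffing).
# 198.51.100.2 hammers a single account repeatedly (brute force).
# 192.0.2.10   is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z alice@example.com 203.0.113.7 FAIL
2023-10-01T12:00:02Z bob@example.com 203.0.113.7 FAIL
2023-10-01T12:00:03Z carol@example.com 203.0.113.7 SUCCESS
2023-10-01T12:00:04Z dave@example.com 203.0.113.7 FAIL
2023-10-01T12:00:05Z erin@example.com 203.0.113.7 FAIL
2023-10-01T12:00:06Z frank@example.com 203.0.113.7 FAIL
2023-10-01T12:00:10Z victim@example.com 198.51.100.2 FAIL
2023-10-01T12:00:11Z victim@example.com 198.51.100.2 FAIL
2023-10-01T12:00:12Z victim@example.com 198.51.100.2 FAIL
2023-10-01T12:00:13Z victim@example.com 198.51.100.2 FAIL
2023-10-01T12:00:14Z victim@example.com 198.51.100.2 FAIL
2023-10-01T12:00:15Z victim@example.com 198.51.100.2 FAIL
2023-10-01T12:05:00Z grace@example.com 192.0.2.10 FAIL
2023-10-01T12:05:20Z grace@example.com 192.0.2.10 SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def analyze(events, window=timedelta(minutes=5), ip_fail_limit=5,
            spray_user_limit=5, account_fail_limit=5):
    """Classify sources and accounts using failures seen inside a sliding window.

    stuffing_ips:      >= ip_fail_limit failures from one IP spread over
                       >= spray_user_limit distinct usernames
    bruteforce_ips:    >= ip_fail_limit failures from one IP against few accounts
    locked_accounts:   >= account_fail_limit failures against one account
    suspicious_logins: successful logins from an IP classified as stuffing;
                       those accounts should be reviewed and their passwords reset
    """
    events = sorted(events)
    ip_failures = defaultdict(deque)    # ip   -> deque of (ts, user) within window
    acct_failures = defaultdict(deque)  # user -> deque of ts within window
    stuffing_ips, bruteforce_ips, locked_accounts = set(), set(), set()

    for ts, user, ip, result in events:
        if result != "FAIL":
            continue

        ip_q = ip_failures[ip]
        ip_q.append((ts, user))
        while ip_q and ts - ip_q[0][0] > window:   # drop failures outside the window
            ip_q.popleft()
        if len(ip_q) >= ip_fail_limit:
            distinct_users = {u for _, u in ip_q}
            if len(distinct_users) >= spray_user_limit:
                stuffing_ips.add(ip)
            else:
                bruteforce_ips.add(ip)

        acct_q = acct_failures[user]
        acct_q.append(ts)
        while acct_q and ts - acct_q[0] > window:
            acct_q.popleft()
        if len(acct_q) >= account_fail_limit:
            locked_accounts.add(user)

    # Retrospective check: a success from a stuffing source is a probable account
    # takeover even though that account itself never tripped the lockout rule.
    suspicious_logins = sorted(
        (user, ip) for _, user, ip, result in events
        if result == "SUCCESS" and ip in stuffing_ips
    )
    return {
        "stuffing_ips": sorted(stuffing_ips),
        "bruteforce_ips": sorted(bruteforce_ips),
        "locked_accounts": sorted(locked_accounts),
        "suspicious_logins": suspicious_logins,
    }


if __name__ == "__main__":
    for key, value in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample, only victim@example.com reaches the per-account lockout threshold; none of the six accounts probed from 203.0.113.7 do, because each saw a single attempt. The per-IP distinct-username count is what exposes that source, and the retrospective pass then surfaces carol@example.com as the account that needs a forced reset. A production deployment would also look at user agent, ASN and geography, and would need a population-level baseline of failed logins to catch low-and-slow campaigns distributed across many IP addresses, which a single-IP threshold will not see.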