23andMe, and You, and Your Mama and Your Sister
On Oct. 1, 2023, a small percentage of 23andMe user profile information was improperly accessed and downloaded from individual 23andMe.com accounts on its website. The company found out after an anonymous hacker began advertising “millions” of stolen genetic profiles that were supposedly from 23andMe customer accounts.
The profiles included emails, photos, gender, date of birth and DNA ancestry. This sort of information is known as PII, which stands for Personally Identifiable Information. However, this is a special kind of personal information; it’s extra personal because it involves your genetic DNA data, not just a social security number or a password. The profile info could not only be used for identity theft, but it could also be used to target those individuals in scams by referencing family members and/or health history.
Each 23andMe user can choose to share their profile (and DNA test results) with their genetic relatives using 23andMe’s DNA Relatives feature. So, when one account was accessed by the hacker, the entire family history may also have been downloaded, if the user had chosen to add family members. A few years ago my sister emailed us one of these genetic tests, since all 6 of my siblings have the same DNA.
According to their SEC Form 8-K/A (Amendment No. 1) filing on Oct. 10, 2023:
“Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available (the “Credential Stuffed Accounts”). The information accessed by the threat actor in the Credential Stuffed Accounts varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics. Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online. We are working to remove this information from the public domain [they are buying it back]. As of the filing date of this Amendment, the Company believes that the threat actor activity is contained.
“23andMe is in the process of providing notification to users impacted by the incident as required by applicable law. While no company can ever completely eliminate the risk of a cyber attack, the Company has taken certain steps to further protect its users’ data. For example, on October 10, 2023, 23andMe required all users to reset their passwords, and on November 6, 2023, 23andMe required all new and existing users to login into the 23andMe website using two-step verification going forward.”
“Credential stuffing” is a form of brute force attack using an automated system to test stolen login/password pairs, by “stuffing” them into an online form, until one of them works. So let’s pretend my work email was pkonikowski[@]myemployer[.]com and my work password was “GoSeahawks2023” and someone stole that login and password combo, or a whole list of them, and then sold it to someone.
The person who purchased the stolen login and password combos would likely try “pkonikowski” or pkonikowski[@]gmail[.]com with my “GoSeahawks2023” password, then maybe “GoSeahawks2024.” Sounds tedious, right? It is all done in bulk automation, across multiple websites, which increases the chances of the hacker “getting in.”
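To show what that bulk pattern looks like from the defender’s side, here is an added example (not code from 23andMe or from this post) that runs a simple credential-stuffing detector over a few constructed login-log lines: it flags a source address that tries many different usernames with a low success rate, and lists the accounts that did log in from that source, since those are the ones that need a forced password reset and a notification. The log format, IP addresses and usernames are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample login log (invented for this example; not 23andMe data).
SAMPLE_LOG = """\
2023-10-01T02:14:03Z src=203.0.113.7 user=alice@example.com result=FAIL
2023-10-01T02:14:04Z src=203.0.113.7 user=bob@example.com result=FAIL
2023-10-01T02:14:04Z src=203.0.113.7 user=carol@example.com result=OK
2023-10-01T02:14:05Z src=203.0.113.7 user=dave@example.com result=FAIL
2023-10-01T02:14:06Z src=203.0.113.7 user=erin@example.com result=FAIL
2023-10-01T02:14:07Z src=203.0.113.7 user=grace@example.com result=OK
2023-10-01T02:15:00Z src=198.51.100.9 user=alice@example.com result=FAIL
2023-10-01T02:15:20Z src=198.51.100.9 user=alice@example.com result=FAIL
2023-10-01T02:15:45Z src=198.51.100.9 user=alice@example.com result=OK
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(OK|FAIL)")

def summarize_by_source(log_text):
    """Group attempts by source address: distinct usernames tried, total
    attempts, number of successes, and which usernames logged in."""
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0,
                                   "ok": 0, "ok_users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        src, user, result = m.groups()
        s = per_src[src]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "OK":
            s["ok"] += 1
            s["ok_users"].add(user)
    return per_src

def detect_credential_stuffing(log_text, min_users=5, max_success_rate=0.5):
    """Flag sources that try many distinct usernames with a low success rate,
    the signature of stolen login/password pairs being replayed in bulk.
    A real user retyping their own password is one username from one
    source, so that pattern is not flagged."""
    flagged = {}
    for src, s in summarize_by_source(log_text).items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[src] = {"distinct_users": len(s["users"]),
                            "attempts": s["attempts"],
                            "success_rate": round(rate, 2),
                            # accounts that need a forced reset and notification
                            "accounts_to_reset": sorted(s["ok_users"])}
    return flagged
```

The thresholds are assumptions; a production detector would also bucket by time window and look at the password-reuse angle the post describes, but the shape of the signal is the same.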
One way to prevent credential stuffing (or other brute force login attempts where they try common passwords) is to use two-factor authentication (2FA) or multi-factor authentication (MFA). This means that even if someone gets ahold of your login and password, they can’t access your profile without using your phone or another method to verify it’s actually you. Typically it is an SMS text sent to your phone.
The problem is, 23andMe did not force anyone to use 2FA/MFA until after the recent cyberattack. Womp womp.
Some think that 23andMe was reckless for not forcing their users to use MFA or to update their login passwords often; thus, a series of class action lawsuits have been filed against 23andMe.
23andMe’s response? You might want to grab a beverage, popcorn and/or a tissue box. In a letter sent to victims, they essentially blamed the users for having the same passwords stolen earlier in their lives:
“Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe…Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures…”
Essentially, 23andMe is saying there was no real breach; their users had previously lost their passwords in another cyberattack, and failed to change all of their other passwords as they were directed to. Or, they had such basic passwords that the attacker was able to guess them by using a dictionary-type list.
So, what are the takeaways? They are not easy, but if you don’t start doing them, expect more of this:
- You should always opt for MFA, even when you are not forced to do so. Every website.
- Use a different password on each website that you log in to, so they can’t be reused.
- If you are worried about forgetting your password, that’s okay, just reset it every time you log in.
- In addition to changing your passwords, consider different logins per website.
- Many people use a password manager, but some of us don’t trust them either.
- Every time you get notified your information may have been breached, change all passwords.
Most importantly, stop blaming your users. This goes for weak passwords or clicking a phishing link. If a user clicks a malicious link or document in their email, it’s not their fault. It’s the responsibility of the company’s security engineering team to not let them click it, and to provide training and safeguards.