Summary: This content discusses a credential stuffing attack that resulted in the theft of genetic data belonging to 6.9 million individuals.
Threat Actor: Unknown | Unknown
Victim: 23andMe | 23andMe
Key Point :
- A credential stuffing attack targeted 23andMe, resulting in the theft of genetic data belonging to 6.9 million users.
General Data Protection Regulation (GDPR)
,
Incident & Breach Response
,
Security Operations
6.9 Million Individuals’ Genetic Details Stolen via 2023 Credential Stuffing Attack
Privacy regulators in the U.K. and Canada have launched a joint investigation into 23andMe after the direct-to-consumer genetic testing service suffered a massive data breach in October 2023.
See Also: Meeting the Mandate: A Proactive Approach to Cybersecurity Compliance and Incident Reporting
Britain’s Information Commissioner’s Office and the Office of the Privacy Commissioner of Canada said they’ll jointly investigate the publicly traded company’s compliance with their respective data protection laws and the impact of the breach, which exposed ancestry information for 6.9 million individuals.
The ICO and OPC said they’ll review the scope of information exposed and the potential risk it poses to individuals, whether 23andMe had sufficient safeguards in place to protect that data, and whether it correctly notified affected individuals and U.K. and Canadian regulators about the breach.
The ICO said the data being stored by 23andMe “can reveal information about an individual and their family members, including about their health, ethnicity and biological relationships.” Once exposed, such data might pose a permanent risk to individuals, given that one’s genetic information never changes.
“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place,” said U.K. Information Commissioner John Edwards. “This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”
“We intend to cooperate with these regulators’ reasonable requests relating to the credential stuffing attack discovered in October 2023,” 23andme said in a statement.
That breach exposed information for 6.9 million customers who opted into 23andMe’s DNA Relatives feature, which can be used to identify relatives on any branch of an individual’s family tree, up to eight generations back. Exposed information included “family tree” profile information, which contains names, relationship labels, birth year, self-reported location and the user’s decision to share their information.
In October 2023, 23andMe first reported that about 140,000 of its users had fallen victim to credential stuffing attacks, meaning attackers logged into accounts for which users had reused their username and password elsewhere.
Subsequently, 23andMe found that after gaining access to those accounts, an attacker successfully scraped profile information for half of the site’s 14 million users, which they then offered for sale. The leaked data, according to media reports, featured individuals with certain DNA ancestry backgrounds, including 1 million lines of code about people with Ashkenazi Jewish DNA ancestry.
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” said Canadian Privacy Commissioner Philippe Dufresne. “Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world.”
The regulators didn’t define the potential duration of their probe. “Each regulator will investigate compliance with the law that it oversees,” their joint statement said. “No further comment will be made while the investigation is ongoing.”
Defenses Against Credential Stuffing
As the 23andMe data breach demonstrates, attackers continue to use credential stuffing attacks, often obtaining known username and password pairs via public data leaks (see: 71 Million Unique Emails Found in Naz.api Cybercrime Dump).
Such attacks can be highly automated, rapidly executed and difficult for downstream organizations to block, unless they take proactive steps to detect and prevent them, which security experts have long recommended they do (see: Credential Stuffing Attacks: How to Combat Reused Passwords).
One defensive strategy is to force users to pick unique passwords. Since August 2017, the U.S. National Institute for Standards and Technology has recommended users never pick a password that has previously appeared in a known data breach. To help, Australian developer Troy Hunt that year launched a free service called Pwned Passwords, which allows users to test possible passwords against a database that contains hashes of hundreds of millions of passwords known to have been leaked, assembled from numerous public and private data leaks. The service, which can be accessed via an API, includes hashes of passwords obtained by the FBI and Britain’s National Crime Agency during the course of their investigations.
Another proven defense against credential stuffing is multifactor authentication. Even if an attacker possesses a working username and password pair, an MFA check will prevent them from accessing the account. While attackers can attempt to bypass MFA defenses, doing so takes much more time and technical acumen, thus decreasing the likelihood they might attempt to do so or succeed (see: Multifactor Authentication Bypass Attacks: Top Defenses).
Since 2019, 23andMe has offered customers the ability to secure their accounts using two-factor authentication via either an authenticator app or one-time code sent to their registered email address, although the service didn’t make TFA mandatory. That changed last November, when 23andMe said all new accounts would be automatically enrolled in TFA via email, after which they could switch to using the authenticator app if preferred.
Source: https://www.bankinfosecurity.com/privacy-regulators-probe-impact-23andmes-mega-breach-a-25480
“An interesting youtube video that may be related to the article above”