Popular with:
Security Architect

The 23andMe Breach and Your Online Security

October 25, 2023
Written by

More than 200 organizations were affected by the MOVEit data breach in June. 

T-Mobile was hacked twice in 2023, impacting more than 37 million customers.

The HCA ransomware attack compromised 11 million patients' personal information.

MGM lost millions when a cyber attack halted the operation of its 19 casino hotels for 10 days.

Caesar paid $15 million when a group of hackers threatened to leak the PII of more than 65 million customers.

When a company is breached, and your information is in their database, usually it’s your name, address, birthday, and other personal identifiable information that will get compromised. But the 23andMe hack is so much more personal than that. So, what happens when your very DNA is at the center of a data breach?

Today, we’ll talk about another data breach.

Table of Contents

  1. What happened in the 23andMe attack?
  2. How credential stuffing works
  3. Credential stuffing vs Brute-force attacks
  4. How to prevent credential stuffing
  5. Preventing credential stuffing for individuals
  6. Preventing credential stuffing for organizations
  7. AppSecEngineer's call against credential stuffing threats

What happened in the 23andMe attack?

1.3 million Ashkenazi Jews. 4,011,607 in Great Britain and Germany. That’s what happened.

23andMe has 14 million customers all over the world, and the names, birth years, genders, and some details about genetic ancestry results are in the hands of a hacker known as Golem. Thankfully, no genetic data was compromised.

Selling stolen genetic data profiles in bulk. Source: BleepingComputer

1 million Ashkenazi Jews

On October 4, the hacker released the data of 1 million Ashkenazi Jews and offered them in bulk for $1-$10 per account. Users who had chosen to use 23andMe's DNA Relatives feature, which allows users to make connections with genetic relatives, were particularly affected. The hacker gained access to a subset of these accounts by extracting data from their DNA Relative matches.

The attack was attributed to credential stuffing, in which the hacker obtained access to 23andMe accounts through usernames and passwords from earlier data breaches on other websites.

4.1 million from Great Britain and Germany

And then there’s more. On October 18, the same threat actor with an alias “Golem” leaked 4.1 million data profiles of people from Great Britain and Germany. According to the post in a dark web forum, BreachForums, the leaked data includes “the wealthiest people living in the US and Western Europe on this list”. 23andMe has yet to verify if the claims of the hacker are legitimate.

How credential stuffing works ?

Credential stuffing is a type of cyberattack in which an attacker tries to gain unauthorized access to user accounts on several online platforms, such as websites, apps, or services. It's based on the idea that many users recycle usernames and passwords across multiple accounts, which is both common and unsafe. Here's how credential stuffing works:

  1. Leaked user data - Cybercriminals usually collect massive databases of usernames and passwords from prior data breaches on multiple platforms or services. These compromised passwords are frequently found on the dark web or hacker forums.

  1. Automated attack -The attacker repeatedly tests these stolen login and password combinations on a target website or service using automated tools and scripts. The attacker tries every combination of credentials to check if it grants access.

  1. Scale and speed - Because attackers can use computer programs to automate login attempts across a huge number of accounts, credential-stuffing attacks can be extremely easy to carry out. This helps to try thousands, maybe even millions, of logins simultaneously. 

  1. Success rate - The effectiveness of a credential stuffing attack is determined by the number of users who repeat passwords across many accounts. The attacker may acquire unauthorized access to a user's accounts if they use the same credentials on different sites.

Credential stuffing vs Brute-force attacks

Cybercriminals harness both credential stuffing and brute-force attacks to obtain unauthorized access to online accounts. However, they differ in their strategy and execution:

How to prevent credential stuffing

Credential stuffing attacks need to be mitigated in order to protect your online accounts and personal information. Here are a few simple precautions you may take to protect yourself from this type of cyberattack:

Preventing credential stuffing for individuals

1. Use unique passwords

- Don't reuse passwords. Each online account should have a unique and strong password.

- Try using a password manager to generate and manage complex, unique passwords.

2. Enable Two-Factor Authentication (2FA)

- Whenever possible, enable 2FA on your accounts to add an extra layer of security.

- Use authentication apps or SMS codes as your secondary verification method.

3. Regularly update passwords

- Change passwords from time to time, especially for critical accounts like email, online banking, and social media.

- Act promptly in the event of a known data breach that might affect an account you use.

4. Security awareness

- Educate yourself about the risks of credential stuffing and why strong password hygiene is important.

- Stay informed about recent data breaches and take action to protect your accounts.

5. Security questions

- Choose security questions and answers that are not obvious, and avoid details that can be readily available on social media.

6. Account monitoring

- Regularly review your online accounts for unusual activity.

- Take immediate action if you detect unauthorized access to your accounts.

Preventing credential stuffing for organizations

1. Implement account lockout policies

- Enforce account lockout policies that temporarily restrict accounts after a specific number of failed login attempts to prevent brute-force attacks.

2. User education

- Train employees and users on the importance of password security and the dangers of credential stuffing.

- Encourage password best practices and two-factor authentication adoption.

3. Password policy

- Enforce a password policy that demands users to create complex, unique passwords.

- Encourage regular password changes.

4. Security measures

- Implement intrusion detection systems and security measures to detect and respond to credential stuffing attempts.

- Monitor for patterns of suspicious login activity.

5. Security response plan

- Create and maintain an incident response plan to address breaches immediately.

- Communicate with concerned users and guide them through the recovery process.

6. Third-party security services

- Consider using third-party security services that can monitor for compromised user credentials and notify affected users.

7. Continuous security assessment

- Regularly assess and update security measures to adapt to evolving threats and vulnerabilities.

AppSecEngineer's call against credential stuffing threats

Some of us discovered that we're 26.7% Scottish or that we have 1.3% Balkan in our DNA. The 23andMe data breach feels dirty - a stark reminder that our most intimate information can be laid bare by cybercriminals. 

Our lives today are measured in numbers, from our genetic makeup to our online account passwords. The 23andMe breach, which was facilitated by the reuse of passwords, highlights just how vulnerable our online identities can be. But the good news is that we're not defenseless.

Here at AppSecEngineer, we can help you to make it tougher for cybercriminals to compromise your defenses. We train teams from many industries, Manufacturing, Retail, Finance, Technology, etc., about the importance of why security shouldn't be an afterthought. In fact, 90% of our AppSecEngineer for Business clients see improved results in as little as 3 months.

It's now or never. Educate your teams, and be ready to respond rapidly to any breaches.

Source for article