Introduction

Late last year, December 2023, genetic testing company 23andMe notified 6.9 million individuals that their personal information was compromised in October 2023. Despite their claims, there was no evidence from 23andMe that there was any data security incident within their systems. This was because the threat actors leveraged credential stuffing, a tactic in which hackers use stolen login information from one account to gain access to other accounts with the same passwords.

 

What is Credential Surfing?

Credential surfing, also known as credential stuffing, is a type of cyber attack where attackers use lists of stolen usernames and passwords from one website to gain unauthorized access to accounts on other websites.

The attack works on the assumption that many people use the same username and password combinations across multiple online services. Attackers use automated tools to test these stolen credentials on various websites, hoping to gain access to user accounts and potentially carry out further malicious activities, such as identity theft, fraud, or unauthorized access to sensitive information.

 

Details about the breach

On the 1st of October 2023, a threat actor posted on an online forum claiming they had accessed and obtained profile information of 23andMe users’. In reaction, the company launched an investigation into the claims. It was discovered that the threat actor had accessed about 0.1 percent of user accounts, 14,000 accounts to be precise, using credential stuffing tactics.

The information accessed in the breach included ancestry data(approximately 5.5 million), family tree information (approximately 1.4 million), and some health information specific to the user’s genetics. Minority groups were reportedly targeted with this breach, this was evident in the posting of highly specific information about people of Ashkenazi Jewish and Chinese descent on the dark web.

By accessing the initial 14,000 accounts, the threat actors were able to access millions of more profiles based on users’ participation in the DNA Relatives feature.

 

Additional Security Concerns:

The 23andMe breach underscores broader concerns about cybersecurity in the digital age. Some of which are;

• It highlights the risks associated with credential stuffing attacks and the importance of robust security practices for both companies and users.
• As more sensitive personal data is collected and stored online, the need for stringent security measures becomes increasingly critical.
• This breach serves as a wake-up call for organizations to prioritize cybersecurity and invest in proactive measures to protect user data.

 

Regulatory and Ethical Considerations:

Asides the security concerns, the 23andMe breach also raises questions about regulatory compliance and ethical responsibilities regarding the handling of sensitive personal data.

Additionally, regulatory bodies may scrutinize 23andMe’s security practices and response to the breach to ensure compliance with data protection laws. Ethical considerations include transparency in communication with users and accountability for safeguarding their data.

Lessons Learnt

The 23andMe security breach offers several valuable lessons for both the company and users:

• Continuous Monitoring and Response: Companies must maintain vigilant monitoring of their systems for any signs of unauthorized access or suspicious activity. Prompt detection and response to security incidents are crucial in mitigating potential damage and preventing further exploitation.
• Transparency and Communication: Transparent communication with users about security incidents is essential for maintaining trust and credibility. Companies should promptly disclose breaches, provide clear information about the nature and extent of the incident, and offer guidance on steps users can take to protect themselves.
• Regulatory Compliance: Compliance with data protection regulations, such as GDPR in Europe or CCPA in California, is imperative for organizations handling sensitive personal data. Compliance frameworks provide guidelines for implementing robust security measures and ensuring accountability in data handling practices.
• Investment in Security Infrastructure: Companies must prioritize investment in robust security infrastructure and measures to safeguard user data effectively. This includes regular security audits, employee training on cybersecurity best practices, and staying abreast of emerging threats and vulnerabilities.
• User Education: Educating users about cybersecurity risks and best practices is crucial in fostering a security-conscious culture. Providing resources and guidance on password management, recognizing phishing attempts, and staying vigilant against social engineering tactics can empower users to protect themselves online.
• Ethical Considerations: Organizations must consider the ethical implications of handling sensitive personal data and prioritize user privacy and security in their operations. This includes transparency about data collection and usage practices, obtaining informed consent from users, and implementing stringent measures to protect their data from unauthorized access or misuse.

 

Guarding against Credential Surfing

Following the lesons learnt from the 23andMe breach, it is important to guard against credential surfing by adhering to the following:

• Use Strong, Unique Passwords: Create complex passwords for each of your online accounts. Avoid using easily guessable information like birthdates or common words. Include a mix of uppercase and lowercase letters, numbers, and special characters. Consider using a password manager to generate and store your passwords securely.

• Enable Two-Factor Authentication (2FA): Whenever possible, enable 2FA on your accounts. This adds an extra layer of security by requiring a second form of verification, such as a temporary code sent to your phone or email, in addition to your password.
• Regularly Update Passwords: Change your passwords regularly, especially if you suspect that any of your accounts may have been compromised. Regularly changing passwords can help mitigate the risk of unauthorized access.

• Monitor Account Activity: Keep an eye on your account activity and review login notifications or access logs provided by the services you use. If you notice any suspicious activity, such as logins from unfamiliar locations or devices, take immediate action to secure your account.
• Avoid Reusing Passwords: Resist the temptation to reuse passwords across multiple accounts. If one account is compromised, using unique passwords for each account will limit the damage that can be done by credential surfing attacks.

• Stay Informed About Data Breaches: Regularly monitor news about data breaches and security incidents. If a service you use has experienced a breach, change your password for that service and any others where you may have used the same password.
• Educate Yourself: Stay informed about common phishing techniques and other cyber threats. Be cautious of suspicious emails, links, or messages that may attempt to trick you into revealing your login credentials.

Summary

The 23andMe security breach serves as a reminder of the ever-present threats to personal data security in the digital realm. While the company took steps to mitigate the immediate impact of the breach, it also underscores the need for continuous vigilance and proactive measures to safeguard sensitive information in an increasingly interconnected world. The CcHub Helpdesk (help@cchub.africa) is available for any organizations looking for assistance with incident response.