Skip links

Guess the company: Takes your DNA, blames you when criminals steal it, can’t spot a cyberattack for 5 months

Biotech and DNA-collection biz 23andMe, the one that blamed its own customers for the October mega-breach, just admitted it failed to detect any malicious activity for the entire five months attackers were breaking into user accounts.

In a collection of data breach notifications filed with California’s attorney general Rob Bonta, 23andMe revealed attackers were using credential stuffing techniques between April 29 and September 27, 2023.

It also said the malicious activity was only detected in October after seeing a Reddit post related to the sale of the data, rather than interal security tooling picking up on the mess.

It’s not clear how many accounts were targeted over that five-month period, but the company previously said that 14,000 accounts were broken into, accounts that had the DNA Relatives feature enabled which ultimately exposed the data of 6.9 million individuals.

DNA Relatives is a core feature of the 23andMe service that allows users to find individuals they may be related to, based on how strong the DNA match is between them.

If an account was compromised through credential stuffing, the data shared by those with even a minuscule percentage of shared DNA could have been scooped up by the attacker.

23andMe’s breach notifications laid out the type of data that could have been stolen. Basic profile information that was likely to have been exfiltrated in the event of a compromise included last login data, relationship labels (masculine, feminine, neutral), predicted relationships such as great aunt, percentage of DNA shared, and the account display name.

Display names are configurable on 23andMe, with a range of options available from full names to just the first initial of each name.

Optionally, users can also choose to share additional information with those who share their DNA, including ancestry reports, matching DNA segments (what chromosomes match), location, ancestor birth locations, family names, profile picture, birth year, family trees, and personal bios.

Credential stuffing attacks can in some cases be difficult for organizations to detect given the compromised accounts were accessed using the proper credentials, though there are various controls that can be implemented to help spot malicious activity.

Endpoint solutions can pick up on single sources trying to log into accounts en masse, for example, and that IP address can then be blocked, preventing further intrusion attempts.

But the main way to stop credential stuffing in its tracks is to just enable two-factor or multi-factor authentication, as has been the advice of the industry for god knows how long now.

23andMe only started mandating 2FA by default in November, a month after it detected the breach.

In letters sent to lawyers representing 23andMe breach victims, the biotech firm said the breach was caused by user negligence, denying all allegations that its alleged security failures were instead the leading cause.

The letter read: “As set forth in 23andMe’s October 6, 2023 blog post, 23andMe believes that unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials – that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe. Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.

The leak of the “blame game” letter predictably prompted many in the infosec industry to rally against 23andMe, citing the lack of 2/MFA at the heart of their criticisms of the stance.

Others sided with the company, saying the users were indeed at fault for not changing their login credentials after they were compromised in a previous breach – a breach about which they were most likely alerted over email. One likened it to deliberately crashing a car into a tree and blaming the car manufacturer.

This all came after the company tried to limit victims’ ability to launch legal action by changing its terms of service. It controversially introduced a new 60-day dispute resolution period that stipulated aggrieved customers must first attempt to resolve a dispute informally before pursuing their legal options.

23andMe did not immediately respond to a request for a statement. ®

Source