According to reports, the personal information of nearly 6.9 million users has been accessed by hackers of 23andMe.

In early October, the popular genetic testing company discovered that a threat actor accessed a select number of individual 23andMe.com accounts through a process called credential stuffing.

“That is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously compromised or otherwise available,” the company said in a statement on their website. “We do not have any indication that there was a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.”

Threat research recently released by Resecurity confirms an increased interest to organizations storing PII and genetic information specifically. According to the research, it was observed that more than 11,387 records containing customer artifacts exposed in Dark Web contained reference to 23andme.

“In context of 23andme incident, it is definitely important to differentiate between a possible data breach on the company side (what can be determined only in the result of throughout investigation and digital forensics performed independently) and actual account takeover (ATO) activity happening on customer side regardless from it,” the report states.

In a letter addressed to one of the lawyers representing victims of the hack, and shared with news outlets, 23andMe states that “unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials” used on other websites that had been subject to security breaches. The letter continues saying users “negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”

Because of this, the company contends in the letter that “the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”

Security leaders weigh in

Ken Westin, Field CISO, Panther Labs:

Placing blame on end users for large-scale security incidents is never a good move. This move by 23andMe feels more like something that lawyers cooked up to avoid liability in the short-term without consideration for the long term consequences or real reflection by the company regarding their security practices. Given the nature of 23andMe's business, trust is a key component of their go-to-market strategy, so it will be interesting to see how the market responds to this approach. I believe it will have a detrimental effect and have a larger impact on the business as a result. How organizations respond to security incidents can have a more significant impact than the original breach if it is not handled responsibly.

Justin Wynn, Director Red Team Operations at Coalfire:

It is important to recognize the responsibilities that companies have in protecting user data and the immorality of deflecting blame in situations where adequate security measures could have been implemented. While users should use strong, unique passwords, the onus is on the company to have robust security measures in place to safeguard data and detect unauthorized account access. An attack of such magnitude, over 6.9 million accounts could have been easily detected or mitigated in a number of ways. Multifactor authentication, monitoring login attempts, rate limiting and lockouts and IP anomaly detection all come to mind.

Steve Moore, Vice President & Chief Security Strategist, Exabeam:

There’s accountability on both sides, and it’s always easy and unfair to play Monday morning quarterback. The letter was direct, a tone which didn’t shock me but wasn’t the warmest message one could receive.   

Your identity, the username and password, will always be stolen, traded, sold and reused — as seen here. This credential-stuffing style attack, which leverages account information from prior breaches, is not uncommon and should be well understood by both the service provider and the customer. The use of credentials is still the number one method of success for adversaries and will continue to be in 2024; attempting to prevent and know how to detect and respond are critical capabilities.  

This represents a very fine line in breach reporting. If a company suffers a breach and records are lost, that’s a breach. However, if they manage a customer portal and a customer's account is accessed by an organized adversary due to a reused password by a customer (from a prior breach), is that the same, and does this change if performed at scale?  At a minimum, this requires detection and notification logic by the defender.

Moving forward, 23andMe must have requirements on customer registration that discourage or even block the use of weak passwords; additionally, a secondary authenticator that avoids SMS should be an additional feature — their clients should welcome this.

Darren Guccione, CEO and Co-Founder at Keeper Security:

All organizations have an inherent obligation to protect their users and their users’ data. In this case, cybercriminals were able to access highly sensitive personal data including names, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location. Companies that are the custodians of critical information such as this require an even higher bar for security and monitoring than other types of organizations. Companies should regularly audit their data inventory to not only ensure compliance, but to also make sure that they are only retaining the sensitive data that is required.

Attributing isolated responsibility to users often overlooks a pervasive responsibility of an organization to implement robust security measures and facilitate cybersecurity best practices among its users. Generally, there is a fiduciary obligation for organizations to protect collected, sensitive and confidential information of its users, employees and other stakeholders. Aside from robust internal controls and technology applications to protect privacy, security and confidentiality of sensitive digital assets, strong password requirements and mandatory multi-factor authentication are two critical measures that can protect user accounts. 74% of breaches involve the human element — with the majority consisting of stolen or weak passwords, credentials and secrets. Password management software applications serve this purpose.  

To shore up their defenses, organizations that manage sensitive information should implement a zero-trust security architecture and comprehensive password security controls, enable 2FA on every account that supports it and implement a password manager organization-wide. Privileged access management is also an important tool to limit the blast radius of an attack by limiting lateral movement if a threat actor is able to gain access to an organization’s networks.

A culture of shared responsibility for security, where both the organization and its users play a role, can promote a resilient and secure environment, which is why users must advocate for their own cybersecurity as well. It is imperative for everyone to practice good cyber hygiene by using strong and unique passwords for all accounts on every device. To achieve this, it is essential to use a password manager - this will create high-strength random passwords for every website, application and system and further, will enable 2FA to protect against remote data breaches.  A password manager is a critical first-line of defense against ransomware and the most common attack vectors in a data breach.