Privacy commissioners slam 23andMe for huge data theft from credential stuffing
Preliminary report says there were three signs of an intrusion missed before it was finally detected in October 2023
Genetics testing firm 23andMe didn’t have adequate safeguards to prevent a 2023 credential stuffing attack that resulted in the theft of sensitive personal information of almost 7 million people, say the privacy commissioners of Canada and the U.K., who conducted a joint investigation into the hack.
The report can be seen as a guideline — and warning — to CEOs, CISOs and CPOs and other corporate infosec and privacy workers on how to best protect data.
The preliminary report issued today by Privacy Commissioner Philippe Dufresne of Canada and U.K. Information Commissioner John Edwards said the hacker used stolen log-in details (username or email address and password) from other websites impacted by previous breaches and then “stuffed” these credentials into 23andMe’s log-in page until they found matches.
23andMe provides direct-to-consumer genetic testing and ancestry services. Data copied and then offered for sale included information on almost 320,000 people in Canada and 155,600 people in the UK. Depending on the individual, the personal information pulled from a customer’s DNA could have related to health, race and ethnicity, as well as information about relatives, date of birth, sex at birth and gender.
The breach was so massive because customers could opt into a DNA Relatives (DNAR) feature, which allowed them to share information (such as relationship, year of birth, percentage of DNA shared with their matches, location, etc.) with genetic relatives. If this feature was activated in an account, personal information accessible to the hacker could also include the personal information of thousands of other individuals to whom the owner of the credential-stuffed account was genetically linked.
Leveraging stolen login credentials is one of the most common ways breaches of IT security controls start. According to the latest annual Verizon Data Breach Investigations report — which looks into thousands of incidents — 22 per cent of the 9,800 breaches it investigated involved credential abuse as an initial factor in the hack. Credential abuse was the leading initial factor, ahead of exploitation of vulnerabilities. Threat actors accumulate and then sell huge lists of stolen usernames and passwords to each other for use in hacks. That’s why technologies such as mandatory multi-factor authentication (MFA), the use of biometrics (like fingerprint readers) or security keys (like the YubiKey or Google Titan) are vital first-line defences against stolen credentials.
Among 23andMe’s failures cited in the report:
—no mandatory MFA as an extra step for login protection to prevent the exploitation of a stolen username and password. It was only an option. Less than 22 per cent of 23andMe customers had opted into either MFA or Single Sign-On;
—inadequate minimum password requirements. 23andMe required that the password be a minimum of only eight characters, with minimal complexity requirements. The U.K. ICO recommended a minimum of 10 characters. Other standards call for a longer minimum;
—inadequate compromised-password checks. 23andMe did not perform robust checks to verify if customers were reusing credentials that had been compromised in previous data breaches;
—no additional protections to access raw DNA data. Once an account was accessed, there were no additional identity verification measures in place to protect the most sensitive personal information, including raw DNA data, from being accessed and downloaded from an account;
—ineffective detection systems. 23andMe’s detection mechanisms failed to alert the company to clear signals that a hacker was attempting to gain, and had obtained, unauthorized access to large numbers of customer accounts;
—insufficient logging and monitoring of suspicious customer activity for detecting anomalous user behaviours indicative of unauthorized access. Nor could customers see what IT devices had been, or were currently being used to access their account;
—inadequate investigation of anomalies. “23andMe missed opportunities to identify and prevent, or at least interrupt, the attack,” says the report. “There were three distinct events that occurred during the period of the ongoing attack that, when viewed collectively, should have led 23andMe to detect the ongoing attack prior to October 2023. This could have, in turn, allowed 23andMe to prevent thousands of additional accounts from being subject to credential stuffing.”
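As an added illustration (not 23andMe’s code and not part of the commissioners’ report), the Python below puts three of the controls listed above into working form: a detector that scores each login source by the signature credential stuffing leaves in an authentication log (one source trying many distinct accounts with a low hit rate), the list of accounts that source succeeded against (the set to log out and force-reset), and a password-acceptance check covering the 10-character floor and screening against a breached-password corpus using the same SHA-1 prefix lookup shape as a k-anonymity range service. The log format, the thresholds and the breached-password list are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample authentication log (assumed format: "<ts> <src_ip> <account> <result>").
# 203.0.113.5 behaves like a credential-stuffing source: many distinct accounts,
# almost all failures, two hits. 198.51.100.7 is an ordinary user mistyping once.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.5 alice@example.com FAIL
2023-05-01T10:00:01Z 203.0.113.5 bob@example.com FAIL
2023-05-01T10:00:02Z 203.0.113.5 carol@example.com OK
2023-05-01T10:00:02Z 203.0.113.5 dave@example.com FAIL
2023-05-01T10:00:03Z 203.0.113.5 erin@example.com FAIL
2023-05-01T10:00:03Z 203.0.113.5 frank@example.com FAIL
2023-05-01T10:00:04Z 203.0.113.5 grace@example.com FAIL
2023-05-01T10:00:04Z 203.0.113.5 heidi@example.com OK
2023-05-01T10:00:05Z 203.0.113.5 ivan@example.com FAIL
2023-05-01T10:00:05Z 203.0.113.5 judy@example.com FAIL
2023-05-01T10:00:06Z 203.0.113.5 mallory@example.com FAIL
2023-05-01T10:00:06Z 203.0.113.5 oscar@example.com FAIL
2023-05-01T10:01:10Z 198.51.100.7 peggy@example.com FAIL
2023-05-01T10:01:20Z 198.51.100.7 peggy@example.com OK
"""

MIN_DISTINCT_ACCOUNTS = 10  # assumed threshold: one source touching this many accounts
MAX_SUCCESS_RATE = 0.25     # assumed threshold: stuffing is mostly misses


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append({"ts": ts, "ip": ip, "account": account, "ok": result == "OK"})
    return events


def detect_stuffing(events, min_accounts=MIN_DISTINCT_ACCOUNTS, max_success=MAX_SUCCESS_RATE):
    """Return {src_ip: summary} for sources whose pattern matches credential stuffing:
    many distinct accounts tried from one source with a low success rate."""
    by_ip = defaultdict(lambda: {"attempts": 0, "accounts": set(), "hits": []})
    for e in events:
        s = by_ip[e["ip"]]
        s["attempts"] += 1
        s["accounts"].add(e["account"])
        if e["ok"]:
            s["hits"].append(e["account"])
    flagged = {}
    for ip, s in by_ip.items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["accounts"]) >= min_accounts and rate <= max_success:
            flagged[ip] = {"attempts": s["attempts"],
                           "accounts": len(s["accounts"]),
                           "hits": sorted(s["hits"])}
    return flagged


def compromised_accounts(events):
    """Accounts that a flagged source logged into: revoke their sessions and reset passwords."""
    flagged = detect_stuffing(events)
    return {e["account"] for e in events if e["ok"] and e["ip"] in flagged}


# Constructed stand-in for a breached-password corpus. A production check would send the
# first five hex characters of the SHA-1 to a k-anonymity range service and compare the
# returned suffixes locally, which is the shape RANGE_STORE mimics here.
BREACHED_PASSWORDS = ["password", "123456", "qwerty123", "letmein!!"]


def _sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


RANGE_STORE = defaultdict(set)
for _pw in BREACHED_PASSWORDS:
    _h = _sha1_hex(_pw)
    RANGE_STORE[_h[:5]].add(_h[5:])


def is_breached(password, range_lookup=lambda prefix: RANGE_STORE.get(prefix, set())):
    """Prefix/suffix lookup: the full hash never leaves the client, only the 5-char prefix."""
    h = _sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def password_problems(password, min_len=10):
    """Policy the report points to: at least 10 characters and not in a known breach corpus."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_breached(password):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("flagged sources:", detect_stuffing(events))
    print("accounts to reset:", sorted(compromised_accounts(events)))
    for pw in ["letmein!!", "correct horse battery staple"]:
        print(repr(pw), "->", password_problems(pw) or "accepted")
```

Run as-is, the detector flags only 203.0.113.5 (12 accounts, 2 hits) and names carol and heidi as the accounts to lock and reset; the ordinary user at 198.51.100.7 is not flagged because one account with one mistyped password is not the stuffing pattern. The success-rate threshold matters: a purely failure-count rule misses the signal the report describes, which is that the attacker did obtain access to accounts, just rarely relative to the volume tried.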
“Despite the urgency of the situation – and 23andMe being aware of the credential-based attack, which was potentially ongoing – it took the company four days to disable all active user sessions and implement a password reset for all customers,” the report adds. “Furthermore, it took 23andMe approximately one month to disable the self-service raw DNA download feature and implement mandatory MFA. The absence of established protocols for responding to a credential stuffing attack may have contributed to these delays.”
23andMe has told the OPC and U.K. ICO that it has since made a variety of information security improvements.
On March 23rd, 2025, in the face of mounting financial losses, 23andMe Holding Co. and certain of its subsidiaries, including 23andMe, filed for Chapter 11 bankruptcy under the US Bankruptcy Code. According to Reuters, a non-profit headed by 23andMe co-founder Anne Wojcicki has offered to buy the company for US$305 million in a bankruptcy auction.
“The breach at 23andMe highlights the importance of taking proactive steps to protect against cyber attacks – and the significant negative impacts that breaches can have for individuals,” says the privacy commissioners’ preliminary report.
“A key starting point is identifying potential threats and the risk of harm associated with them. When the personal information at issue is highly sensitive, the safeguards should be more robust as there is a heightened risk of harm.
“Credential-based attacks such as ‘credential stuffing,’ are among the most common and well-known threats targeting web applications. Organizations should ensure that their customers’ online accounts are protected against such attacks by safeguards appropriate to the sensitivity of the personal information at risk.”
Experts stress that not all MFA is equal. Any second factor defeats credential stuffing, since a stolen password alone no longer opens the account, but the factor should also be phishing-resistant, so that a user lured to a fake login page cannot be tricked into handing over the second factor along with the username and password. One-time codes sent by text message are the weakest option: SMS can be intercepted or redirected through SIM swapping. Time-based codes from an authenticator app (Google Authenticator, Microsoft Authenticator, Authy, Cisco Duo or similar) are better, though a real-time phishing proxy can still relay them. Phishing-resistant MFA in the strict sense means FIDO2/WebAuthn credentials, that is, passkeys or hardware security keys such as the YubiKey or Google Titan, which are bound to the genuine site’s origin and cannot be replayed to an impostor site.