23andMe User Data Stolen in Credential Stuffing Attack
The San Francisco, CA-based direct-to-consumer genetic testing company, 23andMe, confirmed on Friday that the sensitive data of some of its users has been stolen, following reports that user data was being offered for sale online. 23andMe confirmed that its systems were not breached and said users’ genetic data remains secure; however, there has been unauthorized access to some customer accounts. Based on 23andMe’s preliminary investigation, individual accounts were compromised in what appears to have been a credential stuffing campaign that exploited users’ poor password practices. 23andMe said it is currently working on confirming the preliminary results of its investigation, and third-party digital forensics experts have been engaged to ensure that its systems are secure.
The compromised user accounts were scraped, and the threat actor obtained data from 23andMe profiles, including data from its DNA Relatives feature. This opt-in feature allows users to share their information with other users of the platform to find distant genetic relatives and includes broad descriptions of users’ genetic makeup, but no raw data. The extent of data theft has not been confirmed by 23andMe, nor the number of customers that have been affected. 23andMe said it actively and routinely monitors customer accounts for suspicious activity and investigates and validates the data from those processes to determine if there has been unauthorized access to customer accounts. 23andMe is actively investigating this incident, has notified law enforcement about the attack, and will notify the customers concerned if it is determined that their accounts have been accessed by unauthorized individuals. In an October 9, 2023, update, 23andMe said it has reset passwords on all user accounts as a precaution and said it encourages all users to ensure that multifactor authentication is enabled on their accounts.
Stolen Data Offered for Sale on the Dark Web
On October 4, 2023, an X user (@DarkWebInformer) tweeted about a 23andMe data leak. A CSV file was leaked on a dark web forum which claimed to include a profile list of around half of 23andMe’s customers – around 7 million individuals. According to the listing, “these members have technical details such as their origin estimation, phenotype and health information, photo and identification data, and their last login date to the site.” The poster claims to have around 13 million pieces of user data and said, “If company management doesn’t announce a data breach within 24 hours, the data will start to be shared.” The dark web post also states that accounts were not breached in an effort to manipulate stock prices, and claims that company management at 23andMe was aware of a data breach 2 months ago and started a quick sale of their stock before news of the hacking spread, and said the hacking incident was not shared with investors or the SEC. 23andMe responded to the tweet the same day and confirmed that an investigation had been conducted into a potential data breach, and 23andMe published a blog post about the account breaches on October 6, 2023. 23andMe has not responded to the claims about the alleged data breach 2 months ago, and the hacker’s claims have not been verified.
Data allegedly stolen in the attack is now being offered for sale. One post offers a dataset that includes more than one million data points about Ashkenazi Jews, while another dataset has been leaked that includes information on around 300,000 23andMe users of Chinese descent. The data includes basic information on users such as names, dates of birth, sex, birth year, and some information about genetic ancestry. Raw genetic data does not appear to have been obtained.
While the data being offered for sale relates to specific groups of users, it is unclear whether these individuals were specifically targeted. The data being offered for sale could be part of a larger dataset that has been sorted and packaged, with the individuals in each of these data sets having been identified as having genetic traits from these populations. There are 47 genetic populations on the platform, and users are informed about the percentage of their DNA that comes from each population. The dataset appears to include users with Ashkenazi or Chinese ancestry among their top three populations.
The threat actor is also offering data packs for sale which contain, “tailored ethnic groupings, individualized data sets, pinpointed origin estimations, haplogroup details, phenotype information, photographs, links to hundreds of potential relatives, and most [crucially], raw data profiles”. The DNA profiles in the data packs “[range] from the world’s top business magnates to dynasties often whispered about in conspiracy theories,” and allegedly include corresponding email addresses. The data profiles are listed for $1,000 for 100 profiles, $5,000 for 1,000 profiles, $20,000 for 10,000 profiles, and $100,000 for 100,000 profiles. While 23andMe has confirmed that customer data has been stolen from accounts, 23andMe has not verified the hacker’s claims nor verified the data in the samples that have been published.
“Data leaks, no matter what information was leaked, are truly an invasion of personal privacy. The main differentiator between what we see from a typical leak (passwords, credit card numbers, email addresses, etc.) and genetic information is the ability to change or rotate what was compromised. Someone cannot just simply change their genetic code, like they can an email address or password. The inherent risk of your genetic information being exposed is low, until some cybercriminal wants to exploit that. This would be to discriminate, target, or harass an individual(s) based on their religion, ancestry tree, skin color, or where they were descended from,” BigID’s Sr. Manager of Cloud Security, Kyle Kurdziolek, explained to The HIPAA Journal.
Credential Stuffing Exploits Poor Password Practices
Credential stuffing is an attack where credentials obtained from a data breach on one platform are used to access accounts on an unrelated platform. This method of attack can only succeed if passwords have been reused on multiple platforms. While setting unique passwords for all accounts is one of the most important password best practices, password reuse is incredibly common.
The 2023 Verizon Data Breach Investigations Report suggests that 80% of successful data breaches are due to the use of compromised passwords, and 75% of users take risks with passwords such as not following industry-recommended password practices. Only 25% of respondents to the survey said they set strong, unique passwords for all of their accounts. A recent AT&T study found that 42% of respondents reuse passwords across multiple accounts. If a password is obtained in a data breach, it can be used to access all other accounts that share the same password.
The username and password combinations used in credential stuffing attacks can often be purchased cheaply on dark web hacking forums and these attacks are common. Earlier this year, customers of the Amazon-owned online pharmacy, PillPack, were targeted in a credential stuffing campaign. Over a period of 4 days in April, more than 19,000 customer accounts were subjected to unauthorized access. United HealthCare (UHC) patients suffered a similar attack in February when the UHC mobile application was targeted.
Multifactor authentication (MFA) adds an additional layer of protection against credential stuffing, phishing, and brute force attacks on accounts and protects accounts against unauthorized access if account credentials are obtained. The 23andMe accounts that were compromised in this attack appear not to have had MFA enabled. Implementing MFA and adhering to password best practices are two of the four key cybersecurity measures being promoted this Cybersecurity Awareness Month. The attacks on PillPack, UHC, and 23andMe accounts highlight just how important these two cybersecurity measures are.
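The login pattern described above (one client trying many different usernames, each with a password recycled from an unrelated breach, with most attempts failing and a few succeeding) is what distinguishes credential stuffing from a brute force attack on a single account, and it is what a defender can look for in authentication logs. The following is an added example, not code from the article, 23andMe, or any vendor quoted here: a small detector that runs over constructed web-server login records (the log format, IP addresses, usernames and thresholds are all assumptions for illustration). It flags a source IP that attempts at least five distinct accounts inside a ten-minute window with a failure rate of 60% or more, and lists every account that logged in successfully from that IP so those accounts can be given the response the article describes, a forced password reset and an MFA prompt.

```python
"""
Added example (not from the HIPAA Journal article or 23andMe): a simple
credential-stuffing detector run over constructed authentication logs.

Heuristic: inside a sliding time window, one source IP attempts many
DISTINCT usernames and most of those attempts fail. Any account that
succeeded from a flagged IP is reported for password reset + MFA.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data). Assumed format:
# <ISO timestamp> <source ip> <username> <SUCCESS|FAIL>
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.test FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.test FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol@example.test FAIL
2023-10-01T10:00:03Z 203.0.113.7 dave@example.test SUCCESS
2023-10-01T10:00:04Z 203.0.113.7 erin@example.test FAIL
2023-10-01T10:00:05Z 203.0.113.7 frank@example.test FAIL
2023-10-01T10:00:06Z 203.0.113.7 grace@example.test FAIL
2023-10-01T10:00:07Z 203.0.113.7 heidi@example.test FAIL
2023-10-01T10:00:08Z 203.0.113.7 ivan@example.test SUCCESS
2023-10-01T10:00:09Z 203.0.113.7 judy@example.test FAIL
2023-10-01T10:05:00Z 198.51.100.9 alice@example.test FAIL
2023-10-01T10:05:20Z 198.51.100.9 alice@example.test SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")

MIN_USERS = 5            # distinct accounts tried from one IP (assumed threshold)
MIN_FAIL_RATIO = 0.6     # share of attempts that failed (assumed threshold)
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Yield (timestamp, ip, user, ok) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"


def detect_credential_stuffing(text, min_users=MIN_USERS,
                               min_fail_ratio=MIN_FAIL_RATIO, window=WINDOW):
    """Return {ip: {"users": n, "fail_ratio": r, "compromised": [...]}} for
    every source IP whose activity matches the stuffing pattern in some window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, hit = 0, None
        for end in range(len(events)):
            # Slide the window so events[start:end+1] spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                # Keep the widest matching window for the report
                if hit is None or len(users) > hit[0]:
                    hit = (len(users), ratio)
        if hit:
            # Every success from a stuffing source is a suspected takeover
            compromised = sorted({u for _, u, ok in events if ok})
            flagged[ip] = {"users": hit[0], "fail_ratio": round(hit[1], 2),
                           "compromised": compromised}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['users']} accounts tried, "
              f"{info['fail_ratio']:.0%} failed; "
              f"reset password + require MFA for: {', '.join(info['compromised'])}")
```

On the sample data the detector flags 203.0.113.7 (ten accounts tried, 80% failure) and names the two accounts that authenticated from it, while the single user at 198.51.100.9 who mistyped a password once is left alone. In production the thresholds would be tuned per site, and the distinct-username count is the signal worth keeping: per-account lockouts do not trigger on this pattern because each account sees only one or two attempts.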
“The latest 23andMe credential stuffing attack underscores the need for account protection tools that can withstand attacks from sophisticated bots. Credential stuffing relies on the all-too-common issue of password reuse to gain access to online accounts. With 81% of individuals reusing passwords or using similar passwords for multiple accounts, malicious threat actors with access to a list of leaked credentials have an easy time finding valid login and password combinations,” said Antoine Vastel, PhD, Head of Research at online fraud and bot mitigation company, DataDome. “23andMe proposed 2FA to their users, which means they had a way to secure their account with it. However, it’s difficult to make users adopt 2FA. It’s counterintuitive for a lot of people, and may be difficult to set up for non-tech-savvy users. And because it impacts UX, it’s not often enforced (except when the law forces websites to have default 2FA). This demonstrates the need for seamless and transparent bot detection techniques.”
On October 9, 2023, a lawsuit was filed against 23andMe alleging the company was negligent for failing to protect customers’ data.
On December 1, 2023, 23andMe confirmed in an SEC filing that approximately 14,000 user accounts were compromised in the credential stuffing attack, through which the personal data of approximately 6.9 million users was accessed via the DNA Relatives feature.
Attack Was Not a HIPAA Breach
While the information obtained from users’ accounts would be classed as protected health information (PHI) if it was collected by a HIPAA-covered entity, companies that offer direct-to-consumer genetic testing services are generally not HIPAA-covered entities and are therefore not subject to the HIPAA Rules. That does not mean that they are not required to implement cybersecurity measures to ensure that the information they collect, process, and store is safeguarded. For instance, companies such as 23andMe are required to comply with the FTC regulations and must not engage in deceptive trading practices, and if there is a breach of health information, they must issue notifications in accordance with the FTC’s Health Breach Notification Rule. In the summer of 2023, the FTC took action against 1Health, a San Francisco, CA-based vendor of DNA test kits and personalized diet and exercise plans based on genetic testing. The FTC alleged sensitive genetic and health data had been left unsecured, and claimed 1Health deceived customers about its data-sharing practices. The case was settled for $75,000.
Many states now have consumer data protection laws, several of which specifically include genetic data. The extent to which these laws and regulations apply is currently unclear as there does not appear to have been a data breach at 23andMe. Customer accounts were compromised as a result of poor security and password practices of its users. 23andMe recommends users set a strong and unique password for their account and ensure that multifactor authentication is enabled. “Since 2019 we’ve offered and encouraged users to use multi-factor authentication (MFA), which provides an extra layer of security and can prevent bad actors from accessing an account through recycled passwords,” said a spokesperson for 23andMe.
Data breaches at DNA testing companies are investigated by regulators and fines have been issued for security and data breach notification failures. The DNA testing company, DNA Diagnostics Center, suffered a data breach in 2021 that affected 2.1 million individuals. The breach was investigated by the state attorneys general in Pennsylvania and Ohio who found the company had failed to implement reasonable and appropriate cybersecurity measures, had made unfair and deceptive statements about its cybersecurity program in its privacy practices and failed to employ reasonable measures to detect and prevent data breaches. The case was settled for $400,000.
Data breaches often trigger class action lawsuits. The clinical genomic diagnostics vendor Ambry Genetics suffered an email data breach in January 2020 that affected almost 233,000 individuals. While Ambry Genetics appears to have avoided regulatory fines over the data breach, several class action lawsuits were filed by the individuals affected. The consolidated class action was settled for $12.25 million.