23andMe and Hack
What is 23andme?
23andMe is a direct-to-consumer genetic testing company founded in 2006. This company offers individuals the opportunity to explore their genetic ancestry and gain insights into their health traits through advanced DNA analysis.
What happened?
In early October A credential stuffing attack was used against the platform to compromise 14,000 user accounts. Due to how sharing on the platform works, those accounts allowed attackers to view information on 5.5 million DNA relatives profiles and 1.4 million family tree profiles.
Credential stuffing is when an attacker runs an automated attack against a login form trying to guess username and passwords. Often they will try compromised credentials from other breaches.
FAllout
Catalin Cimpanu at Risky Business News reported that 23andMe has rolled out new terms of services looking to get ahead of any litigation access users might bring against the company.
23andMe tells victims it’s their fault that their data was breached by Lorenzo Franceschi-Bicchieral at Tech Crunch - This is not going to look good for the company. While the attack was not some vulnerability or a social engineering attack it’s still never good to blame people for having weak passwords. There are so many passwords that have to be managed that it's on websites to make it easier for people to login and put the proper protections in place to help prevent this type of attack.
How to stay safe
Avoid using the same password across multiple sites.
Password managers are great for creating strong and unique passwords.
Double check the sharing permissions on a site.
Sharing is caring but not if it can be used against you.
Links
23andMe confirms hackers stole ancestry data on 6.9 million users - by Lorenzo Franceschi-Bicchierai - TechCrunch - December 2023