What the 23andMe Data Breach Reveals About Credential Stuffing

December 07, 2023 - Genetic testing company 23andMe notified 6.9 million individuals that their personal information was compromised in October 2023. However, 23andMe had no evidence that there was a data security incident within its systems. Instead, threat actors leveraged credential stuffing, a tactic in which hackers use stolen login information from one account to gain access to other accounts with the same passwords.

Threat actors using stolen credentials do not have to worry about evading advanced threat detection systems or deploying sophisticated ransomware – they can simply log in to a user’s account using the stolen username and password.

As such, strong cyber hygiene on the consumer side is crucial to preventing this type of attack. But beyond raising awareness, what can organizations do to enforce proper cyber hygiene for their customers or patients and reduce the risk of credential stuffing?

HealthITSecurity recently spoke with experts from digital health risk assurance firm First Health Advisory to discuss the unique details of the 23andMe incident, the threat of credential stuffing, and what actions organizations can take now to mitigate the threat.

23andMe Data Breach Details

On October 1, a threat actor posted online claiming that they had accessed and obtained 23andMe users’ profile information. The company immediately launched an investigation that determined that the threat actor had accessed 0.1 percent of user accounts, or 14,000 accounts, using credential stuffing tactics.

The information accessed in the breach varied by individual but may have included ancestry information, family tree information, and some health information based on the user’s genetics. The threat actors reportedly targeted minority groups with this breach by posting highly specific information about people of Ashkenazi Jewish and Chinese descent on the dark web, garnering attention from lawmakers.

“Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online,” a Form 8-K Securities and Exchange Commission (SEC) filing stated.

Essentially, by accessing 14,000 accounts, the threat actors were able to access millions more profiles based on users’ participation in the DNA Relatives feature.

“We're dealing with a circumstance where essentially credentials were stolen from other breach events, and when the users were using usernames and passwords across a million systems, that's how the bad guys ended up getting access, as we understand it,” said Buddy Hickman, chief strategy officer at First Health Advisory.

Following the breach, 23andMe temporarily disabled some features within the DNA Relatives tool and required its users to reset passwords and enable multifactor authentication.

Hickman noted that 23andMe is not a healthcare provider nor a business associate under HIPAA, even though it maintains DNA information. Rather than being regulated and tracked through HHS channels, the breach would fall under the purview of the SEC or the Federal Trade Commission (FTC), he added.

Even so, HIPAA-covered entities and non-covered entities that maintain health data can learn from this incident and apply defensive strategies to reduce risk.

Credential Stuffing Points to Need for Increased Consumer Awareness

“In essence, it is the most basic form of an attack on an unaware user. And it's just going to continue as users recycle the same usernames and passwords across multiple sites,” said Matt Dimino, chief security officer at First Health Advisory.

“The implications can then have a cascading and downstream effect on those same users where not only do the hackers have their personal information, they can use that for all kinds of reconnaissance to family members and everyone else. It's just a waiting game of how long before a breach will impact each one of those individual users.”

The 23andMe breach exemplified the effects that poor cyber hygiene by end users can have on data security. What’s more, the breach’s impact was expanded since access to one account gave hackers further access to other user profiles via the DNA Relatives feature.

Multi-factor authentication (MFA) often emerges as a sensible solution to this issue. The cornerstones of authentication revolve around three factors: something you know, something you have, and something you are. While single-factor authentication requires the user to identify only one of those factors, MFA necessitates that users produce two or more factors, such as a password and a security token, or a pin number and a fingerprint.

“Multi-factor authentication is relatively strong. It's the bypassing that creates problems. Users feel that they don't need to because, for one, they feel like it impedes their login time,” Dimino noted.

“But over the last several years most organizations and tech companies have found a way to make it so seamless. Downloading a simple piece of information or it takes seconds to do multi-factor authentication. So the impediment really isn't realistic, and I think many folks are unaware to some degree of what multi-factor authentication really is and what it means for them.”

Improving cyber hygiene as an individual comes down to following password length and complexity best practices, leveraging multi-factor authentication, and taking care when providing any personal information on the internet.

Dimino recommended that end users leverage at-home security tools to check whether their information has been breached anywhere and take action to update passwords if it has.

“I think we look for instant gratification. We want to see results. So, we're willing to put ourselves at risk by entering, showing, and showcasing lots of pertinent personal information to get something in exchange,” Dimino suggested.

“And we're taking for granted what the industry is doing with that data and how they're protecting that. But we're also driving these issues as consumers because we're unaware and we're not practicing good cyber hygiene. And until there's changes in that matter, it'll continue.”

Steps to Mitigate Risk Now

While user awareness and proper cyber hygiene is important, organizations and service providers must also take responsibility for protecting user data and safeguarding credentials as much as possible.

Following the data security incident, 23andMe required all users to reset their passwords and later required all new and existing users to use two-step verification when logging in to the website going forward.

In addition to regular password updates and multi-factor authentication, Hickman and Dimino suggested that companies in a similar position strengthen these mechanisms by setting up alerts to notify users of unusual activity.

“For example, companies like 23andMe could use audit and traceability when they see erroneous behavior or unnatural behavior of a particular user,” Dimino suggested. “If the account is being accessed from another country, or what they're trying to access is out of the norm of baseline from that user, that should flag a user. That should flag information that a user should be aware that this doesn't look right and prompt them to verify.”

Another approach is enabling threat detection and monitoring tools, Hickman recommended. If data is being exfiltrated in a large volume, that should set off alerts to the company that a threat actor has gained access. Even so, Hickman and Dimino noted that this method is not foolproof, especially when it comes to credential stuffing in which threat actors might take bits of data at a time to avoid detection.

Other cornerstone security tactics include maintaining a strong incident response plan, remaining transparent with privacy policies, and strengthening third-party risk management strategies.

“There's a strong set of different practices that they need to deploy and employ. And it should be everything from the way users connect to the way you're storing data,” Dimino continued.

“If you're tasked with holding onto a large repository of data, where is it? What are you doing with it? How often is it being accessed? It is a matter of following a framework and aligning with specific practices and standards, and then truly testing that and documenting it.”

Credential stuffing is impossible for any single organization to completely prevent, as it requires users and service providers to be aware of it and take steps to mitigate the threat. However, companies that maintain sensitive data can begin by sharpening authentication practices.

Since the 23andMe breach occurred, similar genetic testing companies have already taken action to strengthen security, WIRED reported. Both Ancestry and MyHeritage have recently begun encouraging or requiring multi-factor authentication on their sites.

Whether an organization is a HIPAA-covered entity or another type of organization that maintains sensitive data, threat actors have made it clear that they will keep trying to gain access and obtain that data, no matter the consequences. With this in mind, it is crucial that companies and consumers take action to mitigate risk.

“I don't want to keep putting it back on the users, but that's where I see a big push and a big swing to support the industry as a whole,” Dimino added. “Even when we log into our portals for our personal health information with our hospitals and our caregivers, we expect them to maintain that to the same degree. And they do. They maintain high standards on that. But if we practice poor hygiene on our end, it's very easily circumvented. And that's why we continue to see those types of breaches.”