23andMe: Data Breach Was a Credential-Stuffing Attack

December 4, 2023 at 04:13PM

23andMe reported a data breach affecting 0.1% of users, resulting from a credential-stuffing attack. Compromised data included personal genetic information. The company has since increased security measures and faces class action lawsuits, expecting to spend $1-2 million due to the breach. Security experts emphasize the need for robust cybersecurity.

Key Takeaways:

1. Data Breach Details:
– Data breach occurred in October at 23andMe, with user information being accessed and downloaded.
– On Oct. 1, a threat actor claimed to have 23andMe user profile information, later releasing 4 million more records.
– The company undertook an investigation with third-party experts.
– The breach affected a small percentage of user accounts (0.1%).
– The breach resulted from a credential-stuffing attack that used credentials previously stolen from other sites.

2. Information Compromised:
– Compromised data includes ancestry and health information varying by user.
– Access was also gained to DNA Relatives feature information, which was posted online.

3. Company Response:
– The company believes the threat actor’s activity has been contained.
– Notifications were sent to impacted individuals.
– Users were required to change their passwords, and two-step authentication was introduced.

4. Financial Impact:
– Multiple class action lawsuits filed.
– Projected $1 million to $2 million in related expenses for the third fiscal quarter.

5. Expert Commentary:
– Javvad Malik from KnowBe4 emphasized the threat’s seriousness, given the sensitive nature of the genetic data involved.
– He highlighted the need for strong cybersecurity, unique passwords, and multifactor authentication.
– He stressed the company’s responsibility to constantly improve security measures and educate users on security practices.
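
A credential-stuffing run, as described under Data Breach Details, typically appears in authentication logs as one source trying many different accounts and mostly failing. The following detection sketch is an added example, not code from 23andMe or the original article; the log format, function names, thresholds and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption): <timestamp> ip=<addr> user=<name> result=OK|FAIL
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(lines):
    """Yield (ip, user, ok) for each well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4) == "OK"

def detect_stuffing(lines, min_accounts=5, max_success_ratio=0.25):
    """Flag source IPs that try many distinct accounts and mostly fail.

    Returns {ip: sorted accounts that logged in successfully from that ip}.
    Those accounts are the ones to lock, reset and notify.
    """
    attempts = defaultdict(int)
    successes = defaultdict(int)
    users = defaultdict(set)
    compromised = defaultdict(set)
    for ip, user, ok in parse(lines):
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            successes[ip] += 1
            compromised[ip].add(user)
    flagged = {}
    for ip, n in attempts.items():
        if len(users[ip]) >= min_accounts and successes[ip] / n <= max_success_ratio:
            flagged[ip] = sorted(compromised[ip])
    return flagged

# Constructed sample: one source walking a credential list, one ordinary user.
SAMPLE_LOG = [
    f"2023-10-01T12:00:{i:02d}Z ip=203.0.113.7 user=user{i} result={'OK' if i == 3 else 'FAIL'}"
    for i in range(8)
] + [
    "2023-10-01T12:01:00Z ip=198.51.100.20 user=alice result=FAIL",
    "2023-10-01T12:01:09Z ip=198.51.100.20 user=alice result=OK",
]

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: reset and notify {accounts}")
```

Per-source grouping is only one signal, and the thresholds need tuning against normal traffic. It complements the controls listed above (unique passwords and two-step authentication) rather than replacing them.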
