Guess the company: Takes your DNA, blames you when criminals steal it, can’t spot a cyberattack for 5 months


January 26, 2024 at 11:03AM

23andMe admitted to failing to detect malicious activity for 5 months while attackers exploited user accounts using credential stuffing techniques. The breach exposed data from 6.9 million individuals with DNA Relatives enabled. The company started mandating two-factor authentication only after the breach, and blamed users’ negligence for the incident. The response drew criticism and controversy.

The key takeaways are:

1. 23andMe experienced a significant data breach due to a failure to detect malicious activity for a period of five months, allowing attackers to access user accounts using credential stuffing techniques.

2. The breach impacted 14,000 accounts with the DNA Relatives feature enabled, ultimately exposing the data of 6.9 million individuals.

3. The compromised data included basic profile information such as last login data, relationship labels, predicted relationships, percentage of DNA shared, account display names, and additional optional information like ancestry reports, matching DNA segments, and personal bios.

4. 23andMe only implemented two-factor/multi-factor authentication (2FA/MFA) by default a month after detecting the breach, and initially attributed the breach to user negligence, claiming that users failed to update their passwords following prior security incidents unrelated to 23andMe.

5. The company’s attempt to limit victims’ legal options through changes in its terms of service and its controversial introduction of a new 60-day dispute resolution period has sparked criticism and backlash from the information security industry.

These takeaways highlight the impact of the breach, the delayed implementation of 2FA/MFA, and the controversy surrounding the company’s response and actions.
