23andMe user data stolen, offered for sale

Information belonging to as many as seven million 23andMe customers has been put up for sale on criminal forums following a credential stuffing attack against the genomics company.

On Friday October 6, 2023, 23andMe confirmed via a somewhat opaque blog post that threat actors had “obtained information from certain accounts, including information about users’ DNA Relatives profiles.”

The company says cybercriminals stole profile information that users had shared through its DNA Relatives feature, an optional service that lets customers find and connect with genetic relatives who have also signed up to DNA Relatives. It does not explain what data was stolen, or how much of it, but it does indicate that crooks pulled off the heist “where users recycled login credentials”, and not because of a vulnerability in its systems.

We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.

In other words, cybercriminals got into a number of 23andMe accounts whose owners had used the same password on 23andMe and on another website that had suffered a data breach. Taking lists of usernames and passwords exposed in one breach and trying them against another site's login page is known as “credential stuffing”, and it is both common and effective, because users often use the same password for multiple websites and the attempts are cheap to automate. However, the damage here seems to go far beyond the accounts with reused passwords.

It seems the attackers didn't simply steal the data belonging to the accounts they broke into. DNA Relatives shows each opted-in participant the profile information of their genetic matches, so every compromised account that had opted in gave the attackers a view of all of that account's matches, none of whom had to have a weak or reused password themselves. That is how a relatively small number of stuffed accounts can turn into a much larger trove of data. According to Bleeping Computer, “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached.”
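Both patterns described above leave a footprint in a site's own logs: a credential stuffing run is one source trying many different usernames in a short window with mostly failures, and the follow-on scraping is a handful of accounts viewing far more relative profiles than any real user would. The following detector is an added example written for this article, not code from 23andMe or from any named product, and it runs over constructed sample log lines (the IP addresses, usernames and profile IDs are made up; the thresholds are illustrative assumptions a real deployment would tune against its own traffic).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample login log (not real data): (ISO timestamp, source IP, username, outcome).
# 203.0.113.7 walks a breach list; 198.51.100.9 is one user mistyping a password once.
LOGIN_EVENTS = [
    ("2023-10-01T10:00:01", "203.0.113.7", "alice", "fail"),
    ("2023-10-01T10:00:02", "203.0.113.7", "bob", "fail"),
    ("2023-10-01T10:00:03", "203.0.113.7", "carol", "success"),
    ("2023-10-01T10:00:04", "203.0.113.7", "dave", "fail"),
    ("2023-10-01T10:00:05", "203.0.113.7", "erin", "fail"),
    ("2023-10-01T10:00:06", "203.0.113.7", "frank", "success"),
    ("2023-10-01T10:00:07", "203.0.113.7", "grace", "fail"),
    ("2023-10-01T10:00:08", "203.0.113.7", "heidi", "fail"),
    ("2023-10-01T10:00:09", "203.0.113.7", "ivan", "fail"),
    ("2023-10-01T10:00:10", "203.0.113.7", "judy", "fail"),
    ("2023-10-01T10:05:00", "198.51.100.9", "alice", "fail"),
    ("2023-10-01T10:05:20", "198.51.100.9", "alice", "success"),
    ("2023-10-01T11:00:00", "192.0.2.44", "mallory", "success"),
]

# Constructed sample of relative-profile views: (username, relative profile id).
# Ten ordinary users look at a few matches; carol and frank page through every match they have.
PROFILE_VIEWS = (
    [(f"user{n}", f"R{i}") for n in range(10) for i in range(n + 1)]
    + [("alice", f"R{i}") for i in range(3)]
    + [("mallory", f"R{i}") for i in range(5)]
    + [("carol", f"R{i}") for i in range(400)]
    + [("frank", f"R{i}") for i in range(350)]
)


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=8, min_fail_rate=0.5):
    """Flag source IPs that try at least `min_users` distinct usernames inside `window`
    with a failure rate of at least `min_fail_rate`. Returns {ip: details}, where
    details["compromised"] lists the usernames that nonetheless logged in successfully."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            span = [r for r in rows[i:] if r[0] - t0 <= window]
            users = {u for _, u, _ in span}
            if len(users) < min_users:
                continue
            fails = sum(1 for _, _, o in span if o == "fail")
            # A shared office NAT also shows many users from one IP, but with a high
            # success rate; a stuffing run is many users and mostly failures.
            if fails / len(span) >= min_fail_rate:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "failures": fails,
                    "compromised": sorted(u for _, u, o in span if o == "success"),
                }
                break
    return flagged


def detect_relative_enumeration(views, multiplier=10, floor=50):
    """Flag accounts that view far more distinct relative profiles than the population median.
    The median baseline is an illustrative choice; it assumes most accounts behave normally."""
    per_user = defaultdict(set)
    for user, profile in views:
        per_user[user].add(profile)
    counts = {u: len(p) for u, p in per_user.items()}
    threshold = max(floor, multiplier * median(counts.values()))
    return {u: n for u, n in counts.items() if n > threshold}


def accounts_to_lock(login_events, profile_views):
    """Union of accounts a stuffing run logged into and accounts caught scraping matches:
    the set an incident responder would force-reset (and enrol in MFA) first."""
    stuffed = {u for d in detect_credential_stuffing(login_events).values() for u in d["compromised"]}
    return sorted(stuffed | set(detect_relative_enumeration(profile_views)))


if __name__ == "__main__":
    print(detect_credential_stuffing(LOGIN_EVENTS))
    print(detect_relative_enumeration(PROFILE_VIEWS))
    print(accounts_to_lock(LOGIN_EVENTS, PROFILE_VIEWS))
```

The two checks are deliberately separate. The first catches the break-in at the login endpoint, where an IP-based rate limit or MFA challenge can stop it. The second catches the part that password hygiene cannot help with: a legitimately authenticated session using a legitimate feature, just far more than any real person would, which is why it has to be watched on the feature itself rather than at login.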

The Record reports that the stolen data does not include genomic sequencing data, but does include “profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user has opted into 23AndMe’s health data.”

The stolen data is only worth something insofar as it can be used to extract money from somebody, so we expect it to be used in social engineering attacks such as scams and phishing. Users of 23andMe are the likely targets, so if that includes you, take extra care with messages about, or apparently from, 23andMe. Visit the website directly to get information and guidance, don't follow links or download attachments from emails claiming to be from 23andMe, and follow our simple guide to spotting any scam.

23andMe is urging its users to ensure they have strong passwords, to avoid reusing passwords from other sites, and to enable multi-factor authentication (MFA).

Respectfully, we would like to see 23andMe reach a different conclusion. Telling users to choose strong passwords and not to reuse them is great advice that just isn’t working. It’s good in theory but fails in practice. In a world where users have tens or even hundreds of logins to manage, password reuse and weak passwords that are easy to remember are inevitable.

The company is right to emphasise the enormous usefulness of MFA, but rather than asking users to turn it on, why not just make it mandatory? MFA is, by far, the most useful thing you can do to stop credential stuffing: a leaked password on its own is no longer enough to log in, so it protects users from the consequences of reuse.

In 2019, Microsoft’s Alex Weinert wrote that “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.” You won’t find another technology that gets close.

As 23andMe says in its own blog post, “Since 2019 we’ve offered and encouraged users to use multi-factor authentication.” The company deserves credit for offering MFA, but the scale of this attack against it suggests that not enough users are making the choice. The only way to make MFA the norm is to insist on it instead of ask.
