
23andMe Data Breach

23andMe’s Data Breach: Unraveling the Controversy

  • In today’s digital landscape, few predicaments are as harrowing as a data breach, particularly when it involves an organization entrusted with some of the most personal and sensitive information available on the internet.
  • 23andMe, the renowned DNA testing titan, has recently acknowledged that it has fallen prey to the sinister clutches of hackers, leading to the illicit acquisition of user data.
  • The magnitude of this breach becomes even more pronounced when we consider that this company houses information of a nature far more intimate than your run-of-the-mill email address or phone number; it retains genetic data, a window into the very essence of one’s biological identity.

Unveiling the Shocking Revelation: Stolen User Data

First reported by Wired and subsequently confirmed by 23andMe, the breach’s gravity comes into full view. What precisely does this breach entail?

The disconcerting reality is that the purloined data is now available for purchase on a platform known as BreachForum, where the responsible hacker solicits a fee ranging from $1 to $10 per compromised account.

[Image. Source: BleepingComputer]

BreachForum’s Information Cascade

More troubling still, the stolen data appears to have been deliberately curated to target Ashkenazi Jews, encompassing over a million data points tied to individuals of this specific group. The sample data the hackers released also contained information on hundreds of thousands of users of Chinese descent.

[Image. Source: BleepingComputer]

The Unraveling of the Data Breach Mechanism

You may wonder how this breach was carried out, especially since 23andMe insists that it wasn’t a conventional breach. According to the company, its security systems were not directly compromised. Instead, the attackers infiltrated the system by guessing users’ login credentials.

The Method: Credential Stuffing Attack

This sinister method employed by the hackers is dubbed "credential stuffing." In this approach, username and password pairs leaked in previous breaches are replayed against other platforms, exploiting users who regrettably reuse the same password across multiple websites.

Once inside an account, the hackers exploited a feature called "DNA Relatives," which lets users opt in to sharing additional data with their family and friends. Through the opted-in accounts they had taken over, the hackers could harvest information about far more users than they had actually logged in as.
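The credential-stuffing pattern described above is recognisable in an authentication log: one source tries many distinct usernames a few times each, and most attempts fail because most people did not reuse that exact password. The following is an added example (not code from the original post or from 23andMe) that flags such sources in a small constructed log and lists the accounts that were successfully logged into from them, the accounts a defender would reset and review for DNA Relatives exposure; the log format and thresholds are assumptions.

```python
# Added example, not from the original post. Separates credential-stuffing
# traffic (many usernames, few tries each, mostly failing) from ordinary
# logins in a constructed auth log. Thresholds are assumed, not 23andMe's.
from collections import defaultdict

# Constructed sample log, one event per line: "timestamp ip username result"
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.5 alice FAIL
2023-10-01T10:00:02 203.0.113.5 bob FAIL
2023-10-01T10:00:03 203.0.113.5 carol OK
2023-10-01T10:00:04 203.0.113.5 dave FAIL
2023-10-01T10:00:05 203.0.113.5 erin FAIL
2023-10-01T10:00:06 203.0.113.5 frank OK
2023-10-01T10:00:07 203.0.113.5 grace FAIL
2023-10-01T10:00:08 203.0.113.5 heidi FAIL
2023-10-01T10:05:00 198.51.100.7 alice FAIL
2023-10-01T10:05:30 198.51.100.7 alice OK
"""

def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "OK"))
    return events

def stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Return {ip: stats} for IPs that tried at least `min_users` distinct
    usernames with a success rate at or below `max_success_rate`."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for _, ip, user, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["ok"] += int(ok)
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"], "success_rate": rate}
    return flagged

def compromised_accounts(events, flagged):
    """Accounts successfully logged into from a flagged source: reset their
    passwords and review what their DNA Relatives opt-in exposed."""
    return sorted({u for _, ip, u, ok in events if ok and ip in flagged})
```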

In the company's own words:

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts. We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.”

Subsequently, a hacker released a further 4.1 million stolen 23andMe genetic data profiles, affecting individuals in Great Britain and Germany. The company attributes these breaches to credential stuffing attacks on accounts secured by weak passwords or by credentials that had previously been exposed in other data breaches.

Although 23andMe asserts that there is no evidence of a security breach within its IT systems, the breach ensued because a limited number of accounts had chosen to partake in the ‘DNA Relatives’ feature. This seemingly innocuous choice inadvertently precipitated a colossal data leakage with enduring repercussions.

Unfolding Consequences: The Ongoing Fallout

In the aftermath of these data breaches, a number of legal actions have been set in motion against 23andMe.

Multiple lawsuits have been filed, primarily contending that the company’s response lacks transparency and that it failed to provide adequate safeguards for its customers’ data.

Consequently, 23andMe faces an arduous journey ahead, navigating the waters of legal disputes and addressing the imperative need for robust password management.

In an age marked by increasingly sophisticated cyber threats, safeguarding sensitive data emerges as a paramount imperative for all users traversing the digital realm.

This post is licensed under CC BY 4.0 by the author.