23andMe, a California-based genetic testing company, disclosed a major breach in early October 2023 that ultimately affected around 7 million customer records. A later regulatory filing revealed that roughly 14,000 user accounts had been accessed directly by ‘threat actors’, and that the attackers were also able to access ‘a significant number of files containing profile information about other users’ ancestry’. The following day, it emerged that the true number of affected individuals was closer to half of the company’s entire user base, or 6.9 million accounts: the DNA Relatives feature, which lets genetically related users see each other’s profiles, allowed each compromised account to be used to scrape the profile data of every relative who had opted in.
Another group of users who had opted into the DNA Relatives feature ‘had their family tree information accessed’. The exposed information ranged from names and contact details to ancestry reports and raw genotype data of individual users. Hackers began offering the records for sale at between $1 and $10 per account, advertising that some of the ‘wealthiest people in the US and Europe’ were among those in the compromised data.
Poor Cyber Hygiene
This breach was a credential stuffing attack. The attackers took username and password pairs leaked in unrelated earlier breaches and replayed them against the 23andMe login, succeeding wherever a customer had reused the same password. No flaw in the login code itself was needed; password reuse by users was the weakness, and the DNA Relatives feature then multiplied the impact of each account the attackers got into.
Stricter password and 2FA policies would have blunted this attack. After the breach, 23andMe required 2FA for all users, temporarily disabled some potentially vulnerable features within its customer-facing suite and mandated a password reset for every account. Mandatory 2FA means a replayed password is no longer sufficient on its own, which makes a repeat of this particular attack far less likely, although it does not remove the need to detect and rate-limit the tell-tale login pattern (many distinct usernames tried from a single source in a short window). The episode stands as a stark reminder of how important cyber hygiene requirements are, especially within organizations that handle a lot of consumer data.
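The two controls described above can be made concrete. The following Python is an added illustration written for this article, not 23andMe’s code: it flags credential-stuffing sources in a login log by looking for a single source IP trying many distinct usernames with a high failure rate, and it rejects new passwords that appear in a known-breached list. The log format, the thresholds and the breached-password list are all assumptions constructed for the example; the breached-password lookup copies the shape of the public Have I Been Pwned range API (the first five hex characters of the SHA-1 digest select a bucket, the remainder is matched within it) but runs entirely offline.

```python
"""Credential-stuffing detection and breached-password rejection (illustrative).

Added example, not code from 23andMe. The log format, thresholds and
breached-password corpus below are constructed assumptions.
"""
import hashlib
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): "<ISO time> <source ip> <username> <OK|FAIL>".
# 203.0.113.7 tries ten different accounts in nine seconds with a few hits: the
# signature of replayed leaked credentials. 198.51.100.9 is one user fumbling a login.
SAMPLE_LOG = """\
2023-10-01T12:00:01 203.0.113.7 alice FAIL
2023-10-01T12:00:02 203.0.113.7 bob FAIL
2023-10-01T12:00:02 203.0.113.7 carol OK
2023-10-01T12:00:03 203.0.113.7 dave FAIL
2023-10-01T12:00:04 203.0.113.7 erin FAIL
2023-10-01T12:00:05 203.0.113.7 frank OK
2023-10-01T12:00:06 203.0.113.7 grace FAIL
2023-10-01T12:00:07 203.0.113.7 heidi FAIL
2023-10-01T12:00:08 203.0.113.7 ivan FAIL
2023-10-01T12:00:09 203.0.113.7 judy FAIL
2023-10-01T12:03:00 198.51.100.9 alice FAIL
2023-10-01T12:03:20 198.51.100.9 alice FAIL
2023-10-01T12:03:40 198.51.100.9 alice OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=8, min_fail_ratio=0.5):
    """Return {ip: stats} for sources whose busiest window looks like credential stuffing.

    Unlike a brute-force attack (one user, many passwords), stuffing spreads attempts
    across many distinct usernames, so distinct users per source is the key signal.
    Thresholds are assumed values; tune them to the site's real traffic.
    """
    by_ip = defaultdict(list)
    for t, ip, user, ok in events:
        by_ip[ip].append((t, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        users, fails, j, best = Counter(), 0, 0, None
        for i, (t_i, _, _) in enumerate(evs):
            # Extend the window end to cover every event within `window` of event i.
            while j < len(evs) and evs[j][0] - t_i <= window:
                users[evs[j][1]] += 1
                fails += 0 if evs[j][2] else 1
                j += 1
            stats = {"distinct_users": len(users), "failures": fails, "attempts": j - i}
            if best is None or stats["distinct_users"] > best["distinct_users"]:
                best = stats
            # Slide the window start past event i.
            users[evs[i][1]] -= 1
            if users[evs[i][1]] == 0:
                del users[evs[i][1]]
            if not evs[i][2]:
                fails -= 1
        if best["distinct_users"] >= min_users and best["failures"] / best["attempts"] >= min_fail_ratio:
            flagged[ip] = best
    return flagged


# Constructed breached-password corpus (assumption); a real deployment would use a full leak set.
BREACHED_PASSWORDS = {"password123", "qwerty", "letmein", "23andme2023"}


def build_range_index(breached_passwords):
    """Bucket SHA-1 digests by their first five hex characters (HIBP range-API layout)."""
    index = defaultdict(set)
    for pw in breached_passwords:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index


BREACHED_INDEX = build_range_index(BREACHED_PASSWORDS)


def password_is_breached(password, index=BREACHED_INDEX):
    """True if the candidate password's SHA-1 appears in the breached index; reject it at set time."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"possible credential stuffing from {ip}: {stats}")
    for candidate in ("password123", "correct-horse-battery-staple"):
        print(candidate, "breached" if password_is_breached(candidate) else "ok")
```

The detector is deliberately per-source; attackers spread stuffing across proxies, so a production version would also watch the global rate of failed logins for never-before-seen username/IP combinations and add rate limiting or step-up authentication rather than only alerting.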
Further Mitigation Techniques
On top of the policy changes above, aligning an information security management system with ISO 27001 is a widely used baseline for reducing the risk of credential stuffing and other data leaks. The Annex A controls below (ISO 27001:2013 numbering) are the most relevant to this incident.
- Access Control Policy (A.9.1) – Business requirements for access control, including user rights management, account provisioning and user authentication provisions such as mandatory MFA for accounts that expose sensitive data.
- Information Security Incident Management Policy (A.16.1) – Appropriate procedures for detecting, reporting, assessing and responding to information security incidents, including roles and responsibilities, escalation procedures and steps for mitigating incident impact.
- Supplier Security Policy (A.15.1) – Clearly outlined governance of external suppliers and service providers to ensure the security of information assets. While this wasn’t the direct cause of the data leak, it’s important to include, as external entities with access to sensitive data increase an organization’s attack surface.
- Data Protection and Privacy Policy (A.18.1) – Establishing an organization’s commitment to protecting the confidentiality, integrity and availability of personal data, and ensuring transparency with data subjects about how their data is processed, is an important and legally necessary step to ensure compliance.
- Logging, Monitoring and Review Policy (A.12.4, A.18.2) – Strong governance of an organization’s security processes and info-sec controls, including login and access logging, regular security assessments, audits and reviews of policy, helps catch any chinks in the armour before they’re found by malicious entities. In this case, monitoring of login traffic for many distinct usernames being tried from one source would have surfaced the attack early.
These are just a few of the policies that may be relevant in the context of data breaches, and of credential stuffing in particular.