Personal information represents a goldmine of opportunity for threat actors. We have grown accustomed to hearing about compromised Social Security and credit card numbers, but genetic information is also vulnerable to breaches and leaks. Hackers have stolen data from 23andMe and compiled a list of 999,999 people they claim have Ashkenazi Jewish heritage and have used the DNA genetic testing service, NBC News reports.
How did hackers access this information, and what does this kind of attack mean for companies and consumers?
A Credential Stuffing Attack
On Oct. 6, 23andMe published a blog post addressing data security concerns. “While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials,” according to the blog.
Hackers executed a credential-stuffing attack against the company: using credentials stolen from another site to gain unauthorized access to individual 23andMe accounts. “Most people recycle passwords across different platforms,” Boyd Clewis, cofounder of Baxter Clewis Training Academy, a cybersecurity professional training company, tells InformationWeek.
Attacks like this have happened before. In January, a credential-stuffing attack impacted approximately 35,000 PayPal users. To execute this type of attack, threat actors may access recycled passwords via another attack, or they may purchase compromised usernames and passwords on the dark web.
Users can opt into 23andMe’s DNA Relatives feature, which allows you to find and connect with other users who are opted into that feature. A single user could see thousands of genetic matches; hackers likely scraped the list of people with Ashkenazi heritage by accessing accounts that use that feature, according to NBC News.
Leaked Genetic Information
The hackers followed the leaked list of people with Ashkenazi heritage with an offer to sell more 23andMe data, BleepingComputer reports. In addition to the genetic ancestry information, the list includes first and last names and sex, according to NBC News.
Thus far, the motivations for the initial, targeted data leak are unclear. “Were they going to use this to monetize? Were they going to use this to blackmail? Were they going to use this to build credibility? Nobody knows for sure,” says Dimitri Sirota, CEO of privacy management platform BigID.
Sirota also raises the issue of inflamed politics and hate crimes. Leaking a list of people with Ashkenazi Jewish ancestry suggests antisemitism as a potential motivation.
The compromised information could be used in service of identity theft, but the implications of the leaked genetic information are not as readily apparent. “In terms of the actual genetic information, I know specifically this can be used to target people and potential relatives,” says Clewis. “[These are] uncharted waters right now.”
Lessons for Companies and Consumers
23andMe is already facing a class action lawsuit that alleges negligence, breach of implied contract and invasion of privacy. The lawsuit argues that the company attempts to blame the threat actors without giving users adequate knowledge of how the breach occurred and whether the threat has been contained.
In its blog post, 23andMe recommends users ensure that they have strong passwords and enable multifactor authentication (MFA) on their accounts.
What can other companies safeguarding private personal information learn from this attack? Sirota emphasizes the importance of protecting privileged credentials, which can give threat actors access to entire systems and databases when compromised.
“The unfortunate reality is sometimes these privileged credentials live in many places in the enterprise outside of that lockbox or vault,” he says. “And so, I think a continuous monitoring of the environment, making sure that these credentials are not just floating around and easy to steal … it’s important.”
Once their data has been compromised, consumers are faced with the prospect of monitoring for signs of identity theft. But they can also think about how to protect their personal information going forward. Clewis stresses the importance of password management. “If you know the password off the top of your head, chances are it’s overused,” he says. Recycling passwords can make it easier for threat actors to leverage those credentials to access multiple accounts.
“We’re at a place in society where one password compromise could literally send someone into financial ruin,” says Clewis.
Consumers can also consider who they allow to have access to their personal data. “It’s important to read the terms and conditions to understand what you’re getting yourself into,” says Clewis. Is a company that has access to your data sharing it with any third parties? Do they keep your data if you delete your account?
For Sirota, a major takeaway from this attack is that all personal information is at risk. “People aren’t just after credit cards and social security numbers. They’re now after membership information and groups, whether that’s ethnicity, political affiliation: all of that has some value,” he says.