23andMe: Data Breach Was a Credential-Stuffing Attack

The DNA testing company believes that the attack has now been contained and is notifying impacted individuals.


DNA testing company 23andMe has released further details about an October data breach in which a threat actor accessed and downloaded user profile information.

On Oct. 1, a threat actor posted on the Dark Web claiming to possess profile information of 23andMe users; later, the perpetrators released 4 million more records that they alleged were stolen from the company. This led the company to launch an investigation alongside third-party experts. Following the investigation, 23andMe now reports that the information accessed without authorization belongs to a small percentage of user accounts (0.1%), though the total still comes to 7 million people affected.

It also confirmed that the incident was a credential-stuffing attack, in which the usernames and passwords used on the 23andMe website were the same credentials used on other websites, from which they had been stolen.

The compromised information varies from user to user but includes ancestry and health information. The threat actor also accessed user files related to 23andMe's DNA Relatives feature and proceeded to post this information online. 

23andMe now believes that the threat actor's activity has been contained and is notifying impacted individuals. It is also requiring password changes from its users and has implemented a two-step authentication login process for its website.

Multiple class action claims have been filed against the company, and it expects to spend between $1 million and $2 million on expenses related to the breach in its third fiscal quarter.

"The recent breach at 23andMe is a sobering reminder of the sensitivity of genetic data and the need for robust cybersecurity measures. The data accessed is not just a collection of email addresses or passwords but intimate details of an individual's genetic makeup — information that could have serious implications for privacy and could potentially be misused," Javvad Malik, lead security awareness advocate at KnowBe4, wrote in an emailed statement. "Credential stuffing is a known threat and relies on the reuse of passwords across multiple services, highlighting the importance of unique passwords and the use of multifactor authentication to protect accounts — but this incident also shows that the responsibility doesn't end with the end-user. Companies holding such sensitive data must constantly evaluate their security posture and educate users about the best security practices."
