23andMe Investigating Apparent Credential Stuffing HackHackers Claim to Have 20 Million Pieces of Code; Ancestry Data Leaked on Dark Web
Genetics testing firm 23andMe is investigating a data leak of ancestry DNA information for certain customers whose usernames and passwords were previously hacked on other websites.
The affected data includes information scraped off the profiles of 23andMe users who opted in to using the company's DNA Relatives feature, which connects 23andMe users with genetic distant relatives - or other 23andMe users who share bits of DNA.
Threat actors claimed last week on the dark web to have stolen "20 million pieces of code" from 23andMe. According to media reports, the leaked data that was put up for sale pertains to 23andMe users with certain DNA ancestry backgrounds, including 1 million lines of code about people with Ashkenazi Jewish DNA ancestry, according to Bleeping Computer.
The San Francisco-based testing firm confirmed in a statement Friday that it "recently" learned that certain profile information about individuals who had opted into the company’s DNA Relatives feature was "compiled" by threat actors from the users' 23andMe accounts without their authorization.
"After learning of suspicious activity, we immediately began an investigation," 23andMe said. "We believe threat actors were able to access certain accounts in instances where users recycled login credentials - that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked," the company said.
"We do not have any indication at this time that there has been a data security incident within our systems - or that 23andMe was the source of the account credentials used in these attacks," the company said.
23andMe added that it "actively and routinely" monitors and audits its systems to ensure that consumer data is protected. "When we receive information through those processes or from other sources claiming customer data has been accessed by unauthorized individuals, we immediately investigate to validate whether this information is accurate."
A 23andMe spokesperson declined Information Security Media Group's request for additional details about the incident. "This is an active investigation, and we are in communication with law enforcement regarding this matter," the spokesperson said.
The company in its public statement said that since 2019 it has offered and encouraged its customers to use multifactor authentication, "which provides an extra layer of security and can prevent bad actors from accessing an account through recycled passwords."
The genetic testing firm in its notice about the security incident is advising users to make their passwords stronger and to enable multifactor authentication.
Breach Reporting Considerations
23andMe, which offers genetic testing for health condition predispositions, traits and ancestry tracing through saliva samples provided directly by its consumers, is not considered a HIPAA-covered entity or business associate.
So, while the 23andMe security incident involving the DNA information would not be considered a HIPAA breach, other regulatory requirements would likely apply, some experts said.
"The state attorneys general enforce the applicable state requirements, each for the particular residents of their specific state, and the Federal Trade Commission enforces with regard to deceptive trade practices, which arguably includes not complying with stated entity practices to which individuals agree regarding data privacy and security," she said.
Still, various organizations take different positions regarding whether credential stuffing attacks are reportable breaches, said privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"Some view that there is no reportable breach of security since valid credentials were used to access the system. Others interpret that an unauthorized access to personal information is a reportable breach, even if the fault is primarily with the consumer for reusing compromised credentials," he said.
As for how entities can prevent falling victim to credential stuffing and similar compromises, "multifactor authentication is an industry best practice for many reasons but is also not required by law for many reasons," Peters said. "So, ultimately, the use of MFA - or not - is a risk-based approach that all entities should document at the very least."
Greene said that organizations should also consider other steps to avoid credential stuffing and similar attacks. They includes using CAPTCHA at login, watching for patterns of large numbers of failed logins from the same IP address and blocking that IP address, or checking password hashes against sites that track and report on compromised passwords.