23andMe admits major cyberattack went undetected for months

23andMe admits hackers stole raw genotype data following a brute-force attack that went unnoticed for months.

What happened?

23andMe experienced a cyberattack from April to September 2023, during which hackers targeted customer accounts through brute-force attacks. After breaching 14,000 accounts, the hackers leaked the genetic data of millions of users on the dark web. The company only became aware of the attacks in October, when the stolen data was being promoted on an unofficial subreddit and a popular underground forum. 

23andMe attributed the security lapse to customers who allegedly negligently recycled and failed to update their passwords. Although only 14,000 accounts were hacked, the hackers could access the personal data of 6.9 million customers using the DNA Relatives feature. In response, victims have filed class action lawsuits against 23andMe, despite the company attempting to change its terms of service to prevent such legal action.

See also: Electrostim data breach impacts nearly 1 million

The backstory 

In December 2023, 23andMe, submitted a filing with the U.S. Securities and Exchange Commission (SEC) detailing the data breach in October 2023. The breach affected approximately 0.1% of the company's customer base, roughly 14,000 individuals. The attackers accessed files containing profile information about other users' ancestry, which users could share via the "DNA Relatives" feature. 

At this point, the number of affected files and users was unclear; however, the threat actor had attempted to sell the data pieces on the dark web. 23andMe confirmed the authenticity of the stolen data, attributing the breach to credential stuffing, where hackers use numerous username/password combinations. According to Bleeping Computer and The Record, the leaked dark web information comprised a million lines of data for Ashkenazi people, affecting more than 300,000 users of Chinese descent.

What was said

According to techradarpro, 23andMe says “it didn't realize customers were being hacked.” The company sent a notification letter to California's attorney general stating that accounts belonging to users of the genetic testing firm were being hacked from around April 2023 to September 2023. In another letter sent to the victims, 23andMe blamed the customers, as they "negligently recycled and failed to update their passwords following past security incidents unrelated to 23andMe."

See also: HIPAA Compliant Email: The Definitive Guide

In the know

A brute-force attack is a hacking method in which an attacker systematically attempts all possible combinations of passwords or encryption keys until the correct one is found. The attacker uses automated tools to rapidly and repetitively try different combinations, often starting with the simplest or most commonly used passwords. 

A brute force attack can be resource-intensive and time-consuming, especially if the passwords or keys are long and complex. However, it can be effective if the attacker has enough time, computing power, and persistence.

Go deeper: 

• What is a brute force attack? 
• Cyberattacks on the healthcare sector

Why it matters 

The 23andMe data breach compromises millions of personal and sensitive genetic data worldwide. The severity of the breach is worsened by the prolonged and undetected unauthorized access, the personal nature of the genetic information exposed, and the company's user-blame shifting. The aftermath of the breach will undoubtedly be felt throughout the cybersecurity industry, acting as a major warning to other organizations to secure credential practices, safeguard sensitive genetic data, and monitor the dark web. 

Related: Healthcare and cybersecurity

FAQs

What is a data breach?

A data breach is a security incident where unauthorized individuals gain access to sensitive or confidential information stored by an organization. Data breaches can result in the theft, exposure, or compromise of personal or corporate data.

What are the consequences of a HIPAA breach?

A HIPAA breach can result in severe consequences, including financial penalties, legal action, and reputational damage for healthcare entities.

Go deeper: What are the penalties for HIPAA violations?

What actions must be taken after a HIPAA breach has occurred?

Following a breach, organizations should isolate systems, conduct thorough investigations, and notify affected individuals. 

Go deeper: How to respond to a data breach