Table of Contents
The 23andMe data breach: millions of users' data stolen, years of residual reputational damages, and an almost 30% plummet in net profit margins are leading many to wonder, "Why did this breach happen, and what can other organizations learn from it?"
Let's dive right in:
An Overview of the 2023 23andMe Data Breach
This past Friday, 23andMe confirmed in a press release that threat actors had obtained a portion of user data, but did not outright call the incident a data breach. Representatives of the organization stated that the hackers in question had successfully accessed “certain accounts” of 23andMe users who used passwords that were not unique to the service. In this common technique, threat actors attempt to break into victims' accounts using passwords already made public in previous data breaches.
This announcement from 23andMe came two days after the hackers involved advertised an alleged sample of 23andMe user data on the hacking forum BreachForums; in this advertisement, they offered to sell individual profiles for anywhere between $1 - $10 USD. The sample, which has been viewed by cybersecurity news outlets such as TechCrunch, contained the alleged user data of over 1 million users of Jewish Ashkenazi descent.
This data was gathered from users who had opted into 23andMe's DNA Relatives feature, which, when signed into, permits users who select to switch on the feature to share their data with others automatically. While this does serve the in-website purpose of better connecting with those who may share common ancestry, in a hacker's hands this allows them to get into more than one victim’s data simply by breaking into the account of one person who opted into the DNA Relatives feature.
Most recently, 23andMe published an update on its website to state that they forced all users to change their passwords. They added that they are, “Encouraging the use of multi-factor authentication.”
What Type of Information Was Stolen in the 23andMe Data Breach?
The information illegally gathered from the 23andMe data breach incident includes, but is not limited to, genetic ancestry results, geographical location, full names, usernames, profile photos, sex, and date of birth.
With cybercriminals now trading DNA data, this is added to the list of other common breach targets:
Healthcare Data: By gaining access to health records, insurance info, or even prescription-related information, threat actors can conduct acts like faking insurance claims or selling personal information on the dark net for profit
Personal Information: Information like one's name, address, phone number, email, birthdate, or Social Security number all fall under the umbrella of personal information. This is one of the most common routes hackers take when looking to impersonate targets or leverage victims via ransomware
Financial Data: Via credit card numbers or bank account details (especially when paired with personal information), it's not uncommon for victims to become the targets of fraud
Corporate Information: Customer lists, employee records, and financial reports are all common breach targets when threat actors are looking to subject an organization to reputational damages
There are an estimated 800,000 cyberattacks per year in 2023–with that number predicted to continue to rise annually. Alongside the fact that healthcare and healthcare-adjacent organizations are the most likely to be targeted, it begs the question...
What Can We Learn From the 23andMe Data Breach?
Whether you are a user of 23andMe or are simply looking to protect your information online, our team of ethical hackers strongly advises you to take the following steps:
Read All Privacy Policies: It's recommended to read (not skim!) all privacy policies before agreeing. Organizations may share your data with third parties, such as researchers, law enforcement, or advertisers without your overt consent
Opt Out of Risky Optional Features: Auto-sharing features that may inadvertently expose your personal, healthcare, or financial data to other users or third parties should be opted out of to avoid a repeat of the 23andMe data breach
Enable Two-Factor Authentication (2FA): Two-factor authentication adds an extra layer of security by requiring a second form of verification (such as a text, phone, or email verification) in addition to your password being entered.
Create Strong Passwords: It's not enough to change your password regularly; utilizing strong, complex passwords that feature uppercase letters, lowercase numbers, special characters, and numbers is an effective way of minimizing your likelihood of being hacked
No organization is too large (or too small) to be impacted by a data breach. With millions of users' data now in the hands of threat actors, the 23andMe data breach serves as an important reminder that, when it comes to cybersecurity, proactive prevention is the effective way forward.
Contact our team today to learn why our 95% manual penetration testing methodology can save your organization from, as one of our most recent clients called it, a "company-killing asteroid."
Download our Free Buyer's Guide
Whether you are looking to complete Penetration Testing to manage risk, protect your data, comply with regulatory compliance standards or as a requirement for cyber insurance, selecting the right company is crucial. Download our buyer’s guide to learn everything you need to know to successfully plan, scope and execute your penetration testing projects.