by Rachel Tobac, Social Proof Security

What happened in this data leak?

Cyber criminals were able to find passwords that were involved in other breaches online and use a method called “credential stuffing” to attempt those previously breached and reused passwords on 23andMe to log in as other users.

Unfortunately, most folks reuse their passwords across many sites and apps and when those passwords are stolen they can be used to gain access to your account anywhere else the password is used online. 
The attackers took the passwords from other breaches, stuffed them into 23andMe and then used an opt-in feature called DNA Relatives to enumerate genetic data of similar groups.

23andMe doesn’t yet appear to be hacked itself, rather the formerly breached passwords reused by the 23andMe users allowed the attacker to gain access to user accounts by logging in as the user and stealing sensitive genetic data.

23andMe update to customers.

What can organizations proactively do to prevent similar intrusions?

Organizations have options to help their users avoid account takeover. First, haveibeenpwned allows for integrations with sites to warn users if their password is reused and findable online in a previous breach. This helps prevent users from reusing their passwords on a website. I highly recommend that companies use the haveibeenpwned integration to prevent password reuse on their own site — because remember, everyday folks don’t understand the difference between a credential stuffing attack that leads to account takeover and data leaks vs the site itself being hacked/breached with malware, etc. It’s in an org’s best interest to prevent password reuse on their site to avoid the negative impacts of data leaks no matter what (because a data leak will impact a brand regardless of the attack method in use).
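As an added illustration (not code from this article, 23andMe, or haveibeenpwned), here is one way a signup or password-change handler could run the breached-password check described above against the Pwned Passwords k-anonymity range endpoint. The function names, the accept-on-outage policy, and the sample counts in `constructed_fetch` are assumptions made for this example.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords k-anonymity endpoint

def fetch_range(prefix):
    """Live lookup: only the first 5 hex chars of the SHA-1 leave the server."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "signup-breach-check-example"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    """Return how many times the password appears in the breach corpus (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # padding entries carry a count of 0
    return 0

def check_new_password(password, fetch=fetch_range):
    """Decision for a signup or password-change form: (accepted, message)."""
    try:
        hits = breach_count(password, fetch)
    except OSError:  # URLError and socket timeouts are OSError subclasses
        # Assumption of this example: accept on outage and re-check later.
        return True, "breach check unavailable"
    if hits:
        return False, f"Password found in {hits} breach records; choose a different one."
    return True, "ok"

def constructed_fetch(prefix):
    """Offline stand-in for the API, built from constructed (not real) counts."""
    leaked = {"password": 3, "hunter2": 17}
    lines = ["0" * 35 + ":0"]  # one padding row
    for pw, n in leaked.items():
        d = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if d[:5] == prefix:
            lines.append(f"{d[5:]}:{n}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in ("password", "hunter2", "vN4#long-unique-example-passphrase"):
        print(pw, check_new_password(pw, constructed_fetch))
```

Running the same check at login, not only at signup, lets a site prompt existing users whose current password has since turned up in a breach.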

Second, using a website without MFA on should feel like driving a car without your seatbelt on — obvious and with a clear next action. If your users don’t have MFA on, make it extremely clear and easy to turn MFA on. I thank Jen Easterly and Bob Lord for the seatbelt analogy.

What can individuals do to limit their risk of account takeover on sites?

  1. Avoid password reuse. Use long, random, & unique passwords on each site, generated and stored by/in a password manager. Or use passkeys anywhere they’re offered to avoid passwords altogether.
  2. Use the right MFA (Multi-Factor Authentication) for your threat model & digital literacy on every site & tool you use. For many people, that’s at least app-based MFA. Even SMS 2FA is better than nothing for many credential stuffing focused attacks. FIDO solutions are a great match for many people — I personally enjoy using Yubico YubiKeys.
  3. Sign up for haveibeenpwned to get alerts when your usernames, email addresses, or passwords turn up in a breach, then change those passwords immediately and ensure MFA is on those accounts.