Incident Name: 23andMe October 2023 Credential Stuffing Attack
Date of Incident: October 2nd, 2023
23andMe is a biotechnology company based in California. It provides genetic testing to consumers, offering details on their ancestry and genetic health. On October 2, 2023, records claimed to have been taken from 23andMe appeared on a popular breach forum. A sample of the data was posted, and a few days later more 23andMe profile data was offered for sale in bulk. The data includes names, dates of birth, genetic ancestry results, and geographical locations.
On October 6th, 2023, 23andMe publicly acknowledged the breach and released details in a blog post. They stated that they were investigating the breach and asking customers to reset their passwords while encouraging the use of MFA on their accounts. They believe customer accounts were breached by threat actors who used compromised login credentials from other services in a credential stuffing attack. They are advising customers to ensure they use unique passwords for all their accounts to prevent password reuse.
Key Social Engineering/OSINT Themes:
- Recon – Harvesting email addresses and passwords exposed in previous breaches. The threat actor leveraged exposed employee information to conduct a social engineering attack.
- Credential Stuffing – Using breached login credentials, the threat actor was able to access a number of accounts whose owners had reused passwords and had not enabled MFA.
Picnic’s Recommended Remediations:
For detailed remediations, see the HASP Framework.
High Risk Employees
- HASP Framework 1.1 — Identify high-value employee targets
- HASP Framework 1.3 — Conduct social engineering risk assessments for high-value employee targets
- HASP Framework 1.5 — Establish and implement procedures for high-value employee targets
- HASP Framework 1.7 — Increase detection and monitoring for high-value employee targets
Exposed Employee PII
- HASP Framework 2.1 — Identify exposed employee PII
- HASP Framework 2.2 — Reduce exposed employee PII
- HASP Framework 3.1 — Identify exposed work credentials
- HASP Framework 3.2 — Identify exposed personal credentials
- HASP Framework 3.4 — Empower employees to mitigate risk through credential management
- HASP Framework 3.5 — Reset passwords of currently-set exposed credentials
- HASP Framework 3.6 — Block work, personal, and service exposed credentials from reuse
- HASP Framework 3.8 — Monitor for account takeover (including real time alerts on exposed credentials)
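The credential stuffing pattern described above, and the account takeover monitoring called for in HASP 3.5 and 3.8, can be illustrated with a small detector over authentication logs. This is an added example, not code from Picnic or 23andMe; the log format, field names, thresholds and sample lines are constructed assumptions. It flags a source that cycles through many distinct accounts with roughly one attempt each and a low success rate, then lists the accounts that source entered without MFA as candidates for a forced password reset.

```python
from collections import defaultdict

# Constructed sample authentication log (not real 23andMe data):
# timestamp source_ip account result mfa
SAMPLE_LOG = """\
2023-10-01T01:00:01Z 198.51.100.7 alice@example.com FAIL mfa=no
2023-10-01T01:00:02Z 198.51.100.7 bob@example.com FAIL mfa=no
2023-10-01T01:00:03Z 198.51.100.7 carol@example.com SUCCESS mfa=no
2023-10-01T01:00:04Z 198.51.100.7 dave@example.com FAIL mfa=no
2023-10-01T01:00:05Z 198.51.100.7 erin@example.com SUCCESS mfa=yes
2023-10-01T01:00:06Z 198.51.100.7 frank@example.com FAIL mfa=no
2023-10-01T02:00:00Z 203.0.113.5 alice@example.com FAIL mfa=no
2023-10-01T02:00:09Z 203.0.113.5 alice@example.com SUCCESS mfa=yes
"""

def parse_log(text):
    """Yield (ip, account, success, mfa_used) tuples from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, account, result, mfa = line.split()
        yield ip, account, result == "SUCCESS", mfa == "mfa=yes"

def find_stuffing_sources(text, min_accounts=5, max_success_rate=0.5):
    """Return {ip: stats} for sources that look like credential stuffing:
    many distinct accounts, about one attempt per account (a stolen
    email/password list being replayed, not a user mistyping), mostly failing."""
    per_ip = defaultdict(lambda: {"attempts": 0, "accounts": set(), "ok": 0})
    for ip, account, ok, _mfa in parse_log(text):
        s = per_ip[ip]
        s["attempts"] += 1
        s["accounts"].add(account)
        s["ok"] += ok
    flagged = {}
    for ip, s in per_ip.items():
        n = len(s["accounts"])
        spread = s["attempts"] / n          # ~1.0 means one try per account
        if n >= min_accounts and spread <= 2 and s["ok"] / s["attempts"] <= max_success_rate:
            flagged[ip] = {"accounts": n, "successes": s["ok"]}
    return flagged

def accounts_to_reset(text, flagged_ips):
    """Accounts a flagged source logged into without MFA: likely takeovers via
    a reused password, so candidates for a forced reset (HASP 3.5)."""
    return sorted({acct for ip, acct, ok, mfa in parse_log(text)
                   if ip in flagged_ips and ok and not mfa})

if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_LOG)
    print(hits)                                 # flags 198.51.100.7 only
    print(accounts_to_reset(SAMPLE_LOG, hits))  # ['carol@example.com']
```

The second source (203.0.113.5) retries a single account and then succeeds with MFA, the shape of a legitimate user, so it is not flagged.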
Related Industry Hacks: MediBank, Henry Ford Health, MCNA Dental, McLaren Health Care
Breach Notice/Company Notice: