23andMe Breach Case Study

This post was originally a case study I wrote for a Computer Systems Security course analyzing the 23andMe data breach. The study examines the incident timeline, technical details, and lessons learned from this significant cybersecurity event.

Introduction

23andMe is one of many companies that derive information from their customers' DNA. According to its website, this includes ancestry information and the DNA Relatives finder service [1]. From a saliva sample [2], 23andMe can match you with potential relatives and build a potential family tree [1].

Hackers gained access to the accounts of about 14,000 customers [3]. Through the DNA Relatives and family tree features, those accounts also exposed a subset of profile information belonging to a much larger, separate group of customers, approximately 6.9 million according to the company's report [3].

The technical systems companies operate rarely change, and their reliability and security are key concerns for those companies. One of the best ways to prepare for future incidents is to evaluate and understand past cases. Because these systems run with little visible friction day to day, a careful evaluation of past cases can be more effective than relying on instinct during an ongoing incident. This study aims to build such insight in the reader.

Incident Timeline

Technical Details

23andMe states in its report [3] that the hackers brute-forced usernames and passwords that had previously been acquired in breaches of unrelated services. This gave them access to roughly 14,000 customer accounts whose owners had kept using the same usernames and passwords after those earlier breaches [3]. In a now-deleted BreachForums post responding to 23andMe's statement on the incident, the hackers mentioned an earlier breach of MyHeritage, a company with a similar business [8]. From this it can be speculated that the hackers drew on that breach for their attempts.

Brute-forcing, as used here, means testing candidate username and password pairs against the system until one matches; when the candidates come from other sites' breaches, the technique is commonly called credential stuffing. The method was very simple and required little skill: the hackers assembled a dataset of usernames and passwords from past breaches such as MyHeritage and many others, then tried all of them against the 23andMe website.
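As an added illustration of the defender's side (example code written for this post, not from 23andMe or the original case study), the script below runs a simple credential-stuffing detector over constructed login-log lines. The log format, field names and thresholds are assumptions; the distinguishing signal it looks for is one source trying many distinct accounts with a low hit rate, rather than many failures on a single account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real 23andMe data): one source IP tries a
# leaked password against many accounts and gets one hit; another IP is a
# legitimate user retrying their own password.
SAMPLE_LOG = """\
2023-08-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2023-08-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2023-08-01T10:00:02Z ip=203.0.113.7 user=carol@example.com result=SUCCESS
2023-08-01T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2023-08-01T10:00:04Z ip=203.0.113.7 user=erin@example.com result=FAIL
2023-08-01T10:05:00Z ip=198.51.100.4 user=grace@example.com result=FAIL
2023-08-01T10:05:09Z ip=198.51.100.4 user=grace@example.com result=SUCCESS
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_success_rate=0.5):
    """Flag IPs that try many *distinct* usernames inside `window`: many accounts
    each tried once with a low hit rate is the credential-stuffing signature,
    unlike repeated failures on a single account (a forgotten password)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window start
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            hits = sum(e["result"] == "SUCCESS" for e in chunk)
            if len(users) >= min_users and hits / len(chunk) <= max_success_rate:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(chunk), "successes": hits}
    return flagged
```

The single SUCCESS inside a flagged window is the account whose reused password worked, which is exactly the population that needs a forced reset and a second factor.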

Impact Assessment

Critical parts of the account information accessible via the DNA Relatives feature include your name, your location (optional), ancestor birth locations and family names (optional), and your birth year (optional), as listed in the DNA Relatives Privacy Settings [9]. This is the information exposed for the previously mentioned 6.9 million customers. The other 14,000 had their accounts accessed directly.

From a business perspective, such a public attack, together with 23andMe's slow response [3], which largely attributed the attack to customers who had not updated their passwords, potentially harmed public trust in the company.

Incident Response

The details of the initial contact between the company and the hackers are mostly unknown, but the best approach would have been to inform the public as soon as this contact occurred. Waiting until the media picked up on the breach before issuing a statement, as 23andMe did, is ineffective at best.

In particular, the decision to make two-factor authentication mandatory should have been made much earlier, given how sensitive the customer information at stake is.

Lessons Learned

It is obvious that the ease with which the DNA Relatives feature exposed customer information to other account holders was the main reason this attack had such reach. When implementing such risky features, customers should be better informed about who is being given access to their information and exactly which information is shared.

It is also clear that a business handling information this sensitive should have made two-factor authentication mandatory from the beginning.

Finally, the slow response can also be very harmful to the company. 23andMe should have a more thoroughly planned response that is issued as soon as the threat has been identified.

References

  1. 23andMe. Ancestry Service Breakdown [Online]. Available: https://www.23andme.com/en-gb/dna-ancestry/
  2. 23andMe. How It Works [Online]. Available: https://www.23andme.com/en-gb/howitworks/
  3. 23andMe. (2023, Oct. 6). Addressing Data Security Concerns [Online]. Available: https://blog.23andme.com/articles/addressing-data-security-concerns
  4. Z. Whittaker and L. Franceschi-Bicchierai. (2023, Oct. 11). Hackers advertised 23andMe stolen data two months ago [Online]. Available: https://techcrunch.com/2023/10/10/hackers-advertised-23andme-stolen-data-two-months-ago/
  5. L. Newman. (2023, Oct. 6). 23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews [Online]. Available: https://www.wired.com/story/23andme-credential-stuffing-data-stolen/
  6. M. Kan. (2023, Oct. 5). 23andMe Warns of Hacker Breaking Into User Accounts [Online]. Available: https://www.pcmag.com/news/23andme-warns-of-hacker-breaking-into-user-accounts
  7. A. Vicens. (2023, Oct. 5). DNA testing service 23andMe investigating theft of user data [Online]. Available: https://cyberscoop.com/23andme-user-data-theft/
  8. E. Naprys. (2023, Nov. 15). Millions more 23andMe users exposed online [Online]. Available: https://cybernews.com/news/millions-more-23andme-users-exposed-online/
  9. 23andMe. DNA Relatives Privacy & Display Settings [Online]. Available: https://customercare.23andme.com/hc/en-us/articles/212170838