Let's discuss the 23andMe data leak -- what happened & what can we do about it?
*What happened in this data leak?*
Cyber criminals were able to find passwords that were involved in other breaches online and use a method called “credential stuffing” to attempt those previously breached and reused passwords on 23andMe to login as other users.
Unfortunately, most folks reuse their passwords across many sites and apps and when those passwords are stolen they can be used to gain access to your account anywhere else the password is used online.
The attackers took the passwords from other breaches, stuffed them into 23andMe and then used an opt-in feature called DNA Relatives to enumerate genetic data of similar groups.
23andMe doesn’t yet appear to be hacked itself, rather the formerly breached passwords reused by the 23andMe users allowed the attacker to gain access to user accounts by logging in as the user and stealing sensitive genetic data.
*What can organizations proactively do to prevent similar intrusions?*
Companies have options to help their users avoid account takeover.
First, haveibeenpwned.com allows for integrations with sites to warn users if their password is reused and findable online in a previous breach. This helps prevent users from reusing their passwords on a website. I highly recommend that companies use the haveibeenpwned integration to prevent password reuse on their own site — because remember, everyday folks don’t understand the difference between a credential stuffing attack that leads to account takeover and data leaks vs the site itself being hacked/breached with malware, etc. It’s in an org’s best interest to prevent password reuse on their site to avoid the negative impacts of data leaks no matter what (because a data leak will impact a brand regardless of the attack method in use).
Second, using a website without MFA on should feel like driving a car without your seatbelt on — obvious and with a clear next action. If your users don’t have MFA on, make it extremely clear and easy to turn MFA on. I thank Jen Easterly & Bob Lord for the seatbelt analogy.
*What can individuals do to limit their risk of account takeover on sites?*
1. Avoid password reuse. Use long, random, & unique passwords on each site, generated and stored by/in a password manager. Or use passkeys anywhere they’re offered to avoid passwords altogether.
2. Use the right MFA for your threat model/digital literacy on every site & tool you use. For many people, that’s at least app-based MFA. Even SMS 2FA is better than nothing for many credential stuffing focused attacks. FIDO solutions are a great match for many people — I personally enjoy using Yubico YubiKeys.
3. Sign up for haveibeenpwned.com to get alerts when your usernames, email addresses, or passwords turn up in a breach, then change those passwords immediately and ensure MFA is on those accounts.
Thanks npub1f6gf5hr5juvpu2067m7u2pfly4yrtz5z6hnsx838nza53wctkjqs08mr6z (npub1f6g…mr6z) npub1lt9k43thw2z4xamkhwl2x7d6388ver4jkfcxukgyxy4ljdz6w0tqa5f6eq (npub1lt9…f6eq) for discussing this with me today: https://techcrunch.com/2023/10/10/23andme-resets-user-passwords-after-genetic-data-posted-online/
racheltobac :verified: :donor: /
npub1c3…62pzz
2023-10-10 18:49:32
Author Public Key
npub1c3lsjtrc5sqsnq3wqmd8u623xfu55qmndcp68mrj8u39gpwjwulq662pzzSeen on
wss://relay.nostr.bandPublished at
2023-10-10 18:49:32Event JSON
{
"id": "9772a75c7a0d6ba7b78979acb0465378a8d4ea5f24ada245f77c54aa44edb20b",
"pubkey": "c47f092c78a40109822e06da7e695132794a03736e03a3ec723f225405d2773e",
"created_at": 1696963772,
"kind": 1,
"tags": [
[
"p",
"4e909a5c7497181e29faf6fdc5053f2548358a82d5e7031e2798bb48bb0bb481",
"wss://relay.mostr.pub"
],
[
"p",
"facb6ac5777285537776bbbea379ba89cecc8eb2b2706e5904312bf9345a73d6",
"wss://relay.mostr.pub"
],
[
"p",
"1c9767b4600360cd60c84284e189f5e5d1339eaaf69ee13fc17378d49c992191",
"wss://relay.mostr.pub"
],
[
"p",
"e7b4418a1e247c5e0d612bc23443b27f6ae9947cf2598eb06d3bd5ae7ded9283",
"wss://relay.mostr.pub"
],
[
"proxy",
"https://infosec.exchange/users/racheltobac/statuses/111212217807079676",
"activitypub"
]
],
"content": "Let's discuss the 23andMe data leak -- what happened \u0026 what can we do about it? \n\n*What happened in this data leak?*\nCyber criminals were able to find passwords that were involved in other breaches online and use a method called “credential stuffing” to attempt those previously breached and reused passwords on 23andMe to login as other users. \nUnfortunately, most folks reuse their passwords across many sites and apps and when those passwords are stolen they can be used to gain access to your account anywhere else the password is used online. \nThe attackers took the passwords from other breaches, stuffed them into 23andMe and then used an opt-in feature called DNA Relatives to enumerate genetic data of similar groups.\n23andMe doesn’t yet appear to be hacked itself, rather the formerly breached passwords reused by the 23andMe users allowed the attacker to gain access to user accounts by logging in as the user and stealing sensitive genetic data.\n\n*What can organizations proactively do to prevent similar intrusions?*\nCompanies have options to help their users avoid account takeover. \nFirst, haveibeenpwned.com allows for integrations with sites to warn users if their password is reused and findable online in a previous breach. This helps prevent users from reusing their passwords on a website. I highly recommend that companies use the haveibeenpwned integration to prevent password reuse on their own site — because remember, everyday folks don’t understand the difference between a credential stuffing attack that leads to account takeover and data leaks vs the site itself being hacked/breached with malware, etc. It’s in an org’s best interest to prevent password reuse on their site to avoid the negative impacts of data leaks no matter what (because a data leak will impact a brand regardless of the attack method in use). \n\nSecond, using a website without MFA on should feel like driving a car without your seatbelt on — obvious and with a clear next action. If your users don’t have MFA on, make it extremely clear and easy to turn MFA on. I thank Jen Easterly \u0026 Bob Lord for the seatbelt analogy.\n\n*What can individuals do to limit their risk of account takeover on sites?*\n1. Avoid password reuse. Use long, random, \u0026 unique passwords on each site, generated and stored by/in a password manager. Or use passkeys anywhere they’re offered to avoid passwords altogether.\n2. Use the right MFA for your threat model/digital literacy on every site \u0026 tool you use. For many people, that’s at least app-based MFA. Even SMS 2FA is better than nothing for many credential stuffing focused attacks. FIDO solutions are a great match for many people — I personally enjoy using Yubico YubiKeys.\n3. Sign up for haveibeenpwned.com to get alerts when your usernames, email addresses, or passwords turn up in a breach, then change those passwords immediately and ensure MFA is on those accounts.\n\nThanks nostr:npub1f6gf5hr5juvpu2067m7u2pfly4yrtz5z6hnsx838nza53wctkjqs08mr6z nostr:npub1lt9k43thw2z4xamkhwl2x7d6388ver4jkfcxukgyxy4ljdz6w0tqa5f6eq for discussing this with me today: https://techcrunch.com/2023/10/10/23andme-resets-user-passwords-after-genetic-data-posted-online/",
"sig": "32bd002e7dcb595bc75ef843bffeafe4306477fbbe8db2ab6d2937c593bf26ebdedaa016d2cd479e4e0148c115b86300337da62819bfd55a03621bd5c63eb835"
}