23andMe, the popular DNA testing company, has launched an investigation after client information was listed for sale on a cybercrime forum in early October this year.
The sales post was published on the forum with a link to a sample of allegedly "20 million pieces of data" from the genetic testing company, claiming that it was "the most valuable data you'll ever see." The first leak included one million lines of data, but later the threat actor began offering bulk data profiles ranging from $1 to $10 per account in batches of 100, 1,000, 10,000, and 100,000 profiles. The information leaked in the breach includes names, usernames, profile photos, gender, birthdays, geographical location, and genetic ancestry results.
23andMe, a U.S. biotechnology and genomics firm offering genetic testing services to customers who send a saliva sample to its labs and in return get back an ancestry and genetic predispositions report, has confirmed that the data is legitimate and stated that "the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data," meaning that recycled login credentials accessed from other cyber incidents were used to gain access to accounts with the DNA company.
The scope of the breach remains unclear, and it is unknown whether the threat actors have been in contact with 23andMe directly. "23andMe Cyberbreach Exposes DNA Data, Potential Family Ties" darkreading.com (Oct. 06, 2023)
The reporting of this incident suggests that the servers used by 23andMe were not compromised, but the information was accessed through the front door, so to speak. Cyberthieves used stolen passwords taken from other breaches and, because many users continue to use the same passwords for multiple accounts, the cyberthieves simply used the stolen logins to access the DNA data stored on 23andMe's network.
The U.S. Federal Communications Commission (FCC) warns against reusing passwords for different accounts. The FCC suggests the following best practices.
Never use the same password for multiple accounts, especially for the most sensitive ones, such as bank accounts, credit cards, legal or tax records, and files containing medical information. Otherwise, someone with access to one of your accounts may end up with access to many others.
Never use passwords that can be easily guessed, such as common words and birthdays of family members. Instead, use a combination of letters, numbers, and symbols. The longer and stronger the password, the safer your information.
Yet, despite the FCC's common sense and easy-to-do best practice, surveys released in 2023 show that around 65 percent of individuals reuse passwords across multiple accounts and almost 13 percent of people use a single password for every account. Over four million individuals worldwide keep "Password" as their password.
Moreover, around 81 percent of company data breaches are caused by poor passwords. The average employee reuses a single password as many as thirteen times. Forty-nine percent of employees change or add a character to their password when updating their company password.
The 23andMe incident illustrates the importance of never using the same password for more than a single account. An organization seeking to strengthen its defenses could significantly reduce its risk of becoming the victim of a successful cyberattack by requiring long, strong, and hard-to-guess passwords to access its network and requiring those passwords to be changed regularly.