The 23andMe Data Breach Keeps Spiraling

[onomatopoeia]

The 23andMe Data Breach Keeps Spiraling

23andMe has provided more information about the scope and scale of its recent breach, but with these details come more unanswered questions.

www.wired.com

I copy/ pasted the text of the article below because the site has a paywall.

The 23andMe Data Breach Keeps Spiraling

23andMe has provided more information about the scope and scale of its recent breach, but with these details come more unanswered questions.

More details are emerging about a data breach the genetic testing company 23andMe first reported in October. But as the company shares more information, the situation is becoming even murkier and creating greater uncertainty for users attempting to understand the fallout.

23andMe said at the beginning of October that attackers had infiltrated some of its users' accounts and piggybacked off of this access to scrape personal data from a larger subset of users through the company's opt-in, social sharing service known as DNA Relatives. At the time, the company didn't indicate how many users had been impacted, but hackers had already begun selling data on criminal forums that seemed to be taken from at least a million 23andMe users, if not more. In a US Securities and Exchange Commission filing on Friday, the company said that “the threat actor was able to access a very small percentage (0.1 %) of user accounts,” or roughly 14,000 given the company's recent estimate that it has more than 14 million customers.

Fourteen thousand is a lot of people in itself, but the number didn't account for the users impacted by the attacker's data-scraping from DNA Relatives. The SEC filing simply noted that the incident also involved “a significant number of files containing profile information about other users’ ancestry.”

On Monday, 23andMe confirmed to TechCrunch that the attackers collected the personal data of about 5.5 million people who had opted in to DNA Relatives, as well as information from an additional 1.4 million DNA Relatives users who “had their Family Tree profile information accessed." 23andMe subsequently shared this expanded information with WIRED as well.

From the group of 5.5 million people, hackers stole display names, most recent login, relationship labels, predicted relationships, and percentage of DNA shared with DNA Relatives matches. In some cases, this group also had other data compromised, including ancestry reports and details about where on their chromosomes they and their relatives had matching DNA, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, links to self-created family trees, and other profile information. The smaller (but still massive) subset of 1.4 million impacted DNA Relatives users all had data compromised from the aforementioned specific profile known as “Family Tree.” The stolen data included display names and relationship labels and, in some cases, birth years and self-reported location data.

Asked why this expanded information wasn't in the SEC filing, 23andMe spokesperson Katie Watson tells WIRED that “we are only elaborating on the information included in the SEC filing by providing more specific numbers.”

23andMe has maintained that attackers used a technique known as credential stuffing to compromise the 14,000 user accounts—finding instances where leaked login credentials from other services were reused on 23andMe. In the wake of the incident, the company forced all of its users to reset their passwords and began requiring
two-factor authentication for all customers. In the weeks after 23andMe initially disclosed its breach, other similar services. including Ancestry and MyHeritage, also began promoting or requiring two-factor authentication on their accounts.

In October and again this week, though, WIRED pressed 23andMe on its finding that the user account compromises were attributable solely to credential-stuffing attacks. The company has repeatedly declined to comment, but multiple users have noted that they are certain their 23andMe account usernames and passwords were unique and could not have been exposed somewhere else in another leak.

In at least one example, though, 23andMe eventually provided an explanation to the user. On Tuesday, US National Security Agency cybersecurity director Rob Joyce noted
on his personal X (formerly Twitter) account: “They disclose the credential stuffing attacks, but they don’t say how the accounts were targeted for stuffing. This was unique and not an account that could be scraped from the web or other sites.” Joyce wrote that he creates a unique email address for each company he uses to make an account. “That account is used NOWHERE else and it was unsuccessfully stuffed,” he wrote, adding: “Personal opinion: @23andMe hack was STILL worse than they are owning
with the new announcement.”

Hours after Joyce publicly raised these concerns (and WIRED asked 23andMe about his case), Joyce said that the company had contacted him to determine what had happened with his account. Joyce did use a unique email address for his 23andMe account, but the company partnered with MyHeritage in 2014 and 2015 to enhance the DNA Relatives “Family Tree” functionality, which Joyce says he subsequently used. Then, separately, MyHeritage suffered a data breach in 2018 in which Joyce's unique 23andMe email address was apparently exposed. He adds that because of using strong, unique passwords on both his MyHeritage and 23andMe accounts, neither was ever successfully compromised by attackers.

The anecdote underscores the stakes of user data sharing between companies and software features that promote social sharing when the information involved is deeply personal and relates directly to identity. It may be that the larger numbers of impacted users were not in the SEC report because 23andMe (like many companies that have
suffered security breaches) does not want to include /scraped/ data in the category of /breached/ data. These delineations, though, ultimately make it difficult for users to grasp the scale and impact of security incidents.

“I firmly believe that cyber-insecurity is fundamentally a policy problem,” says Brett Callow, a threat analyst at the security firm Emsisoft. “We need standardized and uniform disclosure and reporting laws, prescribed language for those disclosures and reports, regulation and licensing of negotiators. Far too much happens in the shadows or is
obfuscated by weasel words. It's counterproductive and helps only the cybercriminals.”

Meanwhile, apparent 23andMe user Kendra Fee flagged on Tuesday that 23andMe is notifying customers about changes to its terms of service related todispute resolutions and arbitration. The company says that the changes will “encourage a prompt resolution of any disputes” and “streamline arbitration proceedings where multiple similar claims are filed.” Users can opt out of the new terms by notifying the company that they decline within 30 days of receiving notice of the change.

 

[Indiana]

I warned friends about this type of thing but most think I’m too careful.

 

[escortsxxx]

This is horrible cubed

 

[SchlongConery]

I warned friends about this type of thing but most think I’m too careful.

What did you warn them about? 23&me or credential stuffing?

(FWIW, this security breach doesn't seem to be 23&me's fault per se. )

Credential stuffing hackers grabbed a bunch of loyalty points from me a few years ago. The sophisticated coverup was brilliant and I get reminded of it every day.


Here is what happened to me and how the scammers work and how it haunts me to this day.

1. I used the same password for most of my random online accounts that were not, to my mind, security critical in terms of losing money.

So my banking and paypal etc had different passwords.

My loyalty programs like Air Miles, Petrocan, my Pizza Pizza, car rentals accounts, TERB etc all used the same password.

It was a good password, long and multiple characters etc, unto itself which lulled me into a false sense of security. (I don't have my credit card stored on any site except Amazon. Ironically, it was to prevent the predatory vendors like fuckin' Bell who will make unauthourzed charges or increase your fees without realizing it)


2. Hilton HHonors got attacked and my, as well as millions of other Hilton clients, account details were stolen. name, address, email and password etc- but no credit cards.

3. This client list gets sold on the dark web to smaller hackers.

4. These hackers then take each client and use the user name/email and password (the 'credentials') from Hilton clients to try to log in to thousands of websites. In my case, it was Aeroplan, a Hilton 'partner'. Maybe it was the first place they went because my Aeroplan account number was linked to my Hilton account?

5. They cashed out 300,000 Aeroplan points into gift cards.

6. I only noticed this because my main email account got flooded with newsletters and promotions from legit companies that I didn't even know, least of all signed up for. Karens Kandles from Perth Australia?!?! lol. And my Spam/Junk folder suddenly got hundreds of emails too.

7. So I started sifting through them, wondering what the connection was.

8. Then I saw one from Aeroplan in my junk folder. So I opened it to move it into my main Inbox so future Aeroplan emails didn't get relegated to Spam. When I opened it, it said that I had redeemed 50,000 points or something. Well, of course I knew that I didn't so I went to login to Aeroplan and lo and behold, my password had been changed and I couldn't get in. Luckily, they weren't sophisticated enough to change the email address or otherwise prevent me from using the 'Forgot Password' function. When I logged back in, I saw the transactions and immediately called Aeroplan. They immediately restored my points balance so that was good. First fucking time Air Canada did something right the first time I asked! lol

9. The genius in this scam is the flooding my Inbox with spam in the hopes it would bury the Aeroplan notifications so I wouldn't notice the transactions. When I went through the various messages in my email account, I noticed Log In notifications from some of my other online accounts. So they were indeed trying other websites.

10. The hackers/scammers sign you up for marketing emails through various e-commerce client marketing/business development websites that sell companies mailing lists or otherwise manage their email mailing lists. All script based actions so your email gets posted on tons of mailing lists from legit companies.

Ironically, I was using two Password Managers, Apple and LastPass and all those duplicate passwords were stored there. Stupidly, I ignored both the Password Manager's recommended random password suggestions AND warnings that I was re-using a password!

Conveniently, Apple's Keychain took me through each site to change passwords. I recall LastPass offering the same but I used the Apple Keychain.

(Good reminder for me to kill my LastPass account as I no longer use it due to their own data breach last year, and because Apple's Keychain is secure and just works.)


In closing, I ended up:

1. Changing all my passwords to random generated, extra long passwords,

2. De-registered from lots of sites I no longer use or use infrequently so as to reduce my general exposure to any of them getting hacked or even if the business gets sold and my data gets sold along with it.

3. Using Two Factor Authentication (aka 2FA) on every account that supports it. I used to just use my cell number to receive a text but even that is now possible for hackers to spoof somehow. So I went to Google's authenticator app. Now I have moved to using a YubiKey. I only need to use it on devices that have not already been authenticated once on that machine.

4. I clear my Junk folders every day to ensure that I can scan them for any mail from some account I might have that might indicate another hacking attempt. I will sometimes take the time to unsubscribe from certain legit business' that I feel are also victims of this scheme but unsubscribing can also verify your email as legit and increase your spam. Even opening these emails or clicking the link can infect your computer. I also therefore have disabled my email program from automatically opening any files, graphics, attachments etc in an email.

I am not worth hacking in terms of fame nor money so it's not like they targeted me. But it was a real inconvenience and I could have lost a few thousand bucks worth of Aeroplan miles that I save for longer personal trips that I want to fly in Business Class. In other words, everybody should consider themselves a legit target.

5. Finally, I took advantage of Hilton's offer of a free signup for a year of Credit Bureau monitoring/protection and put an alert on my credit bureau account to preclude unauthorized inquiries etc. Lots of companies who get hacked will offer to pay for (third party) credit monitoring for those affected.


My last suggestion is to go to https://haveibeenpwned.com/ and check your own email addresses to see if your data has been compromised, and if so where/how. Then see if any of those breaches resulted in the company offering credit monitoring/protection and/or any other compensation or whatever.

A friend of mine recently almost got scammed in a Sim Swap scheme where the scammer takes over your phone number and then uses that to break into your online accounts using the Text Message 2FA and go from there. INCLUDING your bank account!!!

I know of two other people who got their lives upended by their email account being hacked. Both were very simple, normal people who had no idea where to even start to try to recover from the complications of identity theft etc. So much easier to be careful than to repair being lazy.


It's a jungle out there fellas, put on your 2FA condom and think security!