API security breaches
23andMe Data Breach: Brute Force Attack Details and Prevention
In early October 2023, the genomics and biotechnology company 23andMe faced a substantial data breach. Read on to see the attack details and prevention.
Medusa
Nov 8, 2023
5 mins
Introduction
In early October 2023, 23andMe, a leading company that provides personal genetic testing services, faced a substantial data breach. It confirmed that user data from their platform was found on hacker forums. The company confirmed a credential-stuffing attack as the cause of this data breach, marking a significant concern for both the company and its users.
What happened?
A cybercriminal, known as Golem, claimed to have leaked data records of approximately four million 23andMe users on a notorious cybercrime forum, BreachForums. This data purportedly included sensitive information such as genetic data and personal identifiers. The breach was a result of a credential stuffing attack, where previously leaked login credentials were used to gain unauthorized access.
Scope and Impact
The scope of this data breach was initially limited, with the attacker leaking 1 million lines of data on users of Ashkenazi descent. However, the scope expanded when the attacker offered large sets of data profiles for sale, priced between $1 and $10 per 23andMe account depending on the quantity purchased. The exposed data included sensitive user information such as full names, usernames, profile photos, sex, date of birth, geographical location, and genetic ancestry results.
Upon discovering the breach, a spokesperson from 23andMe confirmed the authenticity of the data found on hacker forums. The company has been open about the nature of the attack: the attackers used credentials exposed in other data breaches to infiltrate 23andMe accounts and pilfer sensitive data.
Figure: Genetic data on sale in hacker forums
What is a credential-stuffing attack?
In a credential-stuffing attack, attackers utilize stolen account credentials, such as usernames and passwords, that have been obtained from other data breaches. These ill-gotten credentials are then used in large-scale automated login attempts against a targeted web application, in this case, the 23andMe platform. The objective of such an attack is to gain unauthorized access to user accounts, often leading to misuse of sensitive personal information.
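As an added illustration (not from the original post, and not 23andMe's tooling), the detection logic below runs over a few constructed authentication log lines in an assumed format and flags the credential-stuffing profile described above: one source address attempting many distinct accounts with mostly failures in a short window. A single user mistyping their own password several times does not match that profile and is left alone. The log format, the thresholds and the sample addresses are all assumptions.

```python
"""Credential-stuffing detector run over constructed auth log lines.

Credential stuffing looks different from password guessing against one
account: a stuffing run tries ONE leaked password per account across MANY
accounts, so the signature is a single source IP with a high number of
distinct usernames and a high failure ratio inside a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real 23andMe logs). The format is assumed:
# "<ISO8601 timestamp> ip=<addr> user=<name> result=<OK|FAIL>"
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=carol result=OK
2023-10-01T12:00:03Z ip=203.0.113.5 user=dave result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.5 user=erin result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.5 user=frank result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.5 user=grace result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.5 user=heidi result=OK
2023-10-01T12:00:05Z ip=203.0.113.5 user=ivan result=FAIL
2023-10-01T12:00:06Z ip=203.0.113.5 user=judy result=FAIL
2023-10-01T12:01:10Z ip=198.51.100.7 user=mallory result=FAIL
2023-10-01T12:01:20Z ip=198.51.100.7 user=mallory result=FAIL
2023-10-01T12:01:35Z ip=198.51.100.7 user=mallory result=OK
2023-10-01T12:05:00Z ip=192.0.2.9 user=oscar result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("ip"), m.group("user"), m.group("result") == "OK"


def detect_credential_stuffing(text, window=timedelta(minutes=1),
                               min_distinct_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for every source IP whose activity inside some
    sliding window hits at least `min_distinct_users` accounts with a failure
    ratio of at least `min_fail_ratio`. For each IP the widest matching window
    (most distinct users) is kept."""
    events = sorted(parse_log(text), key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the bucket fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            bucket = evs[start:end + 1]
            users = {e[2] for e in bucket}
            failures = sum(1 for e in bucket if not e[3])
            if len(users) < min_distinct_users or failures / len(bucket) < min_fail_ratio:
                continue
            if ip not in alerts or len(users) > alerts[ip]["distinct_users"]:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(bucket),
                    "failures": failures,
                    # Successes inside a stuffing burst are the accounts whose
                    # reused password worked: these are the ones to reset first.
                    "compromised": sorted(e[2] for e in bucket if e[3]),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The "compromised" list is the actionable output: accounts that accepted a login during a flagged burst should be treated as exposed (session revocation and forced reset) even though, from the application's point of view, each of those logins was a perfectly valid one.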
The Method of Attack: Brute Forcing and the Absence of Rate Limiting
The breach was facilitated through a method known as brute forcing, which involves systematically trying all possible combinations of usernames and passwords until the correct one is found. This was possible because of the absence of rate limiting, a security measure that restricts the number of login attempts within a certain timeframe. It seems 23andMe did not have proper rate limiting in place on its login API, so the attackers were able to attempt logins continuously without any hindrance, which made the attack feasible.
What is Rate Limiting on an API?
Rate limiting is a security measure that limits the number of login attempts within a specified timeframe. Missing or inadequate rate limiting is listed in the OWASP API Security Top 10. If rate limiting is not properly implemented or is absent, an attacker can attempt to log in continuously without restriction. This makes brute force attacks, in which an attacker systematically tries all possible combinations of usernames and passwords, feasible. This lack of rate limiting was one of the key factors that facilitated the 23andMe data breach.
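The following is an added example of what rate limiting on a login endpoint looks like in code; it is not 23andMe's implementation and it is not taken from the original post. It keeps two independent sliding-window counters, one per source IP and one per target username, because each catches what the other misses: the per-IP limit stops one address from spraying many accounts, and the per-username limit still holds when an attacker rotates addresses. The user store, the limits (20 per minute per IP, 5 per five minutes per account), the hashing scheme and the injected clock are all assumptions chosen for the demonstration.

```python
"""Login rate limiting with per-IP and per-account sliding windows (added example).

`now` is passed in as an integer timestamp so the behaviour is deterministic;
a real service would use its own clock and a shared store (e.g. Redis) so that
every API instance sees the same counters.
"""
import hashlib
import hmac
from collections import defaultdict, deque

# Assumed demo user store: username -> salted SHA-256 hex digest (constructed).
# A production system would use a slow password hash such as Argon2 or bcrypt.
_SALT = b"demo-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice": _digest("correct horse battery staple")}
_DUMMY_DIGEST = "0" * 64  # compared against for unknown usernames to keep timing uniform


class SlidingWindowLimiter:
    """Allows at most `limit` recorded events per `window_seconds` for each key."""

    def __init__(self, limit: int, window_seconds: int):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, key, now) -> bool:
        """True if `key` is under its limit at `now` (does not record anything)."""
        return len(self._prune(key, now)) < self.limit

    def record(self, key, now) -> None:
        self._prune(key, now).append(now)

    def retry_after(self, key, now) -> int:
        """Seconds until the oldest event leaves the window; 0 if not limited."""
        q = self._prune(key, now)
        return 0 if len(q) < self.limit else int(self.window - (now - q[0])) + 1


class LoginService:
    def __init__(self):
        self.ip_limiter = SlidingWindowLimiter(limit=20, window_seconds=60)
        self.user_limiter = SlidingWindowLimiter(limit=5, window_seconds=300)

    def login(self, ip: str, username: str, password: str, now: int):
        """Return (http_status, body); 429 when either limiter is exhausted."""
        if not (self.ip_limiter.allow(ip, now) and self.user_limiter.allow(username, now)):
            retry = max(self.ip_limiter.retry_after(ip, now),
                        self.user_limiter.retry_after(username, now))
            return 429, {"error": "too many attempts", "retry_after": retry}
        # Count the attempt before checking the password so that successes and
        # failures alike consume budget: a correct guess arriving after a burst of
        # failures is exactly the event that should be throttled and visible.
        self.ip_limiter.record(ip, now)
        self.user_limiter.record(username, now)
        expected = USERS.get(username, _DUMMY_DIGEST)
        # compare_digest runs in constant time; the dummy digest keeps the
        # response time similar whether or not the username exists.
        ok = hmac.compare_digest(expected, _digest(password)) and username in USERS
        if not ok:
            return 401, {"error": "invalid credentials"}
        return 200, {"user": username}


if __name__ == "__main__":
    svc = LoginService()
    for t in range(6):
        print(t, svc.login("203.0.113.5", "alice", "wrong-password", t))
```

Blocked requests are deliberately not recorded, so the window empties on its own once the client backs off; a stricter design records them too, which extends the lockout for every retry. Either way the response should carry a Retry-After value and the 429s should be logged, since a flood of them across many accounts is itself the signal that a credential-stuffing run is under way.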
Security Measures Implemented by 23andMe Post-Attack
23andMe has added two-factor authentication as an extra layer of security and strongly urges all users to activate this feature. Two-factor authentication (2FA) is a security measure that requires a user to provide two different types of information to access an account. Typically, this involves something the user knows, like a password, and something the user has, like a mobile device that can receive a verification code. This method significantly enhances the security of an account because even if a hacker obtains the user's password, they would still need the second factor (like the mobile device) to gain access to the account.
Key Measures to Prevent Such Breaches in Organizations
Continuous Security Testing: Continuously test your APIs for vulnerabilities before deploying to production. To find and mitigate weaknesses such as missing rate limiting, use API security platforms such as Akto.
Implement Rate Limiting: As a developer, restrict the number of login attempts within a certain timeframe to prevent brute-force attacks.
Use Two-Factor Authentication: Implement two-factor authentication for an extra layer of security. This ensures that even if a hacker obtains a user's password, they would still need the second factor to access the account.
Encrypt Data: Encrypt sensitive user data both at rest and in transit to protect the data, making it unreadable without the encryption key, even if a breach occurs.
How Can Users Protect Themselves?
Create Strong Passwords: Include a mix of uppercase and lowercase letters, numbers, and symbols in your password. Make it difficult for others to guess, and avoid using obvious information like your name, birthday, or common words.
Avoid Reusing Passwords: Use a unique password for each online account to prevent the compromise of multiple accounts if one gets hacked.
Use a Password Manager: Choose a reputable password manager to help remember multiple strong, unique passwords. It can generate and store secure passwords for all your online accounts.
Change Passwords Regularly: Even if your passwords are strong, change them regularly. Frequent updates make it harder for hackers to gain unauthorized access to your accounts.
Conclusion
This data breach's implications reach beyond the immediate effects on 23andMe and its users. It serves as a stark reminder of the escalating threat of cyber-attacks and the importance of robust security measures for protecting sensitive personal data.