23andMe Data Leak: Brute Force Attack Details and Prevention
In early October 2023, the genomics and biotechnology company 23andMe faced a substantial data breach. Read on to see the attack details and prevention.
Medusa
5 mins
Introduction 23andme Data Leak
In early October 2023, 23andMe, a leading company that provides personal genetic testing services, faced a substantial data breach. It confirmed that user data from their platform was found on hacker forums. The company confirmed a credential-stuffing attack as the cause of this data breach, marking a significant concern for both the company and its users.
What happened during 23andme data leak?
A cybercriminal, known as Golem, claimed to have leaked data records of approximately four million 23andMe users on a notorious cybercrime forum, BreachForums. This data purportedly included sensitive information such as genetic data and personal identifiers. The breach was a result of a credential stuffing attack, where previously leaked login credentials were used to gain unauthorized access.
Scope and Impact of the data leak
The scope of this data breach was initially limited, with the attacker leaking 1 million lines of Ashkenazi people's data. However, the scope expanded when the attacker proposed selling large amounts of data profiles, pricing between $1 and $10 per 23andMe account, depending on the quantity purchased. The data exposed included sensitive user information such as full names, usernames, profile photos, sex, date of birth, geographical locations, and genetic ancestry results.
Upon discovering the breach, a spokesperson from 23andMe confirmed the authenticity of the data found on hacker forums. The company has been open about the nature of the attack, that the attackers utilized credentials exposed in other data breaches to infiltrate 23andMe accounts and pilfer sensitive data.
Genetic data on sales in hacker forums
What is a credential-stuffing attack?
In a credential-stuffing attack, attackers utilize stolen account credentials, such as usernames and passwords, that have been obtained from other data breaches. These ill-gotten credentials are then used in large-scale automated login attempts against a targeted web application, in this case, the 23andMe platform. The objective of such an attack is to gain unauthorized access to user accounts, often leading to misuse of sensitive personal information.
Some similar breaches
Linkedin Users Data Breach
Paypal Data Breach
Norton Lifelock Data Breach
The Method of Attack: Brute Forcing and the Absence of Rate Limiting
The breach was facilitated through a method known as brute forcing, which involves systematically trying all possible combinations of usernames and passwords until the correct one is found. This was possible because of the absence of rate limiting, a security measure that restricts the number of login attempts within a certain timeframe. It seems 23andMe didn’t have proper rate limiting in place on login API because of which the attackers were able to continuously attempt logging in without any hindrance, thereby making the attack feasible.
Monthly product updates in your inbox. No spam.
What is Rate Limiting on an API?
Rate limiting is a security measure that limits the number of login attempts within a specified timeframe. It is part of the OWASP API Top 10 vulnerabilities. If rate limiting is not properly implemented or absent, it can lead to a vulnerability where an attacker can continuously attempt to log in without any restriction. This makes brute force attacks, where an attacker systematically tries all possible combinations of usernames and passwords, feasible. This lack of rate limiting was one of the key factors that facilitated the 23andMe data breach.
Security Measures Implemented by 23andMe post attack
23andMe has added two-factor authentication as an extra layer of security and strongly urges all users to activate this feature. Two-factor authentication (2FA) is a security measure that requires a user to provide two different types of information to access an account. Typically, this involves something the user knows, like a password, and something the user has, like a mobile device that can receive a verification code. This method significantly enhances the security of an account as even if a hacker obtains the user's password, they would still need the second factor (like the mobile device) to gain access to the account.
Key Measures to such Prevent Breaches in Organizations
Continuous Security testing: Continuously test your APIs for vulnerabilities before deploying in production. To find and mitigate vulnerabilities such as rate limiting, use API Security platforms such as Akto.
Implement Rate Limiting: As a developer, restrict the number of login attempts within a certain timeframe to prevent brute-force attacks.
Use Two-Factor Authentication: Implement two-factor authentication for an extra layer of security. This ensures that even if a hacker obtains a user's password, they would still need the second factor to access the account.
Encrypt Data: Encrypt sensitive user data both at rest and in transit to protect the data, making it unreadable without the encryption key, even if a breach occurs.
How Can Users Protect Themselves?
Create Strong Passwords: Include a mix of uppercase and lowercase letters, numbers, and symbols in your password. Make it difficult for others to guess, and avoid using obvious information like your name, birthday, or common words.
Avoid Reusing Passwords: Use a unique password for each online account to prevent the compromise of multiple accounts if one gets hacked.
Use a Password Manager: Choose a reputable password manager to help remember multiple strong, unique passwords. It can generate and store secure passwords for all your online accounts.
Change Passwords Regularly: Even if your passwords are strong, change them regularly. Frequent updates make it harder for hackers to access your accounts unauthorized.
23andme data leak Conclusion
This data breach's implications reach beyond the immediate effects on 23andMe and its users. It serves as a stark reminder of the escalating threat of cyber-attacks and the importance of robust security measures for protecting sensitive personal data.
Keep reading
News
7 mins
March Product News: 98 New Tests, Dynamic wordlists, and more
This edition of Akto’s newsletter is packed with new features and tests that will greatly decrease your API Security testing time and increase targeted testing.
Product updates
5 mins
Detailed Errors on Postman and Swagger File Import
Akto now replays APIs to automatically get data during an import of Postman and Swagger files and transparently displays reasons why each specific API couldn't be replayed in the case of an error.
Product updates
5 mins
Added 98 New API Security Tests across 5 OWASP categories
Akto has introduced new tests across several categories including BOLA, Broken Authentication, Unrestricted Resource Consumption, BFLA, and SSRF that you can explore with Akto’s Test Editor.