The recent data breach from the genetic testing service 23andMe offers an ominous warning about the frail cybersecurity measures protecting people’s increasingly sensitive data.
A database posted on a hacker forum last week lists 999,999 alleged Ashkenazi Jewish users of 23andMe, and while the company says there’s no evidence that someone broke into its computer systems, the simpler explanation for the massive theft raises its own questions about how tech companies protect customers’ information — or choose not to.
That simpler explanation? According to 23andMe, the hackers likely found usernames and passwords stolen from other services and checked whether some of those people used the same credentials on the genetic testing site. Given how often people reuse passwords, this technique — what cybersecurity experts call “credential stuffing” — probably led to a lot of successful logins.
From there, the intruders could have used a 23andMe feature called “DNA Relatives” to pull up the records of people whose genetic data bore some faint similarity to those of the hacked users. Depending on how many people’s accounts the hackers were able to breach through credential stuffing, DNA Relatives could have given them information on hundreds of thousands of users.
The stolen data includes people’s first and last names, gender identities, birth years and current locations, as well as numerical strings corresponding to two forms of genetic testing, Y-chromosome DNA and mitochondrial DNA. The Messenger was unable to confirm the accuracy of the database, but the fact that the first three entries are for SpaceX CEO Elon Musk, Facebook CEO Mark Zuckerberg and Google co-founder Sergey Brin suggests that the hackers might have inserted fake celebrity records to attract media attention.
Regardless, the remarkably simple technique that the hackers employed to steal sensitive information highlights the fact that major tech companies continue to ignore urgent recommendations for protecting their users.
One security measure that could have stopped the hackers in their tracks is multi-factor authentication, which requires users to enter a randomly generated code after typing in their password. This code, often sent via text message or accessed in a smartphone app, renders a stolen password useless by itself. With that protection, a 23andMe user would have been effectively impervious to the credential-stuffing technique that the hackers used. The intruders would have had to contact individual users and trick them into handing over their MFA codes immediately (the codes reset very quickly), which would have considerably reduced their success rate.
MFA is the single most widely and urgently recommended cybersecurity measure on the internet. Microsoft and Google both report that the technique blocks virtually all cyberattacks. But the 23andMe hack is the latest reminder that this pressing security advice usually falls on deaf ears, as users ignore advice that could make their online experiences slightly more complicated.
And it’s not just the users of services like 23andMe that are ignoring experts’ recommendations at their peril. Tech companies also regularly choose to keep their services easy to use — “frictionless” in Silicon Valley jargon — rather than making them safer.
In June, the FBI, the NSA and the Cybersecurity and Infrastructure Security Agency, along with international partners, released a set of recommendations for how companies could better protect their users, their data and their services. One of the agencies’ recommendations for being “secure by default” was to require the use of MFA for administrator accounts, which have special powers inside organizations and are top targets for hackers.
But companies have been slow to adopt these governments’ recommendations, despite increasing evidence that they would prevent countless cyberattacks. The companies cite cost and user confusion as reasons for holding off — arguments that security experts say are increasingly untenable in a world where people are handing over more data to third parties like 23andMe.
Given the sensitivity of genetic testing results, 23andMe could have mandated MFA for all of its users and argued that the protection was necessary. It’s unclear why 23andMe chose not to do this — it already offers MFA as an option — but it could be that, like many other tech companies, it wanted to placate users who prioritize convenience over security. A 23andMe spokesperson did not answer multiple inquiries from The Messenger about MFA.
There are still many unanswered questions about the 23andMe data breach. It’s unclear what bad actors could do with the limited information in the publicly available database, although U.S. government agencies have warned that thefts of genetic data carry serious risks, including exploitation by foreign adversaries like China. It’s also unclear whether the leak of the database, which is described as containing information only on Ashkenazi Jews, is related to Palestinian militants’ deadly Oct. 7 surprise attack on Israel, which has swiftly become a major conflict.
One thing that’s clear is that the theft of 23andMe records highlights a gap in the security measures used by companies that store sensitive health information. Government experts have tried to encourage genetic testing firms and other members of the so-called “bioeconomy” to improve their cybersecurity by offering free advice and guidance, and the cybersecurity industry is also trying to help these companies counter rapidly growing threats. The White House is even considering declaring bioeconomy as its own “critical infrastructure” sector like energy or finance, which would elevate federal oversight of the industry.
Absent some new combination of government oversight and voluntary compliance with experts’ recommendations, however, companies like 23andMe will likely remain tempting targets for hackers with nebulous but potentially dangerous agendas.