23andMe Data Breach Under Joint Investigation in Two Countries
Summary:
The British and Canadian privacy authorities are collaborating on an investigation into a data breach at 23andMe, a genetic testing company, discovered in October 2023. Cybercriminals accessed information from certain accounts, including DNA profiles, affecting about 0.1% of 23andMe's users. The breach occurred through credential stuffing, where stolen username and password combinations were used. Some accessed data contained health-related information based on genetics. 23andMe faced criticism for blaming victims in its response. The joint investigation will assess the breach's scope, the adequacy of 23andMe's safeguards, and its notification procedures under Canadian and UK privacy laws. Users are encouraged to check for their exposed data using a digital footprint portal.
Security Officer Comments:
Between 2013 and 2020, 23andMe experienced multiple security breaches that compromised sensitive customer information. In June 2013, an unauthorized party accessed its database containing approximately 104 million DNA samples and associated customer data, affecting around 4.5 million individuals. The breach was discovered on May 31, 2013. Five years later, in April 2019, another breach occurred, this time compromising the personal information of roughly 50 million customers, including names, email addresses, hashed passwords, and some genetic data. Just a year after that, in June 2020, yet another breach was announced, affecting an estimated 50 million individuals once again, with similar types of compromised data. Additionally:
- Ancestry.com: In 2019, Ancestry.com disclosed that it had been hacked, compromising user data including names, email addresses, and passwords.
- MyHeritage: In October 2020, MyHeritage announced that its database was breached in January 2020, exposing the personal information of approximately 92 million users.
- FamilySearch: In February 2019, FamilySearch disclosed a data breach affecting around 1.5 million users, with compromised data including names, email addresses, and passwords.
Genetic testing companies house sensitive personal data, including names, email addresses, passwords, and DNA profiles, which makes them lucrative targets for cybercriminals. This data holds value on the dark web for identity theft, medical fraud, and genealogy exploitation. Regulatory gaps and lax security practices create an environment ripe for cyberattacks, compounded by the high profiles of these companies and the vast data sets they aggregate, which give a single breach many fronts on which to cause harm.
Suggested Corrections:
The attack is thought to have been carried out through credential stuffing (the technique the summary above describes; the original comment calls it password spraying), where attackers replay username and password combinations leaked in previous breaches to gain unauthorized access to accounts whose owners reused those passwords. 23andMe should enforce Multi-Factor Authentication (MFA). MFA adds an extra layer of security by requiring users to provide additional verification beyond a password, such as a code sent to their phone, so that a correct but leaked password alone is not enough to log in. Additionally, educating users about the risks of password reuse and promoting unique, strong passwords further reduces the chance that a leaked credential from another site works at 23andMe. By combining MFA enforcement with user education, 23andMe can effectively mitigate the threat of credential stuffing attacks and safeguard user data.
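The credential-stuffing pattern described above (one source replaying leaked username/password pairs against many accounts, mostly failing, with occasional successes where a password was reused) is something a defender can detect in authentication logs. The following is an added example written for this page, not code from the original post or from 23andMe: it parses constructed sample log lines in an assumed format, flags sources whose login pattern matches credential stuffing, and lists the accounts that were successfully logged into from a flagged source, which are the accounts to reset and enrol in MFA. The log format, the IP addresses, the usernames and the thresholds are all constructed for the example.

```python
"""
Added example: credential-stuffing detection over authentication logs.

Assumed log line format (constructed, not 23andMe's real format):
    <ISO timestamp> src=<ip> user=<username> result=<success|failure>

A credential-stuffing source looks like: one IP, many distinct usernames,
a high failure ratio, and a handful of successes where the user reused a
password that leaked elsewhere.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines; none of these are real accounts or addresses.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z src=203.0.113.7 user=alice result=failure
2023-10-01T10:00:02Z src=203.0.113.7 user=bob result=failure
2023-10-01T10:00:02Z src=203.0.113.7 user=carol result=success
2023-10-01T10:00:03Z src=203.0.113.7 user=dave result=failure
2023-10-01T10:00:03Z src=203.0.113.7 user=erin result=failure
2023-10-01T10:00:04Z src=203.0.113.7 user=frank result=failure
2023-10-01T10:00:05Z src=203.0.113.7 user=grace result=success
2023-10-01T10:00:06Z src=203.0.113.7 user=heidi result=failure
2023-10-01T10:05:00Z src=198.51.100.20 user=alice result=failure
2023-10-01T10:05:10Z src=198.51.100.20 user=alice result=success
2023-10-01T10:06:00Z src=198.51.100.21 user=ivan result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters used by the detector."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    # Usernames that had at least one successful login from this source.
    compromised: set = field(default_factory=set)


def parse_log(text):
    """Yield (src, user, success) for each line matching the assumed format.

    Lines that do not match are skipped rather than crashing the detector.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["user"], m["result"] == "success"


def aggregate(events):
    """Roll login events up into per-source statistics."""
    stats = defaultdict(SourceStats)
    for src, user, ok in events:
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.compromised.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(stats, min_users=5, min_failure_ratio=0.6):
    """Return {src: sorted compromised usernames} for suspicious sources.

    A source is flagged when it touched at least `min_users` distinct
    accounts and most of its attempts failed. The thresholds are constructed
    for this example and must be tuned to real login volume; a single user
    fumbling their own password (198.51.100.20 below) is not flagged.
    """
    flagged = {}
    for src, s in stats.items():
        ratio = s.failures / s.attempts if s.attempts else 0.0
        if len(s.users) >= min_users and ratio >= min_failure_ratio:
            flagged[src] = sorted(s.compromised)
    return flagged


def detect(text):
    """Convenience wrapper: raw log text -> flagged sources and affected accounts."""
    return flag_stuffing(aggregate(parse_log(text)))


if __name__ == "__main__":
    for src, users in detect(SAMPLE_LOG).items():
        print(f"credential stuffing from {src}; accounts to reset and enrol in MFA: {users}")
```

On the constructed sample the detector flags 203.0.113.7 (eight distinct usernames, six of eight attempts failed) and reports `carol` and `grace` as the accounts it actually got into; the legitimate user retrying their own password from 198.51.100.20 is not flagged. Those two successes are exactly what mandatory MFA would have blocked, and they are the accounts a notification procedure of the kind the investigation is assessing would need to cover.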
Link(s):
https://www.malwarebytes.com/blog/n...ch-under-joint-investigation-in-two-countries