After its data leak, 23andMe blames user negligence


Is the genetic testing specialist 23andMe acting in bad faith? In a letter dated mid-December and recently revealed by TechCrunch, the company tries to minimize its responsibility for the data leak that hit it this fall. That leak ended with the profile information of roughly half of its customers being put up for sale on criminal marketplaces.

According to 23andMe, the leak is primarily the fault of negligent users who reused old passwords. “Consequently, the incident is not due to an alleged failure by 23andMe to guarantee reasonable IT security,” the company summarizes. It now faces around thirty lawsuits, according to the American press.

Credential stuffing

Hackers gained fraudulent access to about 14,000 user accounts through a credential stuffing attack. This technique consists of replaying, at scale, username and password pairs that have already leaked from breaches of other services, betting that some users reused the same password on 23andMe.

From those 14,000 accounts, the attackers then exploited the platform's user-to-user information-sharing features to harvest data relating to about half of its users.

While the raw genetic data held by the DNA-analysis service was not affected, the attackers were able to access users' names, years of birth, percentages of DNA shared with relatives and profile photos, and, for some 1.4 million victims, their family trees, sometimes including years of birth and location data.

Classic attack

This attempt to deflect responsibility has not gone down well with the lawyers representing victims of the leak. “23andMe knew or should have known that many consumers use recycled passwords,” notes Hassan Zavareei, quoted by TechCrunch. Given the sensitive information stored on the site, the company should also have taken measures against credential stuffing, he continues.

This kind of attack is indeed a classic, and the recipes for stopping it are well known. They range from detection, that is, noticing an unexpected flood of login attempts (the telltale pattern being many different accounts tried from the same sources in a short time, most of the attempts failing), to forcibly resetting all passwords once a compromise is suspected.

Two-factor authentication, which 23andMe finally made mandatory after the hack, also cuts the ground from under cybercriminals: a stolen password alone no longer opens the account. The company could also have required strong passwords, for instance by rejecting new passwords that appear in known breach corpora. That pushes users to create or generate a password different from those used on less careful services.
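The two defences discussed above, detecting a credential stuffing burst in authentication logs and rejecting passwords known to have leaked, as an added example that is not code from the article or from 23andMe. The log lines, the breached-password list, the thresholds and the function names are all constructed for this demonstration; a real deployment would consult an actual breach corpus (for example a Pwned Passwords style lookup) rather than the short offline list used here.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not real 23andMe data).
# Format: ISO timestamp, source IP, username, result (OK or FAIL).
# 203.0.113.5 sprays 12 different accounts in 22 seconds and gets 2 hits;
# 198.51.100.7 is one user mistyping her own password twice, then succeeding.
SAMPLE_LOG = """\
2023-10-01T10:00:00Z 203.0.113.5 u01@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.5 u02@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.5 bob@example.com OK
2023-10-01T10:00:05Z 198.51.100.7 alice@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.5 u04@example.com FAIL
2023-10-01T10:00:08Z 203.0.113.5 u05@example.com FAIL
2023-10-01T10:00:09Z 198.51.100.7 alice@example.com FAIL
2023-10-01T10:00:10Z 203.0.113.5 u06@example.com FAIL
2023-10-01T10:00:12Z 203.0.113.5 u07@example.com FAIL
2023-10-01T10:00:14Z 203.0.113.5 dave@example.com OK
2023-10-01T10:00:15Z 198.51.100.7 alice@example.com OK
2023-10-01T10:00:16Z 203.0.113.5 u09@example.com FAIL
2023-10-01T10:00:18Z 203.0.113.5 u10@example.com FAIL
2023-10-01T10:00:20Z 203.0.113.5 u11@example.com FAIL
2023-10-01T10:00:22Z 203.0.113.5 u12@example.com FAIL
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window_seconds=60, min_attempts=10,
                               min_distinct_users=8, max_success_rate=0.2):
    """Flag source IPs whose sliding window of logins looks like a spray:
    many attempts, against many distinct accounts, with a low success rate.
    Thresholds are illustrative assumptions, not values from the article."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            attempts = len(window)
            if attempts < min_attempts:
                continue
            distinct = {u for _, u, _ in window}
            successes = sum(1 for _, _, ok in window if ok)
            if len(distinct) >= min_distinct_users and successes / attempts <= max_success_rate:
                rec = flagged.setdefault(ip, {"max_attempts": 0, "compromised": set()})
                rec["max_attempts"] = max(rec["max_attempts"], attempts)
                # Accounts that logged in successfully during a spray are the
                # ones to force-reset and notify.
                rec["compromised"].update(u for _, u, ok in window if ok)

    for rec in flagged.values():
        rec["compromised"] = sorted(rec["compromised"])
    return flagged


# Constructed stand-in for a breach corpus, stored as uppercase SHA-1 hex like
# the Pwned Passwords dataset (assumption: a real system would query the full corpus).
_BREACHED_PASSWORDS = ["password123", "qwerty", "123456", "welcome1"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _BREACHED_PASSWORDS}


def is_breached_password(password, breached=BREACHED_SHA1):
    """True if the password's SHA-1 appears in the (constructed) breach corpus."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in breached


def validate_new_password(password, min_length=12):
    """Return a list of reasons the password must be rejected (empty = accepted).
    A breached password is refused regardless of its length."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if is_breached_password(password):
        problems.append("found in breach corpus")
    return problems


if __name__ == "__main__":
    for ip, rec in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {rec['max_attempts']} attempts/min, reset {rec['compromised']}")
    print("password123 ->", validate_new_password("password123"))
    print("correct-horse-battery-9 ->", validate_new_password("correct-horse-battery-9"))
```

The detector keys on the combination that distinguishes stuffing from a user fumbling her own password: one source, many accounts, almost all failures. The accounts that do succeed inside a flagged window are exactly the ones to lock and reset, which is the targeted alternative to resetting every password on the platform.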
