Read on Twitter
Thank you @lorenzofb @TechCrunch for discussing the 23andMe intrusion with me.
Here’s a breakdown thread with more of my thoughts:
1. What happened in this data leak?
2. What can orgs proactively do to prevent similar intrusions?
3. What can individuals do to limit their risk of account takeover in similar ways on other sites?
Here’s a breakdown thread with more of my thoughts:
1. What happened in this data leak?
2. What can orgs proactively do to prevent similar intrusions?
3. What can individuals do to limit their risk of account takeover in similar ways on other sites?
https://twitter.com/lorenzofb/status/1711746596826653182
1. What happened in this data leak?
Cyber criminals were able to find passwords that were involved in other breaches online and use a method called “credential stuffing” to attempt those previously breached and reused passwords on 23andMe to login as other users.
Unfortunately, most folks reuse their passwords across many sites and apps and when those passwords are stolen they can be used to gain access to your account anywhere else the password is used online.
The attackers took the passwords from other breaches, stuffed them into 23andMe and then used an opt-in feature called DNA Relatives to enumerate genetic data of similar groups.
23andMe doesn’t yet appear to be hacked itself, rather the formerly breached passwords reused by the 23andMe users allowed the attacker to gain access to user accounts by logging in as the user and stealing sensitive genetic data.
Cyber criminals were able to find passwords that were involved in other breaches online and use a method called “credential stuffing” to attempt those previously breached and reused passwords on 23andMe to login as other users.
Unfortunately, most folks reuse their passwords across many sites and apps and when those passwords are stolen they can be used to gain access to your account anywhere else the password is used online.
The attackers took the passwords from other breaches, stuffed them into 23andMe and then used an opt-in feature called DNA Relatives to enumerate genetic data of similar groups.
23andMe doesn’t yet appear to be hacked itself, rather the formerly breached passwords reused by the 23andMe users allowed the attacker to gain access to user accounts by logging in as the user and stealing sensitive genetic data.
2. What can organizations proactively do to prevent similar intrusions?
Companies have options to help their users avoid account takeover.
First, by @troyhunt allows for integrations with sites to warn users if their password is reused and findable online in a previous breach. This helps prevent users from reusing their passwords on a website. I highly recommend that companies use the integration to prevent password reuse on their own site — because remember, everyday folks don’t understand the difference between a credential stuffing attack that leads to account takeover and data leaks vs the site itself being hacked/breached with malware, etc. It’s in an org’s best interest to prevent password reuse on their site to avoid the negative impacts of data leaks no matter what (because a data leak will impact a brand regardless of the attack method in use).
Second, using a website without MFA on should feel like driving a car without your seatbelt on — obvious and with a clear next action. If your users don’t have MFA on, make it extremely clear and easy to turn MFA on. I thank @CISAJen @boblord @CISAJen for the car analogy.haveibeenpwned.com
Companies have options to help their users avoid account takeover.
First, by @troyhunt allows for integrations with sites to warn users if their password is reused and findable online in a previous breach. This helps prevent users from reusing their passwords on a website. I highly recommend that companies use the integration to prevent password reuse on their own site — because remember, everyday folks don’t understand the difference between a credential stuffing attack that leads to account takeover and data leaks vs the site itself being hacked/breached with malware, etc. It’s in an org’s best interest to prevent password reuse on their site to avoid the negative impacts of data leaks no matter what (because a data leak will impact a brand regardless of the attack method in use).
Second, using a website without MFA on should feel like driving a car without your seatbelt on — obvious and with a clear next action. If your users don’t have MFA on, make it extremely clear and easy to turn MFA on. I thank @CISAJen @boblord @CISAJen for the car analogy.haveibeenpwned.com
3. What can individuals do to limit their risk of account takeover in similar ways on other sites?
- Avoid password reuse. Use long, random, and unique passwords on each site, generated and stored by/in a password manager. Or use passkeys anywhere they’re offered to avoid passwords altogether when you can.
- Use the right MFA for your threat model/digital literacy on every site and tool you use. For many people, that’s at least app-based MFA. Even SMS 2FA is better than nothing for many credential stuffing focused attacks. FIDO solutions are a great match for many people — I personally enjoy using @Yubico YubiKeys.
- Sign up for to get alerts when your usernames, email addresses, or passwords turn up in a breach, then change those passwords immediately and ensure MFA is on those accounts.
- Avoid password reuse. Use long, random, and unique passwords on each site, generated and stored by/in a password manager. Or use passkeys anywhere they’re offered to avoid passwords altogether when you can.
- Use the right MFA for your threat model/digital literacy on every site and tool you use. For many people, that’s at least app-based MFA. Even SMS 2FA is better than nothing for many credential stuffing focused attacks. FIDO solutions are a great match for many people — I personally enjoy using @Yubico YubiKeys.
- Sign up for to get alerts when your usernames, email addresses, or passwords turn up in a breach, then change those passwords immediately and ensure MFA is on those accounts.
This is all about harm reduction, find the password manager and MFA strategy that works for you, your team, and your family/friends according to your threat model and digital literacy.
If you work at a company and are in charge of preventing similar credential stuffing intrusions — talk with your team about implementing the integration to detect and prevent password reuse.
Discuss how you can make using your site without MFA more like driving a car without a seatbelt.
If you work at a company and are in charge of preventing similar credential stuffing intrusions — talk with your team about implementing the integration to detect and prevent password reuse.
Discuss how you can make using your site without MFA more like driving a car without a seatbelt.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
