The genetic testing company 23andMe has suffered a data breach that compromised a million data points of Ashkenazi Jews including, if accurate, Mark Zuckerberg and Elon Musk, and the apparent hackers are already offering for sale what they say is the stolen information on the Dark Web, that part of the Internet where criminals buy and sell goods and services. The data breach appears to have been carried out by what is called credential stuffing, in which passwords that were compromised in earlier data breaches are tried against accounts at another site, succeeding wherever the victim reused the same password. Using a unique password for each of your accounts is essential for this very reason, and if it is indeed accurate that Zuckerberg’s and Musk’s accounts were hacked, it is surprising that such technologically sophisticated people failed to follow that very basic precaution. Reusing a password across accounts puts all of them in jeopardy in the event of a data breach at any one of them.
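Credential stuffing leaves a recognizable shape in a site's own login logs: one client trying many different accounts in a short window, most of them failing, which is unlike a legitimate user retrying a single account. The following Python detector is an added illustration of that pattern, not code from 23andMe or from Scamicide; the log lines, IP addresses, accounts and thresholds are constructed for the example.

```python
"""Flag credential-stuffing patterns in web login logs.

Added example (not 23andMe's or Scamicide's code). Credential stuffing
replays username/password pairs leaked from earlier breaches against a
different site, so the target site sees one source trying many *distinct*
accounts, mostly failing, within a short window. Successful logins inside
such a burst are the accounts that were probably reached with a reused
password and should be reviewed or forced to reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol@example.com OK
2023-10-01T12:00:03Z 203.0.113.7 dave@example.com FAIL
2023-10-01T12:00:04Z 203.0.113.7 erin@example.com FAIL
2023-10-01T12:00:05Z 203.0.113.7 frank@example.com FAIL
2023-10-01T12:00:05Z 203.0.113.7 grace@example.com FAIL
2023-10-01T12:00:06Z 203.0.113.7 heidi@example.com OK
2023-10-01T12:00:06Z 203.0.113.7 ivan@example.com FAIL
2023-10-01T12:00:07Z 203.0.113.7 judy@example.com FAIL
2023-10-01T12:01:00Z 198.51.100.9 mallory@example.com FAIL
2023-10-01T12:01:10Z 198.51.100.9 mallory@example.com FAIL
2023-10-01T12:01:20Z 198.51.100.9 mallory@example.com OK
"""

# Assumed thresholds; tune them against your own traffic.
WINDOW = timedelta(seconds=60)   # sliding window per source IP
MIN_ACCOUNTS = 5                 # distinct accounts tried inside the window
MIN_FAIL_RATIO = 0.5             # share of attempts that failed


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, ip, account, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, account, result == "OK"))
    return events


def detect_stuffing(events, window=WINDOW, min_accounts=MIN_ACCOUNTS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: finding} for sources whose login burst looks like stuffing."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            accounts = {account for _, account, _ in burst}
            failures = sum(1 for _, _, ok in burst if not ok)
            if len(accounts) >= min_accounts and failures / len(burst) >= min_fail_ratio:
                # Keep the widest qualifying window seen for this source.
                if ip not in findings or len(accounts) > findings[ip]["accounts_tried"]:
                    findings[ip] = {
                        "accounts_tried": len(accounts),
                        "attempts": len(burst),
                        "failures": failures,
                        # Accounts that were entered successfully during the burst.
                        "successful_logins": sorted({a for _, a, ok in burst if ok}),
                    }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the constructed log the single source 203.0.113.7 tries ten different accounts in six seconds with eight failures and is flagged, while 198.51.100.9, which retries one account three times, is not; the two successful logins inside the flagged burst are the ones a defender would review first.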
And while this data breach does not appear to have been due to faulty security at 23andMe, the company is still to be faulted for failing to plan for such an attack and for failing to encrypt the sensitive data it holds.
It is difficult to determine what use the hackers would make of the genetic data that was compromised. However, along with the genetic data, the breach appears to have included email addresses, which would enable the cybercriminals to create believable, specifically tailored spear phishing emails to lure their victims into clicking on links or providing personal information, with identity theft or various types of malware attacks, including ransomware, as the result.
The lesson for companies, particularly those holding sensitive personal information, is to encrypt such data as a protection against inevitable cyberattacks.
The lesson for all of us as individuals is, first, to make sure we use a unique password for each of our online accounts and, second, to also use dual factor authentication, so that even if a hacker manages to learn our password, the hacker would not be able to access the account merely by using that password.
If you are not a subscriber to Scamicide.com and would like to receive free daily emails with the Scam of the day, all you need to do is go to the bottom of the initial page of http://www.scamicide.com and type in your email address on the tab that states “Sign up for this blog.”