In the Scam of the day for October 10, 2023 I told you that the genetic testing company 23andMe had suffered a data breach that compromised genetic and ancestry data of 6.9 million of its users and that the apparent hackers had already offered for sale what they say is the stolen information on the Dark Web, that part of the Internet where criminals buy and sell goods and services. The data breach appears to have been done by what is called credential stuffing, which is when passwords that were compromised in earlier data breaches are reused to log in to accounts at another site. Failing to use a unique password for each of your accounts puts all of your accounts in jeopardy in the event of a data breach at any one of them.
The initial breach using stolen credentials only affected 14,000 23andMe customers; however, the hackers were able to access the data of the other affected customers through an opt-in feature of 23andMe by which customers automatically share some of their data with people who are considered relatives on the platform.
Now 23andMe, which incidentally has been sued in class actions over the data breach, is blaming victims of the data breach because of their use of previously used and compromised passwords, saying that they are responsible for the data breach. And while this data breach does not appear to have been totally due to faulty security at 23andMe, the company is to be faulted for failing to anticipate and plan for such an attack and for failing to encrypt the sensitive data it holds.
It is difficult to determine what use the hackers would make of the genetic data that was compromised. However, along with the genetic data, it appears that the breach also included email addresses, which would enable the cybercriminals to create believable, specifically tailored spear phishing emails using the compromised information to lure their victims into clicking on links or providing personal information that could result in identity theft or various types of malware attacks, including ransomware.
TIPS
The lesson for companies, particularly those holding sensitive personal information is to encrypt such data as a protection against inevitable cyberattacks.
The lesson for all of us as individuals is, first, to make sure we use a unique password for each of our online accounts and, second, to also use dual factor authentication so that even in the event that a hacker manages to learn our password, the hacker would not be able to access the account merely by using the password. Following the data breach, 23andMe now requires the use of dual factor authentication, which previously was only an option for its customers.
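The way a small number of stuffed accounts exposed the data of many more through the relative-sharing feature is the kind of amplification a company should model before an attack. The following is an added illustration, not code from 23andMe or from this blog: it assumes a constructed set of accounts, a constructed table of who opted in to relative sharing, and constructed relative matches, and computes how many accounts' shared data an attacker can read after taking over a given set of accounts.

```python
# Constructed sample data, not 23andMe's: which accounts opted in to relative sharing.
OPTED_IN = {"a1": True, "a2": True, "a3": False, "a4": True, "a5": True, "a6": False}

# Constructed relative matches (undirected); the platform decides who counts as a relative.
RELATIVE_PAIRS = [("a1", "a2"), ("a1", "a3"), ("a2", "a4"), ("a4", "a5"), ("a5", "a6")]


def build_relatives(pairs, accounts):
    """Adjacency map: account -> set of accounts the platform shows it as relatives."""
    relatives = {a: set() for a in accounts}
    for x, y in pairs:
        relatives[x].add(y)
        relatives[y].add(x)
    return relatives


def exposed_accounts(compromised, opted_in, relatives):
    """Accounts whose shared data an attacker can read after taking over `compromised`.

    Assumed sharing rule: a taken-over account sees only relatives who opted in, and
    only if it opted in itself. Exposure is one hop: the attacker now holds those
    relatives' shared data, but not their credentials, so it does not chain further.
    """
    exposed = set(compromised)
    for account in compromised:
        if not opted_in.get(account, False):
            continue
        exposed |= {r for r in relatives[account] if opted_in.get(r, False)}
    return exposed


def amplification(compromised, opted_in, relatives):
    """How many accounts are exposed per account actually broken into."""
    compromised = set(compromised)
    if not compromised:
        return 0.0
    return len(exposed_accounts(compromised, opted_in, relatives)) / len(compromised)


if __name__ == "__main__":
    rel = build_relatives(RELATIVE_PAIRS, OPTED_IN)
    for stuffed in ({"a1"}, {"a1", "a4"}):
        exposed = exposed_accounts(stuffed, OPTED_IN, rel)
        print(f"broken into: {sorted(stuffed)} -> exposed: {sorted(exposed)} "
              f"(x{amplification(stuffed, OPTED_IN, rel):.1f})")
```

Running the same model with sharing switched off for everyone, or with the stuffed set empty because dual factor authentication blocked the logins, shows the exposure collapsing back to the directly compromised accounts.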
If you are not a subscriber to Scamicide.com and would like to receive free daily emails with the Scam of the day, all you need to do is go to the bottom of the initial page of http://www.scamicide.com and type in your email address on the tab that states “Sign up for this blog.”