What is Credential Stuffing? A Look Into the Cyber Attack on 23andme Users

Hailey Carlson
October 16, 2023

On October 6th, the genetic testing company 23andme announced that it had suffered a cyber attack which impacted hundreds of user accounts. Typically, an announcement like this discloses that a data breach of the company’s systems took place or that a cyber crook found and exploited a vulnerability in the company’s networks. This attack is unique in that data was compromised, but not due to a security error or breach of this company.

The tactic used by cybercriminals in carrying out this attack on some of the 23andme users is known as credential stuffing. In a credential stuffing attack, malicious actors obtain stolen login information from one company’s data breach and then use this data to attempt to gain access to accounts on other sites that are unrelated to the original one. Credential stuffing can be done either by an attacker who previously breached a company’s networks or by one who purchased already stolen data on the dark web. This strategy has been gaining popularity among hackers due to the simple fact that it is working for them; credential stuffing attacks succeed because so many individuals use the same or very similar login credentials across their myriad accounts. A Google poll found that 65% of adults reused passwords across different accounts – 13% of whom admitted to reusing the same password for every single one of their online accounts.
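On the site operator's side, the pattern described above shows up in authentication logs as one source trying many distinct accounts with almost every login failing. The following is an added example, not part of the original article, that flags this pattern; the event format, the thresholds and the name `find_stuffing_sources` are assumptions, and the log events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, succeeded).
# Documentation-range IPs; not data from the 23andme incident.
SAMPLE_EVENTS = [
    # One source walking a credential list: many accounts, one try each.
    ("2023-10-01T10:00:05", "198.51.100.7", "alice", False),
    ("2023-10-01T10:00:09", "198.51.100.7", "bob", False),
    ("2023-10-01T10:00:14", "198.51.100.7", "carol", False),
    ("2023-10-01T10:00:20", "198.51.100.7", "dana", True),
    ("2023-10-01T10:00:26", "198.51.100.7", "erin", False),
    ("2023-10-01T10:00:31", "198.51.100.7", "frank", False),
    # One user mistyping a password: retries against a single account.
    ("2023-10-01T10:01:00", "203.0.113.20", "gina", False),
    ("2023-10-01T10:01:12", "203.0.113.20", "gina", False),
    ("2023-10-01T10:01:30", "203.0.113.20", "gina", True),
    # Shared office address: many accounts, but the logins succeed.
    ("2023-10-01T09:00:00", "192.0.2.50", "hal", True),
    ("2023-10-01T09:00:40", "192.0.2.50", "ivy", True),
    ("2023-10-01T09:01:10", "192.0.2.50", "jon", True),
    ("2023-10-01T09:02:00", "192.0.2.50", "kim", True),
    ("2023-10-01T09:03:00", "192.0.2.50", "lee", True),
]

def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_ratio=0.2):
    """Map each suspicious IP to (accounts targeted, accounts that logged in)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        targeted, compromised, start = set(), set(), 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            ok_count = sum(ok for _, _, ok in span)
            # Signature: many distinct accounts, almost all attempts failing.
            if len(users) >= min_accounts and ok_count / len(span) <= max_success_ratio:
                targeted |= users
                compromised |= {u for _, u, ok in span if ok}
        if targeted:
            flagged[ip] = (len(targeted), sorted(compromised))
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_EVENTS))
```

The accounts listed as logged in from a flagged source are the ones to lock and force through a password reset. Grouping by source IP is only one choice of key; the same windowed count works when grouping by other request attributes.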

In addition to credential stuffing, these cybercriminals obtained access to more 23andme accounts by data scraping. Data scraping occurs when data is taken from one source and saved into a separate file, often without the knowledge or authorization of the original source site or specific affected users; in this case, data was scraped from the website’s DNA Relatives feature. This optional feature allows users to find their “Relatives in Common™”, in which the company locates genetic relatives and helps users to determine how different people might be related to them. Since the attack, a few features have been temporarily disabled to help protect user privacy. While 23andme is doing a good job of assisting their users in navigating their site safely, it is important for users of this site, and of any site for that matter, to take their cybersecurity into their own hands.

Use unique passwords for each account - Because this step is so simple, many people overlook it; however, proper password hygiene is the cybersecurity step every individual needs to be sure to implement in their own personal security journey. The victims of this cyber attack unfortunately reused login credentials from one account to another, and this was the exact issue that caused their 23andme data to be compromised. Be sure to make each password strong (via the use of upper and lower case letters, numbers, and symbols) and very different from one to another.

Use a password manager - Keeping up with multiple, strong, unique passwords can be an overwhelming feat – it is the reason that so many folks do not have strong password hygiene. There are plenty of things to remember in life, and adding more and more account passwords to that list is a little daunting for many of us. To make this step easier, try creating passphrases instead of passwords (i.e. a sentence that you can remember with different letters capitalized and/or characters or numbers put in place of some of the letters). Even so, remembering a passphrase for every account you have is a lot. To assist even further with your own personal password hygiene, use a password manager; a password manager is a database for all of your passwords, and it is protected by one complex password. When utilizing this tool, be sure to make your master password something that is different from all other passwords stored within it, something hard to guess, and chiefly, something you will remember. This makes the task of having proper password hygiene a bit more manageable, as you can have all of your unique passwords stored in a secure location where you won’t forget them.

Utilize two-factor authentication - As suggested by 23andme following this attack, two-factor authentication should be used whenever possible. This is a key element in protecting your data from this attack in particular. Credential stuffing is reliant on poor password hygiene, and though the affected users need to be sure to use a different password for every account going forward, had they implemented two-factor authentication for their account, the cybercriminals would have been stopped in their tracks. Two-factor (or multi-factor) authentication is when you get a one-time code sent to a linked contact source such as your phone number or email address. This adds maybe a minute to your login time each time you access a certain account but increases the protection on your own data significantly. Utilize this tool whenever possible to further protect yourself from credential stuffing and other emerging threats.
