California AG claims genetics biz downplayed 2023 mega-leak while paying ransom to attacker
# Incident Report: 2023 23andMe Credential Stuffing & Data Scraping Incident
## Executive Summary
In 2023, genetic testing company 23andMe suffered a major data breach originating from credential-stuffing attacks on approximately 14,000 accounts. By exploiting the "DNA Relatives" feature, the attacker was able to scrape the sensitive personal and genetic information of nearly 7 million users. The California Attorney General has filed a lawsuit alleging the company failed to implement basic security controls, misled consumers about the breach's severity, and downplayed the incident while secretly paying a ransom to the threat actor.
## Incident Details
- **Discovery Date:** Approximately five months after initial access
- **Incident Date:** April 2023 – September 2023 (roughly five months of undetected access)
- **Affected Organization:** 23andMe (now Chrome Holding Co.)
- **Sector:** Healthcare / Genetics / Biotechnology
- **Geography:** Global (Headquartered in California, USA)
## Timeline of Events
### Initial Access
- **Date/Time:** Early-to-mid 2023
- **Vector:** Credential Stuffing
- **Details:** Threat actors used usernames and passwords exposed in previous, unrelated third-party breaches to gain unauthorized access to ~14,000 23andMe accounts that did not have Multi-Factor Authentication (MFA) enabled.
### Lateral Movement
- **Details:** The attacker did not move laterally through the server infrastructure in a traditional sense; instead, they leveraged the "DNA Relatives" feature. By compromising a single account, the attacker could view and scrape data of all accounts linked as "relatives" to that user.
### Data Exfiltration/Impact
- **Details:** Data for approximately 6.9 million users was exfiltrated. This included sensitive genetic ancestry details, family histories, and health conditions. Curated lists targeting specific groups (e.g., users of Jewish and Chinese descent) were later advertised for sale on dark web forums.
### Detection & Response
- **Discovery:** The intrusion went undetected for five months. It was identified after the threat actor "Golem" posted data samples on a cybercrime forum.
- **Response actions taken:** The company negotiated with the attacker and paid a ransom in return for the removal of the online posts and of the vulnerability information; it eventually introduced MFA prompts, although MFA was not initially mandated.
## Attack Methodology
- **Initial Access:** Credential Stuffing (exploiting password reuse).
- **Persistence:** Sustained access to compromised user accounts over a 5-month period.
- **Privilege Escalation:** Not applicable (Abuse of legitimate user features).
- **Defense Evasion:** Bypassed detection by using legitimate login portals and mimicking standard user behavior to scrape data.
- **Credential Access:** Automated login attempts using leaked credentials.
- **Discovery:** Used the "DNA Relatives" feature to map out connections and identify additional victims.
- **Lateral Movement:** "Feature-based" movement; jumping from one compromised account to millions of related profiles.
- **Collection:** Bulk downloading/scraping of genetic and personal profiles.
- **Exfiltration:** Data posted and sold on dark web forums.
- **Impact:** Massive privacy breach; exposure of sensitive ethnic and health data.
## Impact Assessment
- **Financial:** $30 million settlement in 2024; £2.3 million ($3.09M) fine from UK ICO; ongoing litigation from California AG.
- **Data Breach:** ~7 million records containing PII and genetic data.
- **Operational:** Structural changes; company transitioned into "Chrome Holding Co." and assets were acquired by TTAM Research Institute following bankruptcy filings.
- **Reputational:** Severe damage due to claims that the company blamed customers for "recycling credentials" and downplayed the sensitivity of the data.
## Indicators of Compromise
- **Behavioral indicators:** Unusual volumes of "DNA Relatives" profile views; high-frequency logins from IPs associated with known credential-stuffing botnets; bulk data export requests from individual user accounts.
## Response Actions
- **Containment measures:** Disabled the "DNA Relatives" feature temporarily during the investigation.
- **Eradication steps:** Forced password resets and implemented regular MFA prompts.
- **Recovery actions:** Notified affected users; entered into a $30 million settlement to provide compensation and credit monitoring.
## Lessons Learned
- **MFA is Critical:** Sensitive data (especially genetic/health info) should never be protected by a password alone.
- **Detection Gap:** A five-month dwell time for a scraper is unacceptably long; rate-limiting and behavioral monitoring for bulk data access were insufficient.
- **Transparency Matters:** Attempting to shift blame to customers for "poor password hygiene" while paying a secret ransom created a significant trust deficit and invited regulatory scrutiny.
## Recommendations
- **Mandatory MFA:** Enforce Multi-Factor Authentication for all accounts containing PII or sensitive health data.
- **Anti-Scraping Controls:** Implement strict rate-limiting and CAPTCHAs on features that allow users to view other users' data in bulk.
- **Anomaly Detection:** Deploy monitoring tools to flag accounts that access an unusually high number of "relative" profiles in a short window.
- **Third-Party Risk/Credential Monitoring:** Proactively monitor for leaked corporate credentials on the dark web to alert users to change passwords before they are exploited.
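The behavioral indicators listed under Indicators of Compromise and the anomaly-detection recommendation above can be turned into a concrete sliding-window detector. The example below is added here and is not code from 23andMe or from the report's source; the log format, the field order, the IP addresses, account names, and thresholds are all constructed for illustration. It flags a source IP that fails logins against many distinct accounts in a short window (the credential-stuffing signature) and an account that views many distinct "DNA Relatives" profiles in a short window (the scraping signature), counting distinct targets so that retries on one account or reloads of one profile do not trip it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): time event source_ip account target
SAMPLE_LOG = """\
2023-05-01T10:00:00 LOGIN_FAIL 198.51.100.7 alice -
2023-05-01T10:00:02 LOGIN_FAIL 198.51.100.7 bob -
2023-05-01T10:00:03 LOGIN_FAIL 198.51.100.7 carol -
2023-05-01T10:00:05 LOGIN_OK 198.51.100.7 dave -
2023-05-01T10:00:06 LOGIN_FAIL 198.51.100.7 erin -
2023-05-01T10:00:08 LOGIN_FAIL 198.51.100.7 frank -
2023-05-01T10:01:00 RELATIVE_VIEW 198.51.100.7 dave p1001
2023-05-01T10:01:01 RELATIVE_VIEW 198.51.100.7 dave p1002
2023-05-01T10:01:02 RELATIVE_VIEW 198.51.100.7 dave p1003
2023-05-01T10:01:03 RELATIVE_VIEW 198.51.100.7 dave p1004
2023-05-01T10:01:04 RELATIVE_VIEW 198.51.100.7 dave p1005
2023-05-01T10:01:04 RELATIVE_VIEW 198.51.100.7 dave p1001
2023-05-01T11:00:00 RELATIVE_VIEW 203.0.113.9 grace p2001
2023-05-01T11:30:00 RELATIVE_VIEW 203.0.113.9 grace p2002
"""

def parse_log(text):
    """Return (time, event, ip, account, target) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        ts, event, ip, account, target = line.split()
        rows.append((datetime.fromisoformat(ts), event, ip, account, target))
    return sorted(rows)

def burst_alerts(events, event_type, key_idx, item_idx, threshold, window):
    """Flag each key whose number of DISTINCT items of event_type inside a
    sliding time window reaches threshold; each key is reported once."""
    recent, flagged = defaultdict(deque), []
    for ev in events:
        if ev[1] != event_type:
            continue
        key, q = ev[key_idx], recent[ev[key_idx]]
        q.append((ev[0], ev[item_idx]))
        while ev[0] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len({item for _, item in q}) >= threshold and key not in flagged:
            flagged.append(key)
    return flagged

def detect_credential_stuffing(events, threshold=5, window=timedelta(minutes=1)):
    return burst_alerts(events, "LOGIN_FAIL", 2, 3, threshold, window)  # key: IP, item: account

def detect_relative_scraping(events, threshold=5, window=timedelta(minutes=5)):
    return burst_alerts(events, "RELATIVE_VIEW", 3, 4, threshold, window)  # key: account, item: profile
```

On the constructed log, the first detector flags 198.51.100.7 (five distinct accounts failed within eight seconds) and the second flags dave (five distinct profiles in five seconds) while grace, whose two views are thirty minutes apart, stays clean.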