Full Report
California Attorney General Rob Bonta filed a lawsuit against 23andMe, now Chrome Holding Co., over the company's failure to protect sensitive customer genetic and personal information. [...]
Analysis Summary
# Incident Report: 2023 23andMe Genetic Data Breach
## Executive Summary
In 2023, 23andMe (now Chrome Holding Co.) suffered a significant data breach in which the sensitive genetic and personal information of approximately 6.9 million customers was exfiltrated. Attackers used credential stuffing to take over individual accounts, then abused the "DNA Relatives" feature to reach the data of a far larger pool of users connected to those accounts. The fallout led to massive regulatory fines, a lawsuit from the California Attorney General, and the company eventually filing for bankruptcy.
## Incident Details
- **Discovery Date:** October 2023
- **Incident Date:** Ongoing throughout 2023 (revealed in October)
- **Affected Organization:** 23andMe (now Chrome Holding Co.)
- **Sector:** Genetics, Biotechnology, and Healthcare
- **Geography:** Global (with significant impact on California, USA)
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-October 2023
- **Vector:** Credential Stuffing
- **Details:** Threat actors used lists of usernames and passwords leaked from other platforms to gain access to accounts where users had reused credentials.
### Lateral Movement
- **DNA Relatives Feature:** Once inside the compromised accounts, attackers turned to the "DNA Relatives" feature. Because of a coding error in this feature, they were able to scrape data belonging to the relatives connected to each compromised account, multiplying the reach of every stolen credential.
### Data Exfiltration/Impact
- **Exfiltration:** Threat actors extracted genetic data, health predispositions, ancestry information, and DNA match records for 6.9 million users.
- **Evidence:** Samples of the stolen data were posted/offered for sale on hacker forums in October 2023 to prove authenticity.
### Detection & Response
- **Discovery:** Public discovery occurred after threat actors leaked data samples online.
- **Response actions taken:** 23andMe confirmed the breach, initially blaming user password hygiene, and later faced multiple class-action lawsuits and regulatory investigations.
## Attack Methodology
- **Initial Access:** Credential Stuffing (exploiting password reuse).
- **Persistence:** Access maintained through authenticated user sessions.
- **Credential Access:** Automated trial of stolen credentials from external breaches.
- **Discovery:** Identification of the "DNA Relatives" feature to expand data access.
- **Collection:** Automated scraping of genetic and personal profiles.
- **Exfiltration:** Mass download of sensitive customer datasets.
- **Impact:** Massive privacy violation exposing health and ancestry data of millions.
## Impact Assessment
- **Financial:** Multi-million-dollar fines from national data protection authorities; potential statutory penalties of $1,000–$7,500 per violation in California.
- **Data Breach:** Exposure of highly sensitive genetic, health, and ethnicity data for ~6.9 million people.
- **Operational:** Company filed for bankruptcy in 2024 following the fallout.
- **Reputational:** Severe; the company was accused of making misleading public statements and downplaying the severity of the breach.
## Indicators of Compromise
- **Behavioral indicators:** Unusual account login patterns (high volume of failed logins from diverse IPs typical of credential stuffing); high-volume data scraping within the DNA Relatives feature.
## Response Actions
- **Containment:** Updates to the platform (though the AG alleges a failure to implement "reasonable safeguards" promptly).
- **Eradication:** Remediation of the coding error in the DNA Relatives feature.
- **Recovery:** Transition of the company through bankruptcy proceedings and legal defense.
## Lessons Learned
- **Feature Security:** Features that link users (like "DNA Relatives") must have strict access controls and rate limiting to prevent bulk scraping.
- **Responsibility:** Companies cannot shift the blame entirely to users for password reuse; multi-factor authentication (MFA) should be mandatory for sensitive health data.
- **Transparency:** Downplaying a breach or making misleading statements about data "publicly available" can lead to increased legal and regulatory penalties.
## Recommendations
- **Mandatory MFA:** Implement multi-factor authentication for all accounts containing sensitive PII or health data.
- **Credential Stuffing Defenses:** Deploy bot detection and rate-limiting to identify and block automated login attempts.
- **Data Minimization:** Limit the amount of data accessible through "relative" or "social" features by default.
- **Continuous Monitoring:** Implement robust anomaly detection to identify when a single account is accessing an unusual amount of data from other users.
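The behavioral indicators listed under Indicators of Compromise (a burst of failed logins from many source IPs, followed by high-volume scraping within the DNA Relatives feature) and the continuous-monitoring recommendation above can both be expressed as simple detection logic over authentication and profile-access logs. The following Python is an added example for this report; it is not code from 23andMe, the Attorney General's filing, or any vendor. The log format (`<ISO timestamp> <user> <ip> <action> <detail>`), the sample events, and the thresholds are all constructed assumptions for illustration; in a real deployment the thresholds would be tuned against a baseline of normal user behavior.

```python
"""
Added example: two detections for the behavioral indicators named in the report.
  1. Credential stuffing: many failed logins in a short window, spread across
     many source IPs and many target accounts (distributed, untargeted guessing).
  2. Bulk relative-profile access: one authenticated account viewing far more
     distinct relative profiles than a normal user would browse.
All log lines below are constructed sample data, not real 23andMe logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    action: str   # "login" or "view_relative" (assumed action names)
    detail: str   # "ok"/"fail" for login, relative profile id for view_relative


def parse_line(line: str) -> Event:
    """Parse one line of the assumed format: '<ISO ts> <user> <ip> <action> <detail>'."""
    ts, user, ip, action, detail = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, action, detail)


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_failures=10, min_ips=5, min_users=5):
    """Slide a time window over login failures; flag windows where failures are
    numerous AND spread over many IPs AND many target accounts. A single user
    mistyping a password, or one IP hammering one account, does not match."""
    fails = sorted((e for e in events if e.action == "login" and e.detail == "fail"),
                   key=lambda e: e.ts)
    alerts, start = [], 0
    for end, e in enumerate(fails):
        while fails[start].ts < e.ts - window:   # drop failures older than the window
            start += 1
        bucket = fails[start:end + 1]
        ips = {x.ip for x in bucket}
        users = {x.user for x in bucket}
        if len(bucket) >= min_failures and len(ips) >= min_ips and len(users) >= min_users:
            alerts.append({"window_end": e.ts, "failures": len(bucket),
                           "distinct_ips": len(ips), "distinct_users": len(users), "ips": ips})
    return alerts


def suspected_takeovers(events, stuffing_alerts):
    """Accounts with a successful login from an IP that took part in a flagged burst:
    the credential-stuffing 'hits' that a responder should force-logout and re-verify."""
    burst_ips = set().union(*(a["ips"] for a in stuffing_alerts)) if stuffing_alerts else set()
    return {e.user for e in events
            if e.action == "login" and e.detail == "ok" and e.ip in burst_ips}


def detect_bulk_relative_access(events, window=timedelta(minutes=10), max_profiles=25):
    """Per account, count distinct relative profiles viewed within a sliding window and
    flag accounts exceeding max_profiles (an assumed ceiling for ordinary browsing).
    Returns {user: peak distinct profiles seen in any one window}."""
    per_user = defaultdict(list)
    for e in events:
        if e.action == "view_relative":
            per_user[e.user].append(e)
    flagged = {}
    for user, views in per_user.items():
        views.sort(key=lambda e: e.ts)
        start = 0
        for end, e in enumerate(views):
            while views[start].ts < e.ts - window:
                start += 1
            distinct = {x.detail for x in views[start:end + 1]}
            if len(distinct) > max_profiles:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def build_sample_log() -> list:
    """Constructed sample: a stuffing burst, one successful takeover that then scrapes
    60 relative profiles, and one legitimate user who looks at three matches."""
    base = datetime(2023, 10, 1, 10, 0, 0)
    stamp = lambda t: f"{t:%Y-%m-%dT%H:%M:%SZ}"
    lines = []
    for i in range(12):   # 12 failures, each from a different IP against a different account
        lines.append(f"{stamp(base + timedelta(seconds=5 * i))} user{i}@example.com "
                     f"198.51.100.{i + 1} login fail")
    # A reused password works on carol's account, from an IP that was part of the burst.
    lines.append(f"{stamp(base + timedelta(seconds=70))} carol@example.com 198.51.100.9 login ok")
    for i in range(60):   # the taken-over session pulls 60 distinct relative profiles
        lines.append(f"{stamp(base + timedelta(seconds=80 + 3 * i))} carol@example.com "
                     f"198.51.100.9 view_relative rel-{i:03d}")
    lines.append(f"{stamp(base + timedelta(minutes=1))} dave@example.com 203.0.113.9 login ok")
    for i in range(3):    # normal browsing volume
        lines.append(f"{stamp(base + timedelta(minutes=2, seconds=30 * i))} dave@example.com "
                     f"203.0.113.9 view_relative rel-{i:03d}")
    return lines


if __name__ == "__main__":
    evs = [parse_line(line) for line in build_sample_log()]
    alerts = detect_credential_stuffing(evs)
    print("stuffing windows flagged:", len(alerts))
    print("suspected takeovers:", suspected_takeovers(evs, alerts))
    print("bulk relative access:", detect_bulk_relative_access(evs))
```

The two detections are deliberately independent: the scraping check fires on `carol@example.com` even if the login burst were missed (for example, because the attacker spread attempts over days), and the takeover check links a successful login back to the burst so that the affected account, not just the source IPs, can be locked and re-verified. Enforcing per-account rate limits on the relative-matching feature itself, as the report recommends, would cap the damage before either detection fires.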