Here’s how the 23andMe hack happened and how different login-access control solutions could have stopped it. On Oct. 10, 2023, 23andMe announced that bad actors had stolen . Even more shocking, the hackers were selling this data—including names, photos, locations, and genetic ancestry information of 23andMe users—on the dark web, potentially opening up the victims to being targeted based on their ethnicity. the personal, genetic, and ethnic data of millions of users This article looks at how the 23andMe hack happened and, most importantly, how various login-access control technologies could have helped 23andMe prevent this hack from happening in the first place. How Did Hackers Break Into 23andMe? The 23andMe hackers used “credential stuffing,” an exploit that relies on the fact that most people use the same username/password combinations on different websites. Basically, the hackers take a list of username/password combinations from another website that was hacked, and they try them out on the website they want to target. A good example of this is the . This is a publicly available dark web file with 8.4 billion stolen credentials from different websites. Chances are, you have some compromised credentials on this list or another one, which is why it’s so important to use a unique password on every website. RockYou2021 database , “Online posts offering the data for sale in underground forums said buyers could acquire 100 profiles for $1,000 or as many as 100,000 for $100,000.” The breach impacted approximately 14 million accounts. According to the Washington Post Why Was 23andMe Vulnerable to Credential Stuffing? According to : TechCrunch “23andMe blamed the incident on its customers for reusing passwords, and an opt-in feature called , which allows users to see the data of other opted-in users whose genetic data matches theirs. If a user had this feature turned on, in theory, it would allow hackers to scrape data on more than one user by breaking into a single user’s account.” DNA Relatives If you’re guilty of reusing passwords (most of us are), then you’re vulnerable to this kind of hack. But blaming the customer for bad password practices isn’t really fair. 23andMe accounts with strong passwords were also vulnerable. Because of how the “DNA Relatives” program connected user data, the accounts with weak passwords exposed those with strong passwords. Ultimately, relying on users to adopt good password practices is a losing strategy when it comes to access control. According to recent statistics: of people reuse the same password across all accounts ( 13% y) 2019 Google stud use the same for multiple accounts ( 52% ) 2019 Google study (the responsible ones) use a different password for every account ( Only 35% ) 2019 Google study of confirmed breaches in 2022 were due to weak, reused, or stolen passwords 81% ( ) LastPass report Given these statistics, it’s easy to conclude that website managers rely on users to develop good password practices. This puts a clear responsibility on website owners to implement better login/access measures. cannot What About Password Managers Like 1Password? Password managers offer a great solution for spinning up and keeping track of unique passwords. Most web browsers include a free password manager, and there are paid services like . But you can’t force every customer to use a password manager. On social media platforms and sites like 23andMe—where customers connect and automatically share personal information—the users who fail to adopt good password practices will endanger the ones who do. 1password Also, password managers aren’t foolproof. If a hacker captures the master password, they get EVERYTHING. Phishing attacks—where you click a malicious link and expose your credentials—are also a problem. Dr. Siamak Shahandashti from the Department of Computer Science at the University of York in the following statement: highlighted these vulnerabilities “Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information. Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial. “Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success.” Ultimately, password managers are better than nothing—and they can help you stay , but even the users with password managers were vulnerable in the 23andMe attack because of the way user accounts interconnected and shared personal information. safer Something more has to be done to protect account access by the websites themselves. What About Multi-Factor Authentication (MFA)? To increase login security, a lot of websites use multi-factor authentication (MFA). There are many types of MFA, and the most popular solutions involve sending a temporary 2-factor (2FA) passcode by text message or email, forcing users to carry out an additional yet tedious authentication step. 23andMe didn’t offer MFA to its users. But even if they had, text-message and email-based MFA solutions aren’t as secure as they used to be. In most cases, email is only secured by a password. Also, it’s relatively common for hackers to gain control of a smartphone through SIM swapping. In fact, this is what happened in the : recent hack of the SEC’s Twitter account Researchers also agree that text message-based MFA is increasingly vulnerable to hacks. According to the cybersecurity firm : Proofpoint “Contrary to what one might anticipate, there has been an increase in account takeovers among tenants that have MFA (multi-factor authentication) protection,” researchers from security firm Proofpoint said in a report. “Based on our data, at least 35% of all compromised users during the past year had MFA enabled.” Because of these vulnerabilities, companies are now warning against using 2-factor strategies that use voice or text message authentication. , Microsoft’s director of identity security: like Microsoft According to Alex Weinert “These mechanisms [text message-based 2FA strategies] are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods […] It bears repeating, however, that – we are discussing MFA method to use, not to use MFA. ” MFA is essential which whether What About Physical Security Keys Like YubiKey? Physical security keys—such as the —are small devices that you connect to your phone or computer. These add an additional physical “factor” to the multifactor authentication process. Many companies, like Google, require employees to use Yubikeys when logging into their work accounts. If a user doesn’t connect the key, they can’t gain access. Yubikey from Yubico Physical security keys add a powerful layer of security. However, the larger an organization gets, the more expensive these strategies become. Priced at $50 up to $105 a key, furnishing Yubikeys to every employee of a large organization is expensive. Also, the delays and management hassles of sending and replacing keys create a significant burden. Then you have public websites—like 23andMe—with millions of users. Requiring every user of a public website or social media platform to buy a $50 hardware device is out of the question. What About Comprehensive Security Solutions Like Cisco Duo? and other comprehensive security services offer high-quality two-factor authentication (2FA) and other authentication tools to enhance login security far beyond passwords. Users confirm access through additional steps like phone calls, push notifications, and physical security keys. Cisco Duo Comprehensive security services like Duo are ideal for businesses with controlled user bases. However, scaling them to work for millions of users on a website like 23andMe or Facebook wouldn't be practical from a cost perspective. Here’s why: Comprehensive security services like Duo charge per user. Charging for millions of accounts wouldn’t be practical from a business perspective. Scaling costs: Duo's multi-step authentication can deter some users, especially those unfamiliar with 2FA. User friction: Managing millions of Duo accounts requires dedicated infrastructure and resources. Operational complexity: What About an Authenticator App Solution Like Google Authenticator? Mandating a 2FA solution like Google Authenticator could have been an affordable way to protect 23andMe users. However, it’s important to note that Google Authenticator comes with some important vulnerabilities: Attackers can create convincing fake login pages that steal usernames, passwords, and one-time codes, allowing hackers to access an account remotely. Phishing attacks: Deceptive tactics could persuade users to share their one-time codes or download malware that exposes it. Social engineering: Many users have cloud-based backups that save their authenticator keys. By compromising a cloud storage account, hackers could access this authenticator data. Cloud backup vulnerability: Google Authentator requires users to download an additional app and enter a security key. Then, each time they log into the app, they need to transfer a temporary passcode from the app to the website, adding a considerable amount of hassle and friction to the login process. User Friction: Delivery of the authentication key code to the user is a point of vulnerability. If hackers intercept this code or obtain it somehow, the entire Google Authentication process is compromised and remote hackers can access the account from anywhere.. Authenticator key interception: Despite these vulnerabilities, Google Authenticator and other authenticator apps significantly improve website login security compared to passwords alone. An authenticator system like this could have stopped the 23andMe credential-stuffing hack in its tracks. What About Tying Access Control to the Login Device Itself, the Way Invysta Does? There’s another solution that may have worked to prevent the 23andMe hack. This is a software-based technology from which could have instantly transformed the login devices of 23andMe users into physical security keys, offering the same level of security as a physical security key (without needing the actual key). , Invysta Technology Group Invysta works by detecting the unique hardware and software identifiers found in each user login device and using those identifiers to spin up an impossible-to-replicate “Anonymous Access Key.” By transforming the smartphones or laptops of 23andMe users into physical security keys, Invysta empowers websites with millions of users to highest-level access security without the need to buy or distribute an additional piece of hardware—making it impossible for remote hackers to conduct a credential stuffing attack. Of course, Invysta is still a relatively unknown technology, and most website owners aren’t aware that it exists. In time, however, this solution could build a reputation as a powerful yet cost-effective strategy in the access control space. Final Thoughts This article looked at various login-access control solutions that could have helped 23andMe prevent the attack on its customers. But just because some of these solutions work today, it doesn’t mean they’ll continue to work in the future. As we share more details about ourselves and our families online—including our DNA and ethnicity data on services like 23andMe—the continually evolving domain of digital security is more important than ever. Indeed, this isn’t just about securing our financial lives anymore. It’s about keeping our families safe from hate crimes, intimate privacy breaches, and other terrifying vulnerabilities. As these dangers continue to increase and change in the years ahead, expect more cybersecurity solutions to appear on the market. By implementing these new technologies early, organizations may be able to avoid the financial, reputational, and physical safety damages that 23andMe has recently endured.

The is an opinion piece based on the author’s POV and does not necessarily reflect the views of HackerNoon.

Walkthroughs, tutorials, guides, and tips. This story will teach you how to do something new or how to do something better.

This story will praise and/or roast a product, company, service, game, or anything else people like to review on the Internet.

Hot off the press! This story contains factual information about a recent event.

Why Is the AI Surge Boosting HDD Stocks? Finis Conner Says: Drives Are to AI as Batteries Are to EVs

Could a Hard Drive Supply Chain Crisis Push AI and Digital Ads to the Breaking Point?

Too Long; Didn't Read

Download free Tech Leaders Productivity Report!

What Could Have Stopped the 23andMe Hack?

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

99.9% of Content Will Be AI-Generated by 2025: Does Anyone Care?

The Hackx0rs Were Active

What Happens When Hackers Get Your DNA Data? Ask 23andMe

6 Chatbot Security Measures to Implement

Access Control Systems Help Companies Comply With Regulations: Here's How

99.9% of Content Will Be AI-Generated by 2025: Does Anyone Care?

The Hackx0rs Were Active

What Happens When Hackers Get Your DNA Data? Ask 23andMe

6 Chatbot Security Measures to Implement

Access Control Systems Help Companies Comply With Regulations: Here's How

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps