Behind the 23andMe data breach: Risks, response, and cybersecurity measures.
In a disclosure last week, genetic testing company 23andMe announced that the private information of nearly 7 million users had been compromised. Exploiting old passwords used by 23andMe users on other accounts, hackers gained access to usernames, addresses, ancestry trees, and birth years.
The initial breach affected 14,000 profiles, whose full suite of information was stolen. But 5.5 million more users, who opted into a feature called DNA Relatives that connects them with potential DNA matches, had their display names, predicted relationships, and uploaded photos compromised. Another 1.4 million users had their family trees, relationship labels, and geographic locations leaked.
As required by data privacy laws, representatives from 23andMe said the company was in the process of notifying all affected users. Many complained about the delay in action, however. Hackers first posted claims about the leaked data on the dark web back in October, while some reporters noted that the total number of affected users could be much higher. Still, a 23andMe spokeswoman said in a press release, “We have not learned of any reports of inappropriate use of the data after the leak.”
Why did this breach happen?
Security experts say that the kind of intimate, personal information provided to a platform like 23andMe is likely to become an ever bigger target for cybercriminals. That’s especially true because the app offers so many ways to connect with other users, which is how an initial breach of just 14,000 accounts gave hackers a path into nearly 7 million more profiles.
Testing old passwords stolen in previous breaches (a technique known as credential stuffing) is an increasingly common tactic for hackers, too. Since so many users recycle passwords across platforms, any time a compromised credential is sold on the dark web, cybercriminals will immediately try it on as many apps as possible. Accordingly, 23andMe immediately started requiring customers to reset their existing passwords and enable two-step verification.
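Credential stuffing has a recognisable shape in authentication logs: one source tries many different accounts in a short window, most attempts fail, and the few that succeed are the accounts whose reused passwords were already in a breach dump. The following detector is an added example, not code from 23andMe or CMIT Solutions; the log format, the thresholds, and the log lines themselves are constructed for the demonstration.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example (not 23andMe's or CMIT Solutions' code). The log format and
the thresholds are assumptions; the sample lines are constructed.
Credential stuffing shows up as one source trying many *different* accounts
with a low success rate, unlike a brute-force attack against one account or a
legitimate user mistyping a password a few times.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO time, source IP, account, outcome).
# 203.0.113.5 sprays seven accounts in four seconds and gets into one of them;
# 198.51.100.7 is a single user retrying their own password; 192.0.2.9 is normal.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=carol result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.5 user=dave result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.5 user=erin result=OK
2023-10-01T12:00:04Z ip=203.0.113.5 user=frank result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.5 user=grace result=FAIL
2023-10-01T12:00:09Z ip=198.51.100.7 user=alice result=FAIL
2023-10-01T12:00:15Z ip=198.51.100.7 user=alice result=FAIL
2023-10-01T12:00:20Z ip=198.51.100.7 user=alice result=OK
2023-10-01T12:05:00Z ip=192.0.2.9 user=heidi result=OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, succeeded)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"] == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: report} for sources that touched >= min_accounts distinct
    accounts within `window`. Each report lists the accounts that nonetheless
    logged in successfully: those are the ones to force a password reset and
    MFA enrolment on, because their password is evidently in a breach list."""
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e[0],
    )
    per_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        per_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in per_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):          # sliding window over this source
            while evs[end][0] - evs[start][0] > window:
                start += 1
            seen = evs[start:end + 1]
            accounts = {u for _, u, _ in seen}
            if best is None or len(accounts) > best["distinct_accounts"]:
                best = {
                    "distinct_accounts": len(accounts),
                    "attempts": len(seen),
                    "compromised": sorted({u for _, u, ok in seen if ok}),
                }
        if best and best["distinct_accounts"] >= min_accounts:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, report in detect_stuffing(SAMPLE_LOG).items():
        print(ip, report)
```

The single-account retries from 198.51.100.7 are deliberately not flagged: the distinguishing signal is breadth of accounts per source, not raw failure count, and a rule keyed only on failures would page on every forgetful user. In production the same logic runs over a streaming window, and the `compromised` list feeds the forced-reset and MFA-enrolment step the article describes.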
What can other users do to protect their information?
Whether you use 23andMe or not, the action above is the most critical: update any passwords that are more than a few years old and activate multi-factor authentication (MFA) for all email accounts, social media apps, and financial platforms.
Beyond that, CMIT Solutions recommends the following tips to strengthen login credentials, secure important data, and protect digital identities:
• Never share passwords. We’ve covered the need not to reuse passwords—but make sure you don’t share them either. Sharing passwords with your spouse, your children, or your colleagues is also a bad idea—as is writing them down on sticky notes or typing them into spreadsheets. And if you do have to share a password, change it immediately afterward to prevent fraudulent use.
• Create a long, memorable passphrase. When creating a password, remember that longer is stronger. Every additional character you add to your password makes it more difficult for hackers to crack. Instead of adding random numbers and symbols that can be hard to remember, use a passphrase: unrelated words and numbers that are easy for you to remember but harder to guess. The key is to make the passphrase something you can easily remember so you will not be tempted to write it down.
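To make the "longer is stronger" advice concrete, the added example below (not the article's or CMIT Solutions' code) generates a passphrase from a word list with the operating system's cryptographic random source and compares its entropy with that of a short character password. The ten-word list is constructed for the demo; a real Diceware-style list has 7,776 entries, and the entropy function takes the list size as a parameter so it can be evaluated for either.

```python
"""Passphrase generation and entropy comparison.

Added example, not the article's code. WORDLIST is a constructed stand-in
for a real word list; DICEWARE_SIZE (7776) and PRINTABLE_ASCII (94) are the
conventional sizes used for the entropy comparison.
"""
import math
import secrets

WORDLIST = ["anchor", "bramble", "copper", "dune", "ember",
            "falcon", "glacier", "harbor", "iris", "juniper"]   # constructed
DICEWARE_SIZE = 7776       # words in a standard Diceware list
PRINTABLE_ASCII = 94       # printable characters a keyboard password draws from


def generate_passphrase(n_words, wordlist=WORDLIST, sep="-"):
    """Pick n_words uniformly at random with secrets.choice (CSPRNG), never
    random.choice, whose output is predictable from a small seed."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random secret: length symbols drawn from an
    alphabet of alphabet_size. The same formula covers words and characters."""
    return length * math.log2(alphabet_size)


def compare_strength(n_words, n_chars):
    """Entropy of an n-word Diceware passphrase versus an n-character password
    drawn from all printable ASCII, so the two policies can be compared."""
    return {
        "passphrase_bits": round(entropy_bits(n_words, DICEWARE_SIZE), 1),
        "password_bits": round(entropy_bits(n_chars, PRINTABLE_ASCII), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(6))
    print(compare_strength(6, 8))
```

Six words from a 7,776-word list give about 77.5 bits, against about 52.4 bits for eight fully random printable characters; the passphrase is stronger and far easier to remember, which is exactly why the article steers users away from short strings of symbols. The figure assumes the words are chosen by the generator, not by the user, since a hand-picked phrase or a famous quotation is drawn from a much smaller effective alphabet.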
• In addition to MFA, consider using single sign-on (SSO) apps. MFA requires a user to combine something they know (a password) with something they have (a unique code delivered via text or email). The biggest benefit of MFA is that it mitigates the threat that stolen passwords pose to individual users and companies. Once MFA is in place, businesses can add another layer of protection with SSO. This streamlined login process routes every business application through one centralized identity app, which sends each employee a push notification to approve before access is granted. It might sound complicated at first, but the value lies in the way it relieves users from having to remember scores of different passwords for different websites or apps.
• Give your employees cybersecurity awareness training. Strong passwords, MFA, and SSO can’t mitigate every problem. The human beings who work for your company and use your devices are critical to making security best practices stick. Education and awareness programs can promote password hygiene, simulate phishing scenarios, and improve email security. Often, breaches like the one announced by 23andMe lead to follow-on social engineering scams, with hackers leveraging the news to send fraudulent emails or to exploit the confusion among affected users.
As password-related scams grow in scope, size, and severity, your company and your employees must be ready to respond. If you think login hacks or digital threats will never happen to you, think again. At CMIT Solutions, we consider it a matter of when—not if—a breach will occur. We have more than 25 years of experience extending cybersecurity protection to thousands of businesses around North America. We monitor client systems 24/7, identifying, blocking, and resolving problems before they affect day-to-day productivity, efficiency, and security.
What sets us apart from other IT providers is that we take a proactive approach to password security issues, addressing them BEFORE problems occur—not AFTER something bad has already happened. Our IT technicians scan for new password threats every day, adding extra layers of security when needed and deploying threat reduction measures to keep businesses in every industry safe.
If you need help with password protection or are worried about a breach affecting your company, contact CMIT Solutions today. We worry about digital security so you don’t have to, empowering you to focus on what you do best.