23andMe...andAttacker | 7 Million Users Data At Risk

Record Breaking DDoS Attacks, 23andMe Data Breach, and Google Passkeys

Hey there,

Welcome to the first-ever Weekend Byte. I don’t know where this newsletter will go, but my goal remains - to help you learn the pragmatic side of cyber security.

To kick this off, here’s your preview:

  • The largest DDoS attack ever recorded? How Big? Really Big.

  • Who was at fault for the 23andMe “data breach.”

  • Google dropped the mic with a recent move.

-Jason

Record-Breaking DDoS Attacks

Tech giants Google, Amazon AWS, and Cloudflare have spent the last few months beating back a surge of record-breaking Distributed Denial of Service (DDoS) attacks. If you want to learn more about how DDoS attacks occur, check out my video here.

Just how big were they?

Season 10 Finale GIF by Curb Your Enthusiasm

Gif by curbyourenthusiasm on Giphy

Google reported the DDoS attack was 7.5 times larger than last year’s previous record. For context, this attack generated more traffic in just two minutes than all articles viewed on Wikipedia in September.

Even more worrisome is that attackers achieved the record with only 20,000 compromised systems. The feat was possible due to a new vulnerability known as HTTP/2 ‘Rapid Reset’.

Not to worry, though. You barely noticed an issue because the tech giants caught it quickly and put mitigating measures in place while the underlying vulnerability was remediated.

Additional reading:

Hack Overview - 23andMe…andAttacker

On October 3, 2023, a threat actor dropped a note in a popular hacking forum advertising data for 7 million 23andMe users.

Recorded Future - screenshot of an advertisement on BreachForums

On October 6, 2023, 23andMe posted a blog post about the incident, which gave additional details on what happened.

What’s interesting is that 23andMe didn’t experience a security incident. Poor security practices of their users and an opt-in feature had this go from bad to so much worse.

Initial Compromise

Attackers used a credential stuffing attack to access a subset of user accounts. Credential stuffing takes previously compromised credentials and uses those to attempt to log into other websites. It relies on users making the pivotal mistake of reusing passwords across multiple websites.

You can watch a full deep-dive video on credential-stuffing attacks here.

From Bad to Worse

Having an attacker gain access to your account is bad enough. And under normal circumstances, it would only impact a single account. But that’s not where this story ends.

A popular feature of 23andMe is DNA Relatives. This feature allows you to find and connect with genetic relatives who are also 23andMe users.

While this feature is opt-in, you can imagine that many users enable this out of curiosity. Fortunately for the attacker, this provides access to more information from other users.

Impacted Data

The DNA Relatives feature impacted 1 million Ashkenazi Jews and hundreds of thousands of Chinese people. It was a chained issue of users opting into the service to find their relatives. Unfortunately, this allowed the attacker to see information on them as well.

The impacted data included:

  • Profile and account ID numbers

  • Names

  • Gender

  • Birth year

  • Maternal and paternal genetic markers

  • Ancestral heritage results

  • Data on whether or not each user has opted into 23andme’s health data

Remediation

In credential stuffing attacks, the impact is on individual user accounts. For the organization hosting the application, there isn’t a security incident in their systems. This is the equivalent of saying an apartment complex was robbed when in reality, one tenant who lived on the first floor left their window open and was burglarized.

Out of an abundance of caution, 23andMe required all of their users to reset their passwords and encouraged users to implement MFA.

Oh…and Lawsuits

Naturally, at least four class action complaints have already been filed in California citing issues. This questions how responsible SaaS vendors are in credential stuffing attacks, in which poor password practices of specific users are the root security issue.

Could this lead to SaaS companies enforcing stronger password requirements (which won’t completely address credential stuffing) or mandating MFA on accounts (which will address credential stuffing but could be considered cumbersome for users)?

Frivolous lawsuits aside, this could help push SaaS companies to move to a more “secure by default” approach, something you’ll see in the next section with Google’s latest update.

Takeaway

Don’t let any security incident go unwanted for a lesson. Every user needs to take security into their own hands to protect themselves. The two key actions from this security incident are:

  • Use unique passwords for every single online account. Password managers are your best bet here.

  • Enable MFA for any online account that supports it. This will stop credentials-stuffing attacks.

Additional Reading

Google is Helping You Not Get Scroogled

I talk about passkeys at least four times a week. What can I say? I love them. It’s rare to find a solution that makes things easier for you AND makes you more secure. That combination is in passkey’s DNA.

Google took a big step forward, making passkeys the default setting to secure your Google account. Passkeys = passwordless. After enabling the feature, you won’t need to enter a password anymore. Just a quick fingerprint check, and you’re in.

I did an entire video on setting up passkeys for Google and all the considerations you need to take. Check it out here: Google Passkeys Tutorial | Step by Step Guide to Set Up Google Passkeys

Great News Lol GIF by NBC

Gif by nbc on Giphy

Feedback, questions, or topics for future newsletters? Reply to this email directly and let me know.

If you found this valuable, share it with a friend!

If you’re not subscribed, be sure to sign up for weekly cyber security insights.

See you next week!

Reply

or to participate.