Hindsight Analysis 23andMe - missing security mitigations

Why hindsight analysis?

The goal of this hindsight analysis is to help people involved in cybersecurity risk management reflect on their organization’s security posture and hopefully learn from the challenges others have gone through. The intended audience includes board directors, executive management and security practitioners.

While reading 23andMe’s 8-K/A update on their October 1, 2023 cybersecurity incident, I thought it might be helpful to do a quick analysis of the attack and the presumably missing security mitigations, leveraging the MITRE ATT&CK framework.

This analysis is very easy; running the cybersecurity function is very, very hard. I have the utmost respect for security teams and leaders and their incredibly difficult job. Also, nothing in security is really binary nor do we have any insights into the actual controls implemented.

So this exercise is simply an effort to pause and think about how the attack, with clear hindsight, might have been partially or fully mitigated.

Attack Techniques

Per 23andMe’s 8-K, the attack was a “credential stuffing” attack, in which an attacker tries user passwords previously leaked from other hacked websites to gain access to a 23andMe account.

Missing Detections

User Account Authentication

User Account Authentication - Monitor for many failed authentication attempts across various accounts that may result from credential stuffing attempts.
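The detection above hinges on one distinguishing feature: credential stuffing produces failures spread across many different accounts, whereas a classic brute-force attack hammers one account. The following is an added example (not code from the original post or from 23andMe) that applies that rule to a handful of constructed authentication log lines. The log format, IP addresses, account names and thresholds are all assumptions made for the illustration; the sliding-window logic is the general technique.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<timestamp> <source ip> <account> <FAIL|OK>"
# 203.0.113.10 fails against six different accounts, then logs into a seventh.
# 198.51.100.7 fails six times against ONE account (brute force, not stuffing).
# 192.0.2.5 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2023-10-01T02:00:01Z 203.0.113.10 alice@example.test FAIL
2023-10-01T02:00:03Z 203.0.113.10 bob@example.test FAIL
2023-10-01T02:00:05Z 198.51.100.7 carol@example.test FAIL
2023-10-01T02:00:06Z 203.0.113.10 dave@example.test FAIL
2023-10-01T02:00:08Z 192.0.2.5 erin@example.test FAIL
2023-10-01T02:00:09Z 203.0.113.10 erin@example.test FAIL
2023-10-01T02:00:11Z 198.51.100.7 carol@example.test FAIL
2023-10-01T02:00:12Z 203.0.113.10 frank@example.test FAIL
2023-10-01T02:00:14Z 192.0.2.5 erin@example.test OK
2023-10-01T02:00:15Z 203.0.113.10 grace@example.test OK
2023-10-01T02:00:17Z 198.51.100.7 carol@example.test FAIL
2023-10-01T02:00:18Z 203.0.113.10 heidi@example.test FAIL
2023-10-01T02:00:20Z 198.51.100.7 carol@example.test FAIL
2023-10-01T02:00:22Z 198.51.100.7 carol@example.test FAIL
2023-10-01T02:00:24Z 198.51.100.7 carol@example.test FAIL
"""


@dataclass
class AuthEvent:
    ts: datetime
    src_ip: str
    account: str
    success: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one line of the assumed log format."""
    ts, ip, account, result = line.split()
    return AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result == "OK")


def _events(lines):
    return sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_failures=5, min_accounts=5):
    """Per source IP: alert when, inside any sliding window, at least `min_failures`
    failed logins touch at least `min_accounts` DISTINCT accounts. Returns a dict
    keyed by offending IP; successes from that IP after the pattern started are
    listed as suspect logins that a responder should review and reset."""
    by_ip = defaultdict(list)
    for e in _events(lines):
        by_ip[e.src_ip].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e.success]
        start = 0
        for end in range(len(failures)):
            while failures[end].ts - failures[start].ts > window:
                start += 1
            span = failures[start:end + 1]
            if len(span) >= min_failures and len({e.account for e in span}) >= min_accounts:
                alerts[ip] = {
                    "failures": len(failures),
                    "distinct_accounts": len({e.account for e in failures}),
                    "suspect_successful_logins": sorted(
                        {e.account for e in evs if e.success and e.ts >= span[0].ts}),
                }
                break
    return alerts


def max_distinct_failing_accounts(lines, window=timedelta(minutes=10)) -> int:
    """Fleet-wide view, ignoring source IP: the largest number of distinct accounts
    with a failed login inside any window. Compare this against a normal-day
    baseline; stuffing spread across many proxy IPs will not trip the per-IP
    rule but still inflates this number."""
    failures = [e for e in _events(lines) if not e.success]
    best, start = 0, 0
    for end in range(len(failures)):
        while failures[end].ts - failures[start].ts > window:
            start += 1
        best = max(best, len({e.account for e in failures[start:end + 1]}))
    return best


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG.splitlines()))
    print("distinct accounts failing in window:",
          max_distinct_failing_accounts(SAMPLE_LOG.splitlines()))
```

On the constructed log the per-IP rule flags only 203.0.113.10 and points at the one account it subsequently logged into; the single-account brute force from 198.51.100.7 is left for a separate lockout rule, and the fleet-wide counter is the check that still works when an attacker rotates through many source addresses.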

Missing Mitigations

Multi-factor authentication

Multi-factor Authentication - Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

Post incident remediation: On November 6, 2023, 23andMe started requiring all new and existing users to log in to the 23andMe website using two-step verification going forward.

User Account Management

User Account Management - Proactively reset accounts that are known to be part of breached credentials, either immediately or after detecting brute-force attempts.

Post incident remediation: On October 10, 2023, 23andMe required all users to reset their passwords.
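The two mitigations above (multi-factor authentication, and proactively resetting accounts known to be in breached credential sets) can be wired into the login path as policy. The block below is an added example, not code from the original post or from 23andMe, showing one way to do that: accounts found in a breach dump or flagged by a stuffing detector are marked for a forced reset immediately, and at login (the only moment the plaintext password is in hand) the password is checked against a breached-password corpus using a k-anonymity range query of the kind Pwned Passwords popularised, where only the first five hex characters of the SHA-1 hash are sent and the client matches the suffix locally. The user records, breached account list and breached password corpus are all constructed placeholders; the PBKDF2 iteration count and the decision labels are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# --- Constructed placeholder data (no real users, dumps or breach data) -------

# Emails that appeared in a third-party credential dump: reset immediately.
BREACHED_ACCOUNTS = {"alice@example.test", "dave@example.test"}

# Accounts a credential-stuffing / brute-force detector flagged: reset after detection.
STUFFING_TARGETED_ACCOUNTS = {"bob@example.test"}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Breached-password corpus stored as upper-case SHA-1 hashes (the Pwned Passwords layout).
BREACHED_PASSWORD_HASHES = {_sha1_hex(p) for p in ("password123", "qwerty", "letmein", "Summer2023!")}


def breached_suffixes_for_prefix(prefix: str) -> set:
    """k-anonymity range query: the caller reveals only the 5-char hash prefix and
    receives every suffix in the corpus sharing it, so the service never learns
    which password was checked."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in BREACHED_PASSWORD_HASHES if h.startswith(prefix)}


def password_is_breached(password: str) -> bool:
    digest = _sha1_hex(password)
    return digest[5:] in breached_suffixes_for_prefix(digest[:5])


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    mfa_enrolled: bool = False
    must_reset: bool = False


def _kdf(password: str, salt: bytes) -> bytes:
    # Iteration count is an assumption for the example; tune to your hardware budget.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(email: str, password: str, mfa_enrolled: bool = False) -> User:
    salt = os.urandom(16)
    return User(email, salt, _kdf(password, salt), mfa_enrolled)


def proactive_reset(users: dict, breached_accounts: set, targeted_accounts: set) -> set:
    """The page's User Account Management mitigation: flag every account known
    to be in a breach, plus every account a detector flagged, and return them."""
    reset = set()
    for u in users.values():
        if u.email in breached_accounts or u.email in targeted_accounts:
            u.must_reset = True
            reset.add(u.email)
    return reset


def evaluate_login(users: dict, email: str, password: str) -> str:
    """Returns one of: 'deny', 'force_reset', 'enroll_mfa', 'allow'."""
    u = users.get(email)
    if u is None or not hmac.compare_digest(_kdf(password, u.salt), u.pw_hash):
        return "deny"
    # Plaintext is only available here, so this is where the corpus check runs.
    if u.must_reset or password_is_breached(password):
        u.must_reset = True
        return "force_reset"
    if not u.mfa_enrolled:
        return "enroll_mfa"      # the MFA mitigation: no MFA, no session
    return "allow"


def build_demo_users() -> dict:
    """Constructed users; the passwords are illustrative only."""
    return {u.email: u for u in (
        make_user("alice@example.test", "Tr0ub4dor&3", mfa_enrolled=True),
        make_user("bob@example.test", "correct-horse-battery", mfa_enrolled=True),
        make_user("carol@example.test", "password123", mfa_enrolled=True),
        make_user("erin@example.test", "a-unique-long-passphrase"),
        make_user("frank@example.test", "another-unique-passphrase", mfa_enrolled=True),
    )}


if __name__ == "__main__":
    users = build_demo_users()
    print("reset:", sorted(proactive_reset(users, BREACHED_ACCOUNTS, STUFFING_TARGETED_ACCOUNTS)))
    for email, pw in (("alice@example.test", "Tr0ub4dor&3"), ("carol@example.test", "password123"),
                      ("erin@example.test", "a-unique-long-passphrase"),
                      ("frank@example.test", "another-unique-passphrase")):
        print(email, "->", evaluate_login(users, email, pw))
```

Note the ordering in `evaluate_login`: the breached-corpus check happens only after the password verifies, so an attacker probing the login form learns nothing extra from the reset branch, and a correct-but-compromised password still yields a forced reset rather than a session.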

8K/A Summary

23andMe provided additional details on their Oct 1, 2023 cybersecurity incident. Approximately 14,000 user accounts were directly impacted; however, I expect that number will rise, as the attacker “also accessed a significant number of files containing profile information about other users’ ancestry” through their DNA Relatives feature.

23andMe believes that the threat actor activity is contained and the investigation into these matters is complete; however, they may uncover new data that changes that in the future.

Costs are in the $1mm-$2mm range of one-time expenses during the quarter ending December 31, 2023, and “the company believes that such expenses and the direct or indirect business impacts of the incident could negatively affect its financial results.” They have not determined whether the impacts will be material for the fiscal year ending March 31, 2024; however, multiple class action claims have been filed against 23andMe in federal and state court in California and state court in Illinois, as well as in British Columbia and Ontario, Canada, which the Company is defending. They are also assessing their response to notices filed by consumers under the California Consumer Privacy Act and to inquiries from various governmental officials and agencies.

8-K/A Notes

Page last updated on December 6, 2023