23andMe Data Leak

Target Audience

Undergraduate
Graduate

Keywords

data breach
data scraping
genetic data privacy
credential stuffing

Introduction

Overview

In October 2023, 23andMe, a leading genetic testing company, suffered a data breach affecting approximately 6.9 million users. The breach involved credential stuffing attacks that compromised personal and genetic data. The company implemented mandatory two-factor authentication following the attack, but legal action was taken due to concerns over data security and privacy practices.

Vulnerability Details

Hackers used credential stuffing to gain unauthorized access to 23andMe accounts, exposing user display names, sex, birth year, geographic location, and ethnicity estimates. The stolen data was initially leaked on BreachForums. Following the breach, a lawsuit was filed against the company for negligence and invasion of privacy. To enhance security, 23andMe mandated two-factor authentication for all users starting in December 2023. The breach underscored the importance of unique passwords and proactive cybersecurity measures.

Learning Objectives

Understand the impact of the 23andMe data breach on user privacy
Analyze the attack methods used and security vulnerabilities exploited
Evaluate key lessons learned regarding account security and data protection

Download

Includes a PDF case study adapted from a real-world cyber breach
Guided questions for student engagement
Instructor materials including context and background
All content packaged in a downloadable ZIP file

Remote Terminal

Terminal Description

Answer the following questions to assess your understanding of the 23andMe data breach.

Read the case study details carefully.
Select the most appropriate answer for each multiple-choice question.
Review key lessons from the breach and understand best security practices.

Relevant articles and reports on the 23andMe data breach.

Module Questions

What is the primary service provided by 23andMe?Web hosting servicesGenetic testing and ancestry reportsCloud storage solutionsOnline retail marketplace

Approximately how many users were affected by the 23andMe data leak reported in October 2023?1 million2.5 million6.9 million14 million

What type of personal information was compromised in the 23andMe data breach?Social Security numbers and bank accountsDisplay names, sex, birth year, geographic location, and ethnicity estimatesCredit card information and passwordsDriver's license and passport details

Which forum was used to initially leak the compromised data from 23andMe?RedditBreachForumsHackerNewsDarkWebMarket

What legal action was taken in response to the 23andMe data breach in October 2023?The company was fined by the FTCA data breach lawsuit was filed for negligence and invasion of privacyThe company declared bankruptcyThe company was sold to a competitor

What security measure did 23andMe require starting in December 2023 to improve account security?Biometric authenticationPassword resets every monthTwo-factor authenticationIP address restrictions

Which attack method was used to compromise user accounts in the 23andMe hack?SQL injectionPhishing emailsCredential stuffingDDoS attack

Who was attributed as the attacker in the 23andMe data breach?Anonymous groupGolemShadowHawkNightCrawler

What lesson was emphasized regarding user account security after the 23andMe hack?Always enable dark mode on websitesUse the same password for simplicityAvoid reusing the same username/password across websitesNever use two-factor authentication

What is a potential risk of opting into additional features on platforms like 23andMe, as highlighted in the presentation?Increased service costsSharing additional personal data even if the account is secureSlower service response timesReduced customer support availability