23andMe Data Leak

Overview

In October 2023, 23andMe, a leading genetic testing company, suffered a data breach affecting approximately 6.9 million users. The breach involved credential stuffing attacks that compromised personal and genetic data. The company implemented mandatory two-factor authentication following the attack, but legal action was taken due to concerns over data security and privacy practices.

Vulnerability Details

Hackers used credential stuffing to gain unauthorized access to 23andMe accounts, exposing user display names, sex, birth year, geographic location, and ethnicity estimates. The stolen data was initially leaked on BreachForums. Following the breach, a lawsuit was filed against the company for negligence and invasion of privacy. To enhance security, 23andMe mandated two-factor authentication for all users starting in December 2023. The breach underscored the importance of unique passwords and proactive cybersecurity measures.

Lab Terminal

In this terminal activity, we'll investigate how weak authentication practices and poor web configuration can expose sensitive user data, just as they did in the 2023 23andMe credential-stuffing breach. By interacting with a simulated web server, you will check its response headers, identify outdated backend software, test weak or reused login credentials, and scan for exposed endpoints. These hands-on steps mirror the attack path used in the 23andMe incident, where attackers logged into accounts using credentials previously leaked from unrelated breaches. Through this activity, you will see how vulnerable servers, reused passwords, and missing security controls create openings for large-scale data exposure, underscoring the importance of strong password hygiene and modern authentication protections like two-factor authentication.

Instructions:

  • Use the help command to see all available commands.
  • Verify the web server is running by sending a HEAD request to http://192.168.1.58:8080.
  • Identify server information by searching the webpage content for the term 'server': curl -i http://192.168.1.58:8080 | grep -i 'server'
  • Attempt a login using a weak credential pair to simulate credential stuffing:
    • curl -X POST -d 'username=admin&password=123456' http://192.168.1.58:8080/login
    • curl -X POST -d 'username=john.doe&password=spring2020' http://192.168.1.58:8080/login
  • View the response headers to determine whether backend technologies are exposed: curl -I http://192.168.1.58:8080 | grep -E 'Server|X-Powered-By'
  • Scan the server for exposed directories using a wordlist: gobuster dir -u http://192.168.1.58:8080 -w /usr/share/wordlists/dirb/common.txt
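The lab steps above walk through the attacker's side of a credential-stuffing attempt. As an added example that is not part of the original lab and not 23andMe's own tooling, here is the defender's side: a small Python detector that reads authentication-log lines (in a constructed key=value format assumed here) and separates credential stuffing, which tries each leaked username/password pair once across many accounts, from a brute-force attack that hammers a single account. The log lines, IP addresses and account names are constructed samples.

```python
import re
from collections import defaultdict

# Constructed auth-log lines in an assumed "key=value" application format
# (not real 23andMe data): 203.0.113.9 mistypes once, 198.51.100.4 tries a
# different account on every request (stuffing), 192.0.2.77 hammers one account.
SAMPLE_LOG = """\
2023-10-02T10:00:01Z ip=203.0.113.9 user=alice result=FAIL
2023-10-02T10:00:05Z ip=203.0.113.9 user=alice result=OK
2023-10-02T10:01:00Z ip=198.51.100.4 user=alice result=FAIL
2023-10-02T10:01:01Z ip=198.51.100.4 user=bob result=FAIL
2023-10-02T10:01:02Z ip=198.51.100.4 user=carol result=OK
2023-10-02T10:01:03Z ip=198.51.100.4 user=dave result=FAIL
2023-10-02T10:02:00Z ip=192.0.2.77 user=admin result=FAIL
2023-10-02T10:02:01Z ip=192.0.2.77 user=admin result=FAIL
2023-10-02T10:02:02Z ip=192.0.2.77 user=admin result=FAIL
2023-10-02T10:02:03Z ip=192.0.2.77 user=admin result=FAIL
"""

LINE_RE = re.compile(r"^\S+ ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Yield (ip, user, success) for each well-formed line; others are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3) == "OK"

def classify_sources(log_text, min_attempts=4, spray_ratio=0.8):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'benign'.
    Stuffing tries each leaked pair once, so distinct users / attempts is
    high; brute force repeats attempts against one or a few accounts."""
    attempts, users = defaultdict(int), defaultdict(set)
    for ip, user, _ in parse(log_text):
        attempts[ip] += 1
        users[ip].add(user)
    verdicts = {}
    for ip, n in attempts.items():
        if n < min_attempts:
            verdicts[ip] = "benign"
        elif len(users[ip]) / n >= spray_ratio:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "brute_force"
    return verdicts

def accounts_to_reset(log_text, verdicts):
    """Accounts with a successful login from a flagged source: force a password reset and 2FA enrolment."""
    flagged = {ip for ip, v in verdicts.items() if v != "benign"}
    return sorted({u for ip, u, ok in parse(log_text) if ok and ip in flagged})
```

Per-IP thresholds are only a first signal: stuffing spread across many proxy addresses stays below `min_attempts` for every source, so the same distinct-users-to-attempts ratio should also be computed per network block and site-wide per time window.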

Resources

Relevant articles and reports on the 23andMe data breach.

Review Questions

What is the primary service provided by 23andMe?
Approximately how many users were affected by the 23andMe data leak reported in October 2023?
What type of personal information was compromised in the 23andMe data breach?
Which forum was used to initially leak the compromised data from 23andMe?
What legal action was taken in response to the 23andMe data breach in October 2023?
What security measure did 23andMe require starting in December 2023 to improve account security?
Which attack method was used to compromise user accounts in the 23andMe hack?
To whom was the 23andMe data breach attributed?
What lesson was emphasized regarding user account security after the 23andMe hack?
What is a potential risk of opting into additional features on platforms like 23andMe, as highlighted in the presentation?