CREDENTIAL STUFFING ATTACKS - Hacker leaks millions of genetic data profiles
A hacker has leaked an additional 4.1 million stolen 23andMe genetic data profiles for people in Great Britain and Germany on a hacking forum. Earlier this month, a threat actor leaked the stolen data of 1 million Ashkenazi Jews who used 23andMe services to find their ancestry info and genetic predispositions.
23andMe told BleepingComputer that this data was obtained through credential stuffing attacks on accounts using weak passwords or credentials exposed in other data breaches. However, the company says there is no evidence of a security incident on their IT systems.
The company says that only a limited number of accounts were breached, but those accounts had opted into the 'DNA Relatives' feature, allowing the threat actor to scrape millions of individuals' data.
Olabanji Soledayo, the ESET Nigeria and Ghana cybersecurity evangelist, commented: “Users' account IDs, full names, sex, date of birth, DNA profiles, location, and region details. The amount of sensitive data stolen is exactly the type of information cybercriminals are after, and users can expect this data will be sold on the dark web. Unfortunately, DNA cannot be replaced the way social media accounts or passwords can. And there is little customers can do about the very sensitive data, which is now stolen.
Once again this shows that the old-fashioned basic passwords once did a good job of fending off the most basic of attacks. However, this security of yesteryear clearly doesn’t stand up to the types of attacks we see today. Multi-factor authentication or even better - token or key-based authentication - are the measures to look for. A robust endpoint and detection response solution is required, and password saving should be disabled in web browsers.
However, this incident shows that weakly secured accounts put at risk even those who thought of protecting their sensitive data and used 2FA and strong passwords.
Therefore, it’s also up to the companies handling sensitive medical data to implement adequate security measures that would help prevent attackers from accessing large bodies of data, and monitor their network for abnormalities to stop the intrusion at an earlier stage.”