With the news of the 23andMe breach, impacting close to half of its 14 million users, the issue of data security has earned another trip to the limelight.

This breach serves to remind us of the importance of fundamental security best practices, and the necessity for companies to regulate and enforce them.

How It Happened

People are the most valuable asset in any company. Without your users, clients, staff and everyone else involved, there is no company. But people are also any company’s biggest risk. This breach occurred through the exploitation of weak and reused passwords.

The attackers used password reuse and credential stuffing techniques to gain unauthorized access and retrieve personal data from the accounts they got into. It’s like someone finding an old key to your house and then taking your most private and valuable things.

  • Old Passwords: The attackers used old passwords to get into users’ accounts. People often use the same password for many things, and if one gets stolen or leaked somewhere else, attackers can try it on other sites, like 23andMe.
  • Brute-Force Method: Imagine trying every key on a big keyring to open a lock. The hackers may have used automated tools to try many passwords very quickly to find the right one. A brute force attack uses a set range of possible character combinations and will try them sequentially (A, AA, AAA, AAAA…). A dictionary attack uses lists of predefined password combinations, typically deriving from common and breached password lists.
  • Accessing Accounts: Once they got in using these old, weak or reused passwords, they had the run of the account. With this, they were able to reach sensitive personal data – information such as ancestry, health risks and other personal details.

How can we make sure it doesn’t happen?

I have little interest in casting blame: some parties will say it is the user’s fault for poor password choices, and others will say it’s the platform’s fault for not providing better protections.

Security is everyone’s responsibility; we all have our part to play in ensuring the safety of our accounts and data.

Platform

The platform needs to ensure that best practices are being enforced, guiding users to make the best decisions possible and preventing them from poor ones.

It also has a responsibility to implement technical controls that detect and prevent attacks of this nature. So what can we implement from a platform perspective?

  • Rate Limits – Rate limits cap the number and frequency of requests. Given that it takes a typical user 5-10 seconds to log in, the API shouldn’t tolerate 10 password attempts a second from a single origin, as this is faster than any human user could log in.
  • Password Policy – A password policy mandates the standard all users’ passwords must adhere to. This includes complexity (capital letters, numbers and special characters), minimum password length, and reuse and rotation requirements (how often the password should be changed).
  • Anomaly Detection – If a user typically logs in from the UK, it should be questioned why they are now logging in from China. Maybe the user is on holiday, but then again, maybe not. Extra verification steps should be implemented when abnormal behaviour is detected on your platform, allowing the user to confirm the legitimacy of an atypical request. There are also scenarios where we should block behaviour by default: for example, if you see a request at 4 PM in the UK and another at 5 PM in China, it is likely malicious, because nobody travels that far in an hour.
  • Multi-Factor Authentication – Platforms should encourage all users to enable multi-factor authentication; this offers users an additional layer of protection even if their password is compromised. More and more, companies are mandating MFA as a hard requirement and shifting away from single-factor authentication models, with some opting to scrap passwords altogether – https://totalsecurityadvisor.blr.com/cybersecurity/apple-google-and-microsoft-partner-to-scrap-passwords/

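
As an added example (not 23andMe’s code, nor anything from this article), the following Python runs three of the platform controls listed above over a handful of constructed login events: the per-origin rate limit, a credential-stuffing indicator (one origin trying many distinct accounts) and the impossible-travel check for the 4 PM UK / 5 PM China case. The event format, the usernames, the IP addresses (documentation ranges), the 10-attempts-per-second threshold taken from the article, the five-account threshold and the six-hour minimum gap between countries are all assumptions made for illustration.

```python
"""Platform-side login telemetry checks: rate limiting, credential-stuffing
detection and impossible travel. Added example; all events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login events: (timestamp, username, source_ip, country, success).
# 198.51.100.x and 203.0.113.x are documentation ranges, not real addresses.
SAMPLE_EVENTS = [
    (datetime(2023, 10, 6, 16, 0, 0), "alice", "198.51.100.4", "GB", True),   # UK, 4 PM
    (datetime(2023, 10, 6, 16, 5, 0), "bob", "198.51.100.9", "GB", True),
    (datetime(2023, 10, 6, 16, 30, 0), "bob", "198.51.100.9", "GB", True),
    (datetime(2023, 10, 6, 17, 0, 0), "alice", "203.0.113.7", "CN", True),    # China, 5 PM
]
# Twelve failed attempts in under a second from one origin, each against a
# different account: the credential-stuffing pattern rate limits exist to stop.
SAMPLE_EVENTS += [
    (datetime(2023, 10, 6, 17, 1, 0) + timedelta(milliseconds=80 * i),
     f"user{i}", "203.0.113.7", "CN", False)
    for i in range(12)
]


def rate_limit_violators(events, max_attempts=10, window=timedelta(seconds=1)):
    """Source IPs that exceed max_attempts inside any sliding window.

    The 10-per-second figure follows the article; a real deployment tunes it
    per endpoint and also keys on the target account, not only the origin.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, _user, ip, _country, _ok in sorted(events, key=lambda e: e[0]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) > max_attempts:
            flagged.add(ip)
    return flagged


def credential_stuffing_origins(events, min_distinct_accounts=5):
    """Origins that tried many distinct accounts: one leaked password list being
    tried against many doors. The threshold of five is an assumption."""
    accounts = defaultdict(set)
    for _ts, user, ip, _country, _ok in events:
        accounts[ip].add(user)
    return {ip for ip, users in accounts.items() if len(users) >= min_distinct_accounts}


# Assumption: no legitimate user reaches a different country in under six hours.
MIN_GAP_BETWEEN_COUNTRIES = timedelta(hours=6)


def impossible_travel(events, min_gap=MIN_GAP_BETWEEN_COUNTRIES):
    """(user, previous_country, new_country, seconds_apart) for each successful
    login whose country changed faster than travel allows, i.e. the article's
    4 PM UK / 5 PM China case. Only successes count: a failed foreign attempt is
    a rate-limit matter, not evidence that the user moved."""
    last_seen = {}
    findings = []
    for ts, user, _ip, country, ok in sorted(events, key=lambda e: e[0]):
        if not ok:
            continue
        if user in last_seen:
            prev_ts, prev_country = last_seen[user]
            if prev_country != country and ts - prev_ts < min_gap:
                findings.append((user, prev_country, country, (ts - prev_ts).total_seconds()))
        last_seen[user] = (ts, country)
    return findings


if __name__ == "__main__":
    print("rate-limit violators:", rate_limit_violators(SAMPLE_EVENTS))
    print("credential-stuffing origins:", credential_stuffing_origins(SAMPLE_EVENTS))
    for user, src, dst, secs in impossible_travel(SAMPLE_EVENTS):
        print(f"impossible travel: {user} {src}->{dst} in {secs / 3600:.1f} h; step up verification")
```

On the sample data the stuffing origin trips both the rate limit and the distinct-accounts check, while the successful China login for the same user who was in the UK an hour earlier is the event that should trigger the extra verification step described above rather than a silent allow.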
User

We as users can’t rely solely on the security controls enforced by the platform; we need to ensure we are securing our accounts as best we can and leveraging the security features that platforms offer.

Weak passwords, password reuse and failure to use the MFA options available are still the leading causes of account compromise.

  • Password Manager – Many users struggle with remembering and recording passwords, so to avoid having to keep track they use the same password for many different services. A password manager takes a lot of the legwork out of this process, allowing users to generate passwords on the fly, save them to the password store and auto-fill the account details when logging in. Any password you can remember is likely a weak password, even if it’s a weak password accompanied by some strengthening attributes (e.g. Bumblebee83$); let your password manager handle the record keeping.
  • Multi-Factor Authentication – As previously mentioned, many platforms are mandating the use of MFA, but there are still plenty of services that aren’t. Most platforms support the use of MFA, but you need to go digging about in the user settings to find it; we must leverage the security options available even if the site doesn’t force you to use them. If a site doesn’t support MFA/2FA options, you should think twice before using it.
  • Breach Detection – HaveIBeenPwned allows users to check their emails and passwords against a database of known compromised account details. 1Password integrates this service as part of the tool, checking stored passwords for compromise and notifying you whenever saved passwords turn up in a breach.
  • Complex Passwords – There are hundreds of articles out there about what makes a strong password, but it’s important to note that no password is strong enough alone. Breaches happen all the time, which is why it is so important that we use unique passwords for each service. Passwords can also be phished and captured by various other means, which is why no matter how complex the password, MFA is essential for creating a layered defence.
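
The HaveIBeenPwned password check mentioned above works by k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the Pwned Passwords range endpoint, and matches the returned hash suffixes locally, so the password itself never leaves the device. The Python below is an added example, not HaveIBeenPwned’s or 1Password’s code. The breached-password corpus and its counts are constructed so the block runs offline; `real_fetch_range` shows the live request shape but is not called here.

```python
"""Check a password against a breach corpus the way the Pwned Passwords range
API does (k-anonymity). Added example; the corpus below is constructed."""
import hashlib
import urllib.request
from collections import defaultdict


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that
    is sent over the network and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appears in the corpus, or 0 if unseen.
    fetch_range(prefix) must return the response text for that 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def real_fetch_range(prefix):
    """Live request to the Pwned Passwords range endpoint. Not called in this
    example; shown only so the request shape is visible."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed corpus: weak passwords with made-up breach counts, used to build
# an offline stand-in for the endpoint. These counts are not HaveIBeenPwned's.
CONSTRUCTED_CORPUS = {"password": 9545824, "123456": 37304960, "letmein": 236000}


def make_offline_range_fetcher(corpus):
    """Group the corpus by SHA-1 prefix and answer like the real endpoint would."""
    by_prefix = defaultdict(list)
    for pw, count in corpus.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        by_prefix[prefix].append(f"{suffix}:{count}")

    def fetch(prefix):
        return "\r\n".join(by_prefix.get(prefix.upper(), []))

    return fetch


if __name__ == "__main__":
    fetch = make_offline_range_fetcher(CONSTRUCTED_CORPUS)
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, fetch)
        verdict = f"seen {n} times, do not use" if n else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
```

A password manager that integrates this check runs the same logic against every stored entry, which is how it can warn you after a breach elsewhere even though the service you used has not told you anything yet.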

Let’s not let the 23andMe breach be just another statistic in the growing list of data breaches. Let it be a clarion call for immediate and concerted action by companies and users alike to take better care of their digital hygiene, so that we are all doing our part to secure our accounts and our systems.