23andMe has said that attackers used a technique known as credential stuffing to compromise the 14,000 user accounts, finding instances where login credentials leaked from other services had been reused on 23andMe. In the wake of the incident, the company forced all of its users to reset their passwords and began requiring two-factor authentication for all customers. In the weeks since 23andMe first disclosed the breach, other similar services, including Ancestry and MyHeritage, have also begun promoting or requiring two-factor authentication for their accounts.
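As an added illustration of the technique described above (this is example code written for this page, not anything from WIRED's reporting, 23andMe, or any real system), the following script shows how a defender can tell a credential-stuffing run apart from ordinary logins in authentication logs. The log format (`ip=… user=… result=…`), the sample lines, and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log. The "ip=... user=... result=..."
# format is an assumption for this example, not 23andMe's (or anyone's)
# real log format. 203.0.113.10 plays the credential-stuffing source,
# 198.51.100.7 a legitimate user who mistypes a password, and 192.0.2.99
# a plain brute-force attempt against a single account.
SAMPLE_LOG = """\
2023-12-05T10:00:01Z ip=203.0.113.10 user=alice@example.com result=FAIL
2023-12-05T10:00:02Z ip=203.0.113.10 user=bob@example.com result=FAIL
2023-12-05T10:00:03Z ip=203.0.113.10 user=carol@example.com result=OK
2023-12-05T10:00:04Z ip=203.0.113.10 user=dan@example.com result=FAIL
2023-12-05T10:00:05Z ip=203.0.113.10 user=erin@example.com result=FAIL
2023-12-05T10:00:06Z ip=203.0.113.10 user=frank@example.com result=FAIL
2023-12-05T10:00:07Z ip=203.0.113.10 user=grace@example.com result=FAIL
2023-12-05T10:00:08Z ip=203.0.113.10 user=heidi@example.com result=FAIL
2023-12-05T10:01:00Z ip=198.51.100.7 user=ivan@example.com result=FAIL
2023-12-05T10:01:10Z ip=198.51.100.7 user=ivan@example.com result=FAIL
2023-12-05T10:01:20Z ip=198.51.100.7 user=ivan@example.com result=OK
2023-12-05T10:02:00Z ip=192.0.2.99 user=judy@example.com result=FAIL
2023-12-05T10:02:01Z ip=192.0.2.99 user=judy@example.com result=FAIL
2023-12-05T10:02:02Z ip=192.0.2.99 user=judy@example.com result=FAIL
2023-12-05T10:02:03Z ip=192.0.2.99 user=judy@example.com result=FAIL
2023-12-05T10:02:04Z ip=192.0.2.99 user=judy@example.com result=FAIL
2023-12-05T10:02:05Z ip=192.0.2.99 user=judy@example.com result=FAIL
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Login activity seen from one source IP."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that logged in OK


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def collect(lines):
    """Aggregate per-source statistics over an iterable of log lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def flag_stuffing(stats, min_distinct_users=5, min_failure_ratio=0.8,
                  min_users_per_attempt=0.5):
    """Return {source_ip: [accounts that authenticated OK from it]} for
    sources whose pattern matches credential stuffing.

    Stuffing replays one leaked username/password pair per account, so a
    source shows many distinct usernames, roughly one attempt each, and a
    high failure rate with a few successes. Password brute force against
    one account (one username, many attempts) does not match, and neither
    does a real user who mistypes a password a couple of times.
    """
    flagged = {}
    for ip, s in stats.items():
        if s.attempts == 0:
            continue
        failure_ratio = s.failures / s.attempts
        users_per_attempt = len(s.users) / s.attempts
        if (len(s.users) >= min_distinct_users
                and failure_ratio >= min_failure_ratio
                and users_per_attempt >= min_users_per_attempt):
            flagged[ip] = sorted(s.successes)
    return flagged


def analyze(log_text):
    """Convenience wrapper: raw log text -> flagged sources."""
    return flag_stuffing(collect(log_text.splitlines()))


if __name__ == "__main__":
    for ip, hit_accounts in analyze(SAMPLE_LOG).items():
        print(f"credential stuffing from {ip}; accounts to force-reset: {hit_accounts}")
```

The distinguishing signal is the ratio of distinct usernames to attempts: close to 1 for stuffing, close to 0 for brute force, and a single account with a handful of attempts for a genuine user. Accounts that authenticated successfully from a flagged source are the ones to force-reset, which is the response 23andMe eventually applied to all users. In practice attackers spread the run across many proxy IPs, so the same aggregation is usually done per network, client fingerprint, or time window rather than per single address, and mandatory two-factor authentication removes most of the value of a stuffed password in the first place.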
In October and again this week, though, WIRED pressed 23andMe on its finding that the account compromises were solely the result of credential stuffing. The company has repeatedly declined to comment, but multiple users have said they were confident that their 23andMe usernames and passwords were unique and could not have been exposed elsewhere in another leak.
In at least one case, though, 23andMe eventually offered the user an explanation. On Tuesday, Rob Joyce, director of cybersecurity at the US National Security Agency, wrote on his personal social media account that the account he had registered with 23andMe using a unique email address could not have been credential-stuffed. Joyce wrote that he creates a unique email address for each company he opens an account with. “This account is not used ANYWHERE else and it has been stuffed to no avail,” he wrote, adding, “Personal opinion: @23andMe hack was EVEN worse than they believe with the new announcement.”
Hours after Joyce raised these concerns publicly (and WIRED asked 23andMe about his case), Joyce said the company contacted him to explain what had happened to his account. Although Joyce used a unique email address for his 23andMe account, the company partnered with MyHeritage in 2014 and 2015 to improve the “family tree” functionality of its DNA Relatives feature, which Joyce said he later used. Then, in 2018, MyHeritage suffered a separate data breach that apparently exposed Joyce’s unique 23andMe email address. He added that because he used strong, unique passwords on both his MyHeritage and 23andMe accounts, neither was ever successfully compromised by attackers.
The anecdote underscores the significance of sharing user data between companies, and of software features that promote social sharing, when the information in question is deeply personal and directly tied to identity. It may be that the larger number of affected users was not included in the SEC filing because 23andMe (like many companies that have suffered security breaches) does not want to count scraped data as breached data. But these boundaries ultimately make it difficult for users to understand the scope and impact of security incidents.
“I strongly believe that cyberinsecurity is fundamentally a political problem,” said Brett Callow, a threat analyst at the security firm Emsisoft. “We need standardized and consistent disclosure and reporting laws, prescribed language for these disclosures and reports, and regulation and licensing of negotiators. Far too much happens in secret or is obscured by weasel words. It is counterproductive and only helps cybercriminals.”
Meanwhile, 23andMe user Kendra Fee flagged on Tuesday that 23andMe is notifying customers about changes to its terms of service related to dispute resolution and arbitration. The company says the changes will “promote rapid resolution of any disputes” and “streamline arbitration procedures when multiple similar claims are filed.” Users can opt out of the new terms by notifying the company that they decline within 30 days of receiving notice of the change.
Updated December 5, 2023 at 10:35 p.m. ET to include new information about NSA cybersecurity director Rob Joyce’s 23andMe account and the broader implications of his experience.