Why hindsight analysis?
The goal of this hindsight analysis is to help people involved in cybersecurity risk management reflect on their organization’s security posture and, hopefully, learn from the challenges others have gone through. The intended audience includes board directors, executive management and security practitioners.
While reading 23andMe’s 8-K/A, updated on their October 1, 2023 cybersecurity incident, I thought it might be helpful to do a quick analysis of the attack and presumed missing security mitigations leveraging the MITRE ATT&CK framework.
This analysis is very easy; running the cybersecurity function is very, very hard. I have the utmost respect for security teams and leaders and their incredibly difficult job. Also, nothing in security is really binary nor do we have any insights into the actual controls implemented.
So this exercise is simply an effort to pause and think about how the attack, with clear hindsight, might have been partially or fully mitigated.
Attack Techniques
Per 23andMe’s 8-K, the attack was a “credential stuffing” attack, in which an attacker tries previously leaked user passwords from other hacked websites to gain access to 23andMe accounts.
Missing Detections
User Account Authentication
User Account Authentication - Monitor for many failed authentication attempts across various accounts that may result from credential stuffing attempts.
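As an added illustration of this detection (example code, not from 23andMe or MITRE), the following Python scans constructed web-authentication log lines for the credential-stuffing signature: one source touching many distinct accounts with only a guess or two per account, a shape that stays below typical per-account lockout thresholds. The log format, field names and thresholds are assumptions made for the example.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumed log format (constructed, one event per line):
    <ISO-8601 UTC timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one source IP tries ten accounts once each and then
# logs into one of them; a legitimate user mistypes a password three times;
# an unrelated successful login from a third address.
SAMPLE_LOG = """\
2023-10-01T02:00:01Z 203.0.113.7 alice LOGIN_FAIL
2023-10-01T02:00:02Z 203.0.113.7 bob LOGIN_FAIL
2023-10-01T02:00:03Z 203.0.113.7 carol LOGIN_FAIL
2023-10-01T02:00:04Z 203.0.113.7 dave LOGIN_FAIL
2023-10-01T02:00:05Z 203.0.113.7 erin LOGIN_FAIL
2023-10-01T02:00:06Z 203.0.113.7 frank LOGIN_FAIL
2023-10-01T02:00:07Z 203.0.113.7 grace LOGIN_FAIL
2023-10-01T02:00:08Z 203.0.113.7 heidi LOGIN_FAIL
2023-10-01T02:00:09Z 203.0.113.7 ivan LOGIN_FAIL
2023-10-01T02:00:10Z 203.0.113.7 judy LOGIN_FAIL
2023-10-01T02:00:11Z 203.0.113.7 carol LOGIN_OK
2023-10-01T09:14:00Z 198.51.100.2 dave LOGIN_FAIL
2023-10-01T09:14:20Z 198.51.100.2 dave LOGIN_FAIL
2023-10-01T09:14:45Z 198.51.100.2 dave LOGIN_FAIL
2023-10-01T09:15:10Z 198.51.100.2 dave LOGIN_OK
2023-10-01T10:00:00Z 192.0.2.9 erin LOGIN_OK
"""


@dataclass
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    ts, ip, user, result = line.split()
    return AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "LOGIN_OK")


def _window_matches(window, min_accounts, max_per_account):
    fails = defaultdict(int)
    for e in window:
        if not e.ok:
            fails[e.user] += 1
    if len(fails) < min_accounts:
        return False
    # Many distinct accounts failing, each only a few times: the low-and-slow
    # shape that a per-account lockout policy does not catch on its own.
    return max(fails.values()) <= max_per_account


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_accounts=8, max_per_account=3):
    """Return one finding per source IP whose activity matches the pattern."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        span_start = span_end = None
        start = 0
        for end in range(len(evs)):  # sliding time window over this source's events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if _window_matches(evs[start:end + 1], min_accounts, max_per_account):
                if span_start is None:
                    span_start = start
                span_end = end
        if span_start is None:
            continue
        span = evs[span_start:span_end + 1]
        findings.append({
            "src_ip": ip,
            "window_start": span[0].ts.isoformat(),
            "window_end": span[-1].ts.isoformat(),
            "distinct_failed_accounts": len({e.user for e in span if not e.ok}),
            # Successful logins from a spraying source are probable takeovers:
            # candidates for forced reset, session revocation and notification.
            "successful_logins": sorted({e.user for e in span if e.ok}),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(finding)
```

Keying on distinct accounts per source rather than failures per account is what separates this from an ordinary brute-force alert: the legitimate user who fails three times on one account is not flagged, while the source that fails once across ten accounts is, and the successful login inside that span is the account that needs attention first.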
Missing Mitigations
Multi-factor authentication
Multi-factor Authentication - Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
Post incident remediation: On November 6, 2023, 23andMe started requiring all new and existing users to log in to the 23andMe website using two-step verification going forward.
User Account Management
User Account Management - Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.
Post incident remediation: On October 10, 2023, 23andMe required all users to reset their passwords.
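One way to act on this mitigation, shown here as an added example rather than code from 23andMe or MITRE: screen the site's own user store against a breached-credential list. The example assumes a salted PBKDF2 password store and constructs both the store and a small breach dump inline; the classification rule (reset on a password match, watch on an email-only match) is my own assumption.

```python
"""Screening accounts against a third-party breach dump (added example)."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption for the example store


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_store(credentials: dict) -> dict:
    """Build a salted PBKDF2 store: email -> (salt, hash). Constructed stand-in
    for a real account database; the plaintexts never leave this function."""
    store = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash_password(password, salt))
    return store


# Constructed site user store (not real accounts).
USER_STORE = make_user_store({
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "Summer2023!",
    "carol@example.com": "hunter2",
})

# Constructed breach dump from an unrelated site: (email, leaked password).
BREACH_DUMP = [
    ("bob@example.com", "Summer2023!"),   # reused here: stuffing would succeed
    ("carol@example.com", "letmein"),     # email leaked, different password
    ("zoe@example.com", "hunter2"),       # not one of our users
]


def screen_accounts(user_store: dict, breach_dump: list):
    """Return (reset_now, watch).

    reset_now: our users whose leaked password verifies against our stored
               hash, i.e. the credential pair an attacker holds works here.
    watch:     our users whose email appears in the dump with a password that
               does not match; a known target, but not an immediate takeover.
    """
    reset_now, watch = set(), set()
    for email, leaked_password in breach_dump:
        record = user_store.get(email)
        if record is None:
            continue  # not our user
        salt, stored_hash = record
        # Verify the leaked password the same way a login would, against the
        # per-user salt, with a constant-time comparison.
        if hmac.compare_digest(_hash_password(leaked_password, salt), stored_hash):
            reset_now.add(email)
        else:
            watch.add(email)
    return sorted(reset_now), sorted(watch - reset_now)


if __name__ == "__main__":
    reset_now, watch = screen_accounts(USER_STORE, BREACH_DUMP)
    print("force reset:", reset_now)
    print("step-up / monitor:", watch)
```

The check reuses the login path's own hash verification, so it works without ever storing plaintexts and without weakening the hash; the cost is one PBKDF2 computation per dump entry that matches one of our users, which is why the dump is filtered to known emails before any hashing is done.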
8K/A Summary
23andMe provided additional details on their October 1, 2023 cybersecurity incident. Approximately 14,000 user accounts were directly impacted; however, I expect that number will rise, as the attacker “also accessed a significant number of files containing profile information about other users’ ancestry” through their DNA Relatives feature.
23andMe believes that the threat actor activity is contained and that the investigation into these matters is complete; however, they may uncover new data that changes that in the future.
Costs are in the $1mm-$2mm range of one-time expenses during the quarter ending December 31, 2023, and “the company believes that such expenses and the direct or indirect business impacts of the incident could negatively affect its financial results.” They have not determined whether the impacts will be material for the fiscal year ending March 31, 2024. However, multiple class action claims have been filed against 23andMe in federal and state court in California and state court in Illinois, as well as in British Columbia and Ontario, Canada, which the Company is defending. They are also assessing their response to notices filed by consumers under the California Consumer Privacy Act and to inquiries from various governmental officials and agencies.
8-K/A Notes
- incident date: October 1, 2023
- incident reported: October 10, 2023
- impacted data
  - user profile information
    - access a very small percentage (0.1%) of user accounts (~14m accounts so ~14,000 users)
    - generally included ancestry information
    - for a subset of those accounts, health-related information based upon the user’s genetics.
  - also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature
- remediation steps
  - immediately commenced an investigation
  - engaged third-party incident response experts
  - October 10, 2023, required all users to reset their passwords
  - November 6, 2023, required all new and existing users to log in to the 23andMe website using two-step verification going forward.
  - providing notification to users impacted by the incident as required by applicable law.
  - working to remove this information from the public domain.
- costs
  - $1mm-$2mm in one-time expenses during its fiscal third quarter ending December 31, 2023
    - technology consulting services
    - legal fees
    - other third-party advisors
- Affects financial results: yes
  - The Company believes that such expenses and the direct or indirect business impacts of the incident could negatively affect its financial results.
- Material - as of 12/1, unknown:
  - Company is not able to predict whether such direct or indirect impacts of the incident could have a material effect on its financial condition and/or results of operations for the fiscal year ending March 31, 2024
  - multiple class action claims have been filed against the Company in federal and state court in California and state court in Illinois, as well as in British Columbia and Ontario, Canada, which the Company is defending.
  - also assessing its response to notices filed by consumers under the California Consumer Privacy Act and to inquiries from various governmental officials and agencies
- Insurance
  - availability of insurance to offset some of these costs cannot be estimated at this time.
- TTPs/MITRE ATT&CK
  - credential stuffing
    - type of brute force
    - Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization’s login failure policies.
- Controls (Security Controls)
  - Detection
    - User Account Authentication - Monitor for many failed authentication attempts across various accounts that may result from credential stuffing attempts.
    - Application Log Content
  - Mitigation
    - Multi-factor Authentication - Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
    - Account Use Policies
    - Password Policies
    - User Account Management - Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.
- Current status
  - believes that the threat actor activity is contained.
  - Company believes the investigation into these matters is complete.
Page last updated on December 6, 2023