Saved in:
Bibliographic Details
Main Authors: Holthouse, Ryan, Owens, Serena, Bhunia, Suman
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2502.04303
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866912222580572160
author Holthouse, Ryan
Owens, Serena
Bhunia, Suman
author_facet Holthouse, Ryan
Owens, Serena
Bhunia, Suman
contents In October 2023, 23andMe, a prominent provider of personal genetic testing, ancestry, and health information services, suffered a significant data breach orchestrated by a cybercriminal known as ``Golem.'' Initially, approximately 14,000 user accounts were compromised by a credential smear attack, exploiting reused usernames and passwords from previous data leaks. However, due to the interconnected nature of 23andMe's DNA Relatives and Family Tree features, the breach expanded exponentially, exposing sensitive personal and genetic data of approximately 5.5 million users and 1.4 million additional profiles. The attack highlights the increasing threat of credential stuffing, exacerbated by poor password hygiene and the absence of robust security measures such as multi-factor authentication (MFA) and rate limiting. In response, 23andMe mandated password resets, implemented email-based two-step verification, and advised users to update passwords across other services. This paper critically analyzes the attack methodology, its impact on users and the company, and explores potential mitigation strategies, including enhanced authentication protocols, proactive breach detection, and improved cybersecurity practices. The findings underscore the necessity of stronger user authentication measures and corporate responsibility in safeguarding sensitive genetic and personal data.
format Preprint
id arxiv_https___arxiv_org_abs_2502_04303
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle The 23andMe Data Breach: Analyzing Credential Stuffing Attacks, Security Vulnerabilities, and Mitigation Strategies
Holthouse, Ryan
Owens, Serena
Bhunia, Suman
Cryptography and Security
In October 2023, 23andMe, a prominent provider of personal genetic testing, ancestry, and health information services, suffered a significant data breach orchestrated by a cybercriminal known as ``Golem.'' Initially, approximately 14,000 user accounts were compromised by a credential smear attack, exploiting reused usernames and passwords from previous data leaks. However, due to the interconnected nature of 23andMe's DNA Relatives and Family Tree features, the breach expanded exponentially, exposing sensitive personal and genetic data of approximately 5.5 million users and 1.4 million additional profiles. The attack highlights the increasing threat of credential stuffing, exacerbated by poor password hygiene and the absence of robust security measures such as multi-factor authentication (MFA) and rate limiting. In response, 23andMe mandated password resets, implemented email-based two-step verification, and advised users to update passwords across other services. This paper critically analyzes the attack methodology, its impact on users and the company, and explores potential mitigation strategies, including enhanced authentication protocols, proactive breach detection, and improved cybersecurity practices. The findings underscore the necessity of stronger user authentication measures and corporate responsibility in safeguarding sensitive genetic and personal data.
title The 23andMe Data Breach: Analyzing Credential Stuffing Attacks, Security Vulnerabilities, and Mitigation Strategies
topic Cryptography and Security
url https://arxiv.org/abs/2502.04303