The 23andMe Data Breach Keeps Spiraling

23andMe has maintained that attackers used a technique known as credential stuffing to compromise the 14,000 user accounts—finding instances where leaked login credentials from other services were reused on 23andMe. In the wake of the incident, the company forced all of its users to reset their passwords and began requiring two-factor authentication for all customers. In the weeks after 23andMe initially disclosed its breach, other similar services. including Ancestry and MyHeritage, also began promoting or requiring two-factor authentication on their accounts.

In October and again this week, though, WIRED pressed 23andMe on its finding that the user account compromises were attributable solely to credential-stuffing attacks. The company has repeatedly declined to comment, but multiple users have noted that they are certain their 23andMe account usernames and passwords were unique and could not have been exposed somewhere else in another leak.

In at least one example, though, 23andMe eventually provided an explanation to the user. On Tuesday, US National Security Agency cybersecurity director Rob Joyce noted on his personal X (formerly Twitter) account: “They disclose the credential stuffing attacks, but they don’t say how the accounts were targeted for stuffing. This was unique and not an account that could be scraped from the web or other sites.” Joyce wrote that he creates a unique email address for each company he uses to make an account. “That account is used NOWHERE else and it was unsuccessfully stuffed,” he wrote, adding: “Personal opinion: @23andMe hack was STILL worse than they are owning with the new announcement.”

Hours after Joyce publicly raised these concerns (and WIRED asked 23andMe about his case), Joyce said that the company had contacted him to determine what had happened with his account. Joyce did use a unique email address for his 23andMe account, but the company partnered with MyHeritage in 2014 and 2015 to enhance the DNA Relatives “Family Tree” functionality, which Joyce says he subsequently used. Then, separately, MyHeritage suffered a data breach in 2018 in which Joyce’s unique 23andMe email address was apparently exposed. He adds that because of using strong, unique passwords on both his MyHeritage and 23andMe accounts, neither was ever successfully compromised by attackers.

The anecdote underscores the stakes of user data sharing between companies and software features that promote social sharing when the information involved is deeply personal and relates directly to identity. It may be that the larger numbers of impacted users were not in the SEC report because 23andMe (like many companies that have suffered security breaches) does not want to include scraped data in the category of breached data. These delineations, though, ultimately make it difficult for users to grasp the scale and impact of security incidents.

“I firmly believe that cyber-insecurity is fundamentally a policy problem,” says Brett Callow, a threat analyst at the security firm Emsisoft. “We need standardized and uniform disclosure and reporting laws, prescribed language for those disclosures and reports, regulation and licensing of negotiators. Far too much happens in the shadows or is obfuscated by weasel words. It’s counterproductive and helps only the cybercriminals.”

Meanwhile, apparent 23andMe user Kendra Fee flagged on Tuesday that 23andMe is notifying customers about changes to its terms of service related to dispute resolutions and arbitration. The company says that the changes will “encourage a prompt resolution of any disputes” and “streamline arbitration proceedings where multiple similar claims are filed.” Users can opt out of the new terms by notifying the company that they decline within 30 days of receiving notice of the change.

Updated at 10:35 pm ET, December 5, 2023, to include new information about NSA cybersecurity director Rob Joyce’s 23andMe account and the broader implications of his experience.