Another One Bites the Dust: 23andMe Bankruptcy a Stark Reminder of Credential Stuffing's Cost
- Grace Howard
- Mar 26
- 3 min read
A few months ago, we wrote "YOU HAVE BEEN BREACHED: Consumer Credential Stuffing," and now the recent news of 23andMe filing for bankruptcy resonates deeply.
While reports highlight various financial struggles for the genetic testing company, it's crucial to understand that the seeds of this downfall were significantly sown by the massive 2023 data breach that began with credential stuffing attacks.
What's Credential Stuffing Anyway?
For those unfamiliar, credential stuffing is a cyberattack where malicious actors use lists of usernames and passwords, often obtained from previous breaches on other platforms, to try and gain unauthorized access to user accounts on different services.
As we at myNetWatchman have emphasized, the 23andMe breach was a prime example of this. Attackers leveraged credentials compromised elsewhere that consumers unfortunately reused on their 23andMe accounts. This led to the exposure of sensitive genetic and ancestry data of over 6.9 million customers.
The Domino Effect
The fallout from this breach was swift and significant. A class action lawsuit was filed against 23andMe alleging failure to protect customer privacy and inadequate notification, particularly to those with Chinese or Ashkenazi Jewish heritage who appeared to be specifically targeted. Ultimately, 23andMe agreed to a $30 million settlement. While the company anticipates that cyber insurance will cover approximately $25 million of this, the remaining $5 million, coupled with substantial related legal expenses, still represents a considerable financial burden.
The Verge accurately noted that the breach "dealt a big blow to the already struggling company." Other sources echoed this sentiment, with STAT even listing the cyberattack impacting 7 million customers as one of the "killing blows" leading to the Chapter 11 filing. NPR pointed out that the bankruptcy announcement came less than two years after the breach, and CNBC highlighted the cyberattack as part of a "turbulent period" for 23andMe, alongside issues with revenue generation and business viability.
Why Is This So Important?
From our perspective at myNetWatchman, the 23andMe situation underscores a critical point: organizations bear a responsibility to protect their users from the foreseeable risks of credential stuffing attacks.
While it's true that password reuse by consumers contributes to the problem, relying on this as a defense – essentially throwing up their hands and saying "there's nothing we can do" – is no longer acceptable, especially when dealing with highly sensitive data like genetic information.
The $30 million settlement should serve as a stark warning that neglecting to implement preventative measures can lead to significant financial and reputational damage.
Interestingly, as part of the settlement, 23andMe agreed to mandate Multi-Factor Authentication (MFA) going forward. While MFA is a valuable tool, relying solely on user adoption can be challenging.
As we discuss in our "YOU HAVE BEEN BREACHED" article, organizations need to consider more passive ways to protect against credential stuffing.
There's a Better Way
The good news is, it doesn't have to end this way. myNetWatchman provides solutions that can help companies actively combat credential stuffing attacks. Our services offer unique data insights into compromised credentials. We detect when compromised credential pairs are presented at login, account creation, or password change events, allowing for proactive intervention and preventing account takeover.
With our repository of over 35 billion compromised credential pairs, updated daily with 15 million new additions, we empower organizations to stay ahead of these threats and protect their users, ultimately safeguarding their bottom line and reputation.
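To make the passive check described above concrete, here is an added illustration (not myNetWatchman's code or API) of how a login, account-creation or password-change handler can test a submitted username/password pair against a compromised-credential index. The index, the hashing scheme and the 5-character k-anonymity prefix are assumptions for the example; the leaked pairs are constructed.

```python
import hashlib
import hmac

# Hash the pair, not just the password: a pair lookup flags the exact reused
# credential without the service ever storing the plaintext password.
def pair_hash(username: str, password: str) -> str:
    norm = username.strip().lower()          # normalize so "Alice@X" and " alice@x" match
    return hashlib.sha256(f"{norm}:{password}".encode("utf-8")).hexdigest()

# Constructed stand-in for a compromised-credential feed, bucketed by the first
# 5 hex chars so a remote lookup reveals only a prefix (k-anonymity style).
_CONSTRUCTED_LEAKED = [("Alice@Example.com", "Summer2019!"), ("bob", "hunter2")]
BREACH_INDEX: dict[str, set[str]] = {}
for _u, _p in _CONSTRUCTED_LEAKED:
    _h = pair_hash(_u, _p)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])

def is_compromised_pair(username: str, password: str, index=BREACH_INDEX) -> bool:
    """Look up the prefix bucket, then compare full suffixes locally in constant time."""
    h = pair_hash(username, password)
    candidates = index.get(h[:5], set())   # what the feed would return for this prefix
    return any(hmac.compare_digest(h[5:], c) for c in candidates)

def decide(event: str, username: str, password: str, password_ok: bool) -> str:
    """Return the action the auth flow should take for a submitted pair.

    event: "login", "signup" or "password_change".
    password_ok: whether the pair matched the stored credential (login only).
    """
    if event == "login":
        if not password_ok:
            return "deny"                      # ordinary failed login
        if is_compromised_pair(username, password):
            # Correct password, but the pair is in a breach corpus: treat the
            # session as a likely account takeover and force re-verification.
            return "force_reset"
        return "allow"
    if event in ("signup", "password_change"):
        if is_compromised_pair(username, password):
            return "reject_password"           # stop the reused pair being set at all
        return "accept"
    raise ValueError(f"unknown event: {event}")

if __name__ == "__main__":
    print(decide("login", "bob", "hunter2", True))                 # force_reset
    print(decide("password_change", "ALICE@example.com", "Summer2019!", True))
```

Blocking at creation and change time matters as much as at login: it keeps a pair already circulating in breach dumps from becoming a valid credential on this service in the first place.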
The 23andMe bankruptcy is a sobering event. It highlights the severe consequences of failing to adequately address the persistent threat of credential stuffing. We urge organizations to learn from this and take proactive steps to secure their users' accounts. Ignoring this risk is no longer a viable option.