Introduction
The California Attorney General’s lawsuit against 23andMe (now Chrome Holding Co.) serves as a stark warning about the fragility of biometric security. In October 2023, threat actors successfully accessed approximately 6.9 million user profiles—amounting to nearly half of the company's customer base—by exploiting weak authentication controls. This wasn't a sophisticated zero-day exploit; it was a classic credential stuffing attack that bypassed insufficient rate limiting and basic security controls.
For defenders, the severity here is existential. While passwords can be reset, genetic data and ancestry information are immutable. Once exposed, they can be used for highly targeted social engineering, insurance fraud, or tracking of family members. The lawsuit alleges that 23andMe failed to implement reasonable security measures, specifically lacking adequate multi-factor authentication (MFA) enforcement and bot detection. If your organization stores Protected Health Information (PHI) or high-value PII, this breach is a case study in what happens when identity security is treated as a compliance checkbox rather than a critical control.
Technical Analysis
Attack Vector: Credential Stuffing (T1110.004)
The initial intrusion vector was confirmed as credential stuffing. Attackers utilized large dumps of usernames and passwords leaked from previous, unrelated breaches to automate login attempts against the 23andMe platform.
- Affected Component: Web Authentication Portal (DNA Relatives feature).
- Vulnerability: Lack of robust rate limiting and absence of mandatory MFA for all users at the time of the breach.
- Exploitation Requirements: Valid username/password pairs from previous data leaks and automation scripts (e.g., OpenBullet, Sentry MBA).
- Exploitation Status: Confirmed Active Exploitation. Data was advertised for sale on dark web forums in October 2023.
Lateral Movement and Data Aggregation
Once initial accounts were compromised, attackers leveraged the platform’s “DNA Relatives” feature. This feature allows users to find genetic matches. By compromising one account, attackers could scrape the profiles of relatives, effectively bypassing the security of users who had strong, unique passwords but were genetically linked to a victim with a compromised password. This is a form of "data exfiltration via application business logic."
No CVEs were assigned as this was a failure of configuration and logic rather than a software vulnerability.
Detection & Response
Sigma Rules
The following Sigma rules target the behaviors associated with credential stuffing and the subsequent scraping of user data. They are written for web server logs (Apache/Nginx) or SIEM-ingested proxy logs and use Sigma's legacy count() by aggregation with a timeframe; the field names (src_ip, sc_status, cs_uri_stem, cs_method) must be mapped to your backend's log schema.
---
title: Potential Credential Stuffing Attack - High Failed Auth Rate
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects a high volume of failed authentication attempts against the login endpoint from a single source IP, indicative of credential stuffing.
references:
  - https://attack.mitre.org/techniques/T1110/004/
author: Security Arsenal
date: 2024/05/15
tags:
  - attack.credential_access
  - attack.t1110.004
logsource:
  category: webserver
  product: apache
detection:
  selection:
    cs_uri_stem|contains: '/login'   # adjust to your authentication endpoint
    sc_status:                       # authentication failures, not every 40x response
      - 401
      - 403
  timeframe: 1m
  condition: selection | count() by src_ip > 50
falsepositives:
  - Misconfigured legacy applications
  - Password spraying from a single authorized IP (rare)
level: high
---
title: Web Scraping of Sensitive User Profiles
id: b2c3d4e5-6789-01ab-cdef-234567890bcd
status: experimental
description: Detects potential scraping activity characterized by rapid successive successful 200 OK requests to profile-related endpoints.
references:
  - https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2024/05/15
tags:
  - attack.collection
  - attack.t1219
logsource:
  category: webserver
  product: nginx
detection:
  selection:
    cs_method: 'GET'
    sc_status: 200
    cs_uri_stem|contains:
      - '/profile'
      - '/user'
      - '/relatives'
  timeframe: 5m
  condition: selection | count() by src_ip > 100
falsepositives:
  - Legitimate heavy usage by automated tools
level: medium
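The same two detections expressed as runnable Python over constructed Apache-format log lines, as an added example that is not code from the original post or from any vendor: it parses the combined log format and applies a per-source-IP sliding window, which is what the Sigma count() by aggregation with a timeframe does. The 401/403 login-endpoint filter, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx combined log format; only the fields the two Sigma rules need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
def parse(line):
    m = LOG_RE.match(line)
    return None if m is None else {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
                                   "method": m["method"], "path": m["path"], "status": int(m["status"])}

def alerting_ips(lines, match, threshold, window):
    """Sliding-window form of Sigma's 'count() by src_ip > N' over a timeframe:
    report every IP whose matching requests exceed `threshold` inside any `window`."""
    recent, alerted = defaultdict(deque), set()
    for line in lines:
        ev = parse(line)
        if ev is None or not match(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # evict events that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerted.add(ev["ip"])
    return sorted(alerted)

def credential_stuffing_ips(lines, threshold=50, window=timedelta(minutes=1)):
    # Rule 1: failed authentication (401/403) on the login endpoint, not just any 40x response.
    return alerting_ips(lines, lambda e: e["path"].startswith("/login") and e["status"] in (401, 403),
                        threshold, window)

def scraping_ips(lines, threshold=100, window=timedelta(minutes=5)):
    # Rule 2: bursts of successful GETs against profile / relatives endpoints from one IP.
    return alerting_ips(lines, lambda e: e["method"] == "GET" and e["status"] == 200 and
                        any(s in e["path"] for s in ("/profile", "/user", "/relatives")), threshold, window)

def log_line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'
def sample_lines():
    """Constructed traffic: 203.0.113.7 fails 60 logins in 30 s, then pulls 120 relative profiles
    through the one account it hit; 198.51.100.2 is a real user who mistyped a password twice."""
    t0, ua = datetime(2023, 10, 1, 12, 0, tzinfo=timezone.utc), "python-requests/2.31"
    bot, user = "203.0.113.7", "198.51.100.2"
    lines = [log_line(bot, t0 + timedelta(milliseconds=500 * i), "POST", "/login", 401, ua) for i in range(60)]
    lines += [log_line(bot, t0 + timedelta(seconds=40 + i), "GET", f"/relatives/{i}", 200, ua) for i in range(120)]
    lines += [log_line(user, t0 + timedelta(seconds=5 * i), "POST", "/login", s, "Mozilla/5.0")
              for i, s in enumerate((401, 401, 302))]
    return sorted(lines, key=lambda l: parse(l)["ts"])
```

Running `credential_stuffing_ips(sample_lines())` and `scraping_ips(sample_lines())` each returns only the bot address; the ordinary user's two failures stay under both thresholds.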
KQL (Microsoft Sentinel / Defender)
This KQL hunt query looks for bursts of failed sign-ins from a single IP spread across many accounts, the signature of credential stuffing, and joins them to successful sign-ins from the same IP so that the accounts the attacker actually got into surface first.
// Hunt for credential stuffing: bursts of failed sign-ins from one IP across many accounts,
// joined to any successful sign-in from that same IP (the "hit" that follows the burst)
let FailureThreshold = 20;
let TimeWindow = 5m;
SigninLogs
| where ResultType in ("50126", "50053", "50057", "50055") // Common Entra ID (AAD) error codes for failed authentication
| summarize FailedLogins = count(), TargetedUsers = dcount(UserPrincipalName)
    by bin(TimeGenerated, TimeWindow), IPAddress
| where FailedLogins >= FailureThreshold
| join kind=inner (
    SigninLogs
    | where ResultType == "0" // ResultType is a string; "0" is a successful sign-in
    | project SuccessTime = TimeGenerated, IPAddress, SucceededUser = UserPrincipalName, AppDisplayName, Location
  ) on IPAddress
| where SuccessTime >= TimeGenerated // success at or after the start of the failure window
| project IPAddress, FailedLogins, TargetedUsers, SucceededUser, SuccessTime, AppDisplayName, Location
| distinct IPAddress, FailedLogins, TargetedUsers, SucceededUser, Location
| order by FailedLogins desc
Velociraptor VQL
While credential stuffing is a network/web attack, successful stuffing often leads to account compromise. On the endpoint, defenders should hunt for information stealers that may have provided the credentials used in the attack. This VQL artifact hunts for common info-stealer process artifacts. Process-name matches are brittle, since stealers are routinely renamed, so treat hits as leads for triage rather than confirmation.
-- Hunt for Information Stealer Processes and Artifacts
-- Regexes use triple-quoted (raw) VQL strings so backslashes are not interpreted as escapes
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE lowcase(string=Name) IN ('redline.exe', 'lummac.exe', 'vidar.exe', 'stealer.exe', 'cryptbot.exe')
   -- exfiltration-style command lines (Telegram bot API, upload/inject switches)
   OR CommandLine =~ '''(?i)(https?://api\.telegram\.org|/upload|/inject)'''
   -- generically named binaries dropped under a user's Roaming profile
   OR Exe =~ '''(?i)^C:\\Users\\[^\\]+\\AppData\\Roaming\\[^\\]+\\(Client|Update|Config)\.exe$'''
Remediation Script (PowerShell)
This script checks Microsoft Entra ID (Azure AD) for users who signed in during the last 30 days without any sign-in that satisfied an MFA requirement, and warns if no enabled Conditional Access policy requires MFA. Enforcing MFA is the primary mitigation for credential stuffing. Reading sign-in logs through Microsoft Graph requires an Entra ID P1 or P2 license.
# Remediation: Audit and Report Users without MFA
# Requires the Microsoft Graph PowerShell module: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes 'User.Read.All', 'Policy.Read.All', 'AuditLog.Read.All'

# 1. Is there at least one enabled Conditional Access policy that requires MFA?
$MfaCondAccessPolicy = Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' }
if (-not $MfaCondAccessPolicy) {
    Write-Warning "No enabled Conditional Access policy that requires MFA was found."
}

# 2. For every user active in the last 30 days, look for at least one sign-in that satisfied MFA
$Users = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, SignInActivity
$Since = (Get-Date).ToUniversalTime().AddDays(-30)
$SinceIso = $Since.ToString('yyyy-MM-ddTHH:mm:ssZ')   # Graph $filter expects ISO 8601 UTC

$NonMfaUsers = foreach ($User in $Users) {
    $LastSignIn = $User.SignInActivity.LastSignInDateTime
    if (-not $LastSignIn -or $LastSignIn -lt $Since) { continue }   # skip users with no recent activity

    $SignIns = Get-MgAuditLogSignIn -All -Filter "userId eq '$($User.Id)' and createdDateTime ge $SinceIso"
    # AuthenticationRequirement records whether the sign-in was challenged for MFA; MfaDetail is often
    # an empty object rather than $null, so it is not a reliable test
    $MfaSignIn = $SignIns | Where-Object { $_.AuthenticationRequirement -eq 'multiFactorAuthentication' } |
        Select-Object -First 1
    if (-not $MfaSignIn) {
        [PSCustomObject]@{
            UserPrincipalName = $User.UserPrincipalName
            DisplayName       = $User.DisplayName
            LastSignIn        = $LastSignIn
            Status            = 'MFA Not Detected'
        }
    }
}

if ($NonMfaUsers) {
    Write-Output "The following users signed in during the last 30 days without MFA being confirmed:"
    $NonMfaUsers | Format-Table -AutoSize
} else {
    Write-Output "Audit complete. All active users appear to be compliant with MFA policies."
}
Remediation
To defend against credential stuffing attacks similar to the 23andMe breach, organizations must implement the following controls immediately:
- Enforce Multi-Factor Authentication (MFA): This is the single most effective control against credential stuffing. Require phishing-resistant MFA (FIDO2/WebAuthn) for all users, especially those accessing sensitive data like PHI.
- Implement Rate Limiting and IP Blocking: Configure WAFs (Web Application Firewalls) and load balancers to block IP addresses that exceed a threshold of failed login attempts (e.g., 5 failed attempts per minute).
- Deploy Bot Detection: Utilize advanced bot management solutions that distinguish between legitimate browsers and automated scripts (headless browsers, curl, python-requests).
- Password Hygiene Monitoring: Integrate breach detection services (such as HaveIBeenPwned) into your password reset flows to prevent users from setting passwords that have already been leaked.
- Data Access Controls: Review the "DNA Relatives" equivalent in your applications. Ensure that data aggregation features do not allow transitive access to other users' PII without explicit consent for every access request.
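A sketch of the authorization rule behind the last item, and of the "DNA Relatives" weakness described under Lateral Movement, as an added example that is not code from the original post or from 23andMe: every read of a relative's profile is checked against the target's own opt-in and explicit consent, relative lists are non-transitive (an account can list only its own matches, never a match's matches), and a per-session view cap limits what one stolen session can bulk-read. The User fields, the haplogroup sample values and the cap size are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
@dataclass
class User:
    id: str
    opted_in: bool                               # agreed to appear in relative matching at all
    consents: set = field(default_factory=set)   # relatives this user explicitly shares the full profile with
    profile: dict = field(default_factory=dict)

class Forbidden(Exception): pass
class RelativesService:
    def __init__(self, users, matches, per_session_cap=50):
        self.users = {u.id: u for u in users}
        self.matches = matches          # {user_id: set of matched ids}, symmetric
        self.cap = per_session_cap
        self.views = Counter()          # profile reads per viewer in this session
    def list_relatives(self, viewer_id, of_user_id):
        # Non-transitive: an account lists only its own matches, never a match's matches.
        if viewer_id != of_user_id:
            raise Forbidden("cannot enumerate another user's relatives")
        if not self.users[viewer_id].opted_in:
            return []
        return sorted(m for m in self.matches.get(viewer_id, ()) if self.users[m].opted_in)
    def view_profile(self, viewer_id, target_id):
        target = self.users[target_id]   # re-checked on every request, never cached per session
        if not target.opted_in or target_id not in self.matches.get(viewer_id, ()):
            raise Forbidden("not a visible match")
        if self.views[viewer_id] >= self.cap:   # one stolen session cannot bulk-read the whole match list
            raise Forbidden("session view cap reached")
        self.views[viewer_id] += 1
        if viewer_id in target.consents:        # explicit consent from the target: full profile
            return dict(target.profile)
        return {"display_name": target.profile["display_name"]}   # default: minimal fields only

def blocked(fn, *args):
    try: fn(*args); return False
    except Forbidden: return True

def demo():
    """Constructed users: alice consented to share with bob, bob with nobody, carol opted out."""
    users = [User("alice", True, {"bob"}, {"display_name": "Alice", "haplogroup": "H1"}),
             User("bob", True, set(), {"display_name": "Bob", "haplogroup": "R1b"}),
             User("carol", False, set(), {"display_name": "Carol", "haplogroup": "J2"})]
    matches = {"alice": {"bob", "carol"}, "bob": {"alice", "carol"}, "carol": {"alice", "bob"}}
    svc = RelativesService(users, matches, per_session_cap=1)   # attacker holds bob's credentials
    return {"bob_sees": svc.list_relatives("bob", "bob"),               # carol hidden: she opted out
            "bob_reads_alice": svc.view_profile("bob", "alice"),        # full profile: alice consented
            "alice_reads_bob": svc.view_profile("alice", "bob"),        # minimal: bob did not consent
            "transitive_blocked": blocked(svc.list_relatives, "bob", "alice"),
            "cap_blocked": blocked(svc.view_profile, "bob", "alice")}   # bob's second read this session
```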
Official Vendor Guidance: Review the CISA KEV Catalog for relevant authentication bypasses and ensure logging standards align with NIST 800-92.