The recent news of 23andMe filing for bankruptcy resonates deeply with anyone in fraud prevention. While reports highlight the genetic testing company's various financial struggles, much of the seed of this downfall was sown by the massive 2023 data breach, which began with credential stuffing attacks.
What Happened
Attackers leveraged credentials compromised elsewhere — that consumers unfortunately reused on their 23andMe accounts — to expose sensitive genetic and ancestry data of over 6.9 million customers.
A class action lawsuit followed, alleging failure to protect customer privacy and inadequate notification — particularly to those with Chinese or Ashkenazi Jewish heritage who appeared to be specifically targeted. 23andMe agreed to a $30 million settlement. Cyber insurance will cover approximately $25 million, but the remaining $5 million, coupled with substantial legal expenses, still represents a significant burden.
The breach “dealt a big blow to the already struggling company.” NPR noted that the bankruptcy announcement came less than two years after the breach. CNBC highlighted the cyberattack as part of a “turbulent period” that, combined with revenue challenges, led to the Chapter 11 filing.
Why This Matters
Organizations bear a responsibility to protect their users from the foreseeable risks of credential stuffing attacks. Relying on consumer password habits as a defense — essentially saying “there’s nothing we can do” — is no longer acceptable, especially when dealing with highly sensitive data like genetic information.
Interestingly, as part of the settlement, 23andMe agreed to mandate Multi-Factor Authentication going forward. While MFA is valuable, relying solely on user adoption is challenging. Organizations need more passive, behind-the-scenes ways to protect against credential stuffing.
There’s a Better Way
The good news: it doesn’t have to end this way. Detecting when compromised credential pairs are presented at login, account creation, or password change events allows for proactive intervention — preventing account takeover before it happens.
With a repository of over 35 billion compromised credential pairs, updated daily with 15 million new additions, organizations can stay ahead of these threats and protect their users, ultimately safeguarding their bottom line and reputation.
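The check described above, as an added illustration rather than myNetWatchman's own product or code: a small, self-contained Python model of a compromised-credential store consulted at login, account creation and password change events. The feed contents, the deployment key, the event names and the policy outcomes are all constructed for this example; a production deployment would ingest a large, continuously updated feed and decide its own step-up and reset policy.

```python
import hashlib
import hmac
from enum import Enum

# Constructed sample standing in for a compromised-credential feed. Only keyed
# hashes of these pairs are ever kept in memory by the store below.
SAMPLE_COMPROMISED_PAIRS = [
    ("alice@example.com", "Password123"),
    ("bob@example.com", "letmein"),
]

# Hypothetical per-deployment secret: fingerprints are keyed so that a leaked
# store cannot be brute-forced back to passwords without this key.
PAIR_HASH_KEY = b"constructed-demo-key-change-me"


class EventKind(Enum):
    LOGIN = "login"
    ACCOUNT_CREATION = "account_creation"
    PASSWORD_CHANGE = "password_change"


def normalize_identifier(email: str) -> str:
    """Trim and case-fold the email so 'Alice@Example.com ' matches the feed entry."""
    return email.strip().casefold()


def pair_fingerprint(email: str, password: str) -> str:
    """Keyed SHA-256 over (normalized email, password); the password keeps its case."""
    material = normalize_identifier(email).encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hmac.new(PAIR_HASH_KEY, material, hashlib.sha256).hexdigest()


class CompromisedCredentialStore:
    """In-memory set of pair fingerprints; add() models the daily feed update."""

    def __init__(self, pairs):
        self._fingerprints = {pair_fingerprint(e, p) for e, p in pairs}

    def add(self, email: str, password: str) -> None:
        self._fingerprints.add(pair_fingerprint(email, password))

    def is_compromised(self, email: str, password: str) -> bool:
        return pair_fingerprint(email, password) in self._fingerprints


def decide(store: CompromisedCredentialStore, event: EventKind, email: str, password: str) -> str:
    """Policy applied when the pair is known to attackers (constructed outcome names).

    - login: the password is correct, but a legitimate user and a credential
      stuffing bot look identical at this point, so step up verification and
      force a rotation instead of issuing a session.
    - account creation / password change: refuse to let a known-compromised
      pair become a valid credential at all.
    """
    if not store.is_compromised(email, password):
        return "allow"
    if event is EventKind.LOGIN:
        return "step_up_and_force_reset"
    return "reject"


if __name__ == "__main__":
    store = CompromisedCredentialStore(SAMPLE_COMPROMISED_PAIRS)
    for event, email, password in [
        (EventKind.LOGIN, "Alice@Example.com", "Password123"),
        (EventKind.ACCOUNT_CREATION, "bob@example.com", "letmein"),
        (EventKind.PASSWORD_CHANGE, "carol@example.com", "long-unique-passphrase"),
    ]:
        print(event.value, email, "->", decide(store, event, email, password))
```

The email is normalized before hashing because feeds and user input disagree on case and whitespace, while the password is hashed exactly as typed; the result is that a reused pair is caught regardless of how the user spells their address, but a genuinely different password is not flagged. Because the check runs inside the authentication flow, it needs no action from the user until a match is found, which is the passive, behind-the-scenes protection the post argues for.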
The 23andMe bankruptcy is a sobering event. Ignoring the risk of credential stuffing is no longer a viable option.
The mechanics of how email became the digital economy’s most consequential vulnerability, the case studies that should have changed everything, and what a continuous intelligence approach actually looks like — all documented in “The Lying Gatekeeper,” a special report from myNetWatchman.