A Tragedy of the Commons: Credential Stuffing and 23andMe

Imagine a thief, but instead of lockpicks and crowbars, their weapons are usernames and passwords. Their lockpicks are replaced by troves of credentials they buy on the black market, and they stuff every combination of usernames and passwords a given set of people have used into websites until they get access. This is the essence of a credential stuffing attack, a growing threat. Let's dissect this cybercrime (because that is what these attacks ultimately are), from its shadowy origins to its potential consequences.

The Layered Approach:

  1. Breached Credentials: The attack begins with a treasure trove of stolen login credentials, often harvested from data breaches of websites, social media platforms, or even malware infections. Think of it as a hacker's supermarket of usernames and passwords.

  2. Automated Injection: These stolen credentials are then fed into automated tools that rapidly attempt to inject them into API endpoints (when rate throttling isn’t enabled), login forms across various websites, and online services. It's like a digital shotgun blast, spraying stolen keys at every lock hoping for a match. The more a credential has been re-used, the higher the chance it will find success on more services.

  3. Success and Exploitation: If a username and password pair magically opens a door, the attacker gains unauthorized access to the victim's account. This stolen access can be used for various nefarious purposes, such as financial fraud, identity theft, data exfiltration, and even acts of sabotage, like deleting data or spreading misinformation.
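The "digital shotgun blast" in step 2 has a recognizable shape in a site's own authentication log: one source address trying many distinct usernames, almost all of them failing, with the occasional success that marks a reused credential. The detector below, an added example rather than code from the original post, parses a constructed log in an assumed `ts key=value` format and flags sources that match that shape; the field names and the thresholds (`min_users`, `min_fail_ratio`) are assumptions to tune against real traffic.

```python
"""Credential-stuffing detector run over an authentication log.

Added example, not code from the original post. The log format, field
names and thresholds are assumptions; adapt them to the real log source.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: 203.0.113.9 sprays six different usernames and
# opens one account; 198.51.100.4 is a real user mistyping their password.
SAMPLE_LOG = """\
2023-10-01T00:00:01Z ip=203.0.113.9 user=alice result=fail
2023-10-01T00:00:02Z ip=203.0.113.9 user=bob result=fail
2023-10-01T00:00:02Z ip=203.0.113.9 user=carol result=fail
2023-10-01T00:00:03Z ip=203.0.113.9 user=dave result=success
2023-10-01T00:00:03Z ip=203.0.113.9 user=erin result=fail
2023-10-01T00:00:04Z ip=203.0.113.9 user=frank result=fail
2023-10-01T00:00:05Z ip=198.51.100.4 user=grace result=fail
2023-10-01T00:00:09Z ip=198.51.100.4 user=grace result=success
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)   # distinct usernames tried
    hits: set = field(default_factory=set)    # accounts actually opened


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    if not {"ip", "user", "result"}.issubset(rec):
        return None
    return rec


def aggregate(log_text):
    """Per-source counters of attempts, failures, distinct users and hits."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip garbage rather than crash
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "success":
            s.hits.add(rec["user"])
        else:
            s.failures += 1
    return stats


def flag_stuffing(log_text, min_users=5, min_fail_ratio=0.8):
    """Return {ip: SourceStats} for sources that look like credential stuffing.

    Signature (an assumption for this example): one source tries many
    distinct usernames and nearly all attempts fail. A brute force against
    a single account, or a user fumbling their own password, keeps the
    distinct-user count low and is not flagged; the `hits` set on a flagged
    source lists the accounts that need a forced reset and a user notice.
    """
    flagged = {}
    for ip, s in aggregate(log_text).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = s
    return flagged


if __name__ == "__main__":
    for ip, s in flag_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {s.attempts} attempts, {len(s.users)} users, opened={sorted(s.hits)}")
```

The `hits` set is the part responders care about most: those are the accounts whose reused passwords worked, and in the 23andMe case each one also exposed the profiles connected to it.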

Credential stuffing attacks exploit a common human weakness: password reuse. Many people, unfortunately, use the same username and password combination across multiple websites. This makes them sitting ducks for attackers who only need to find one successful match to unlock a chain of accounts. There are ways for individuals to protect themselves, like:

  • Unique Passwords: Create strong, unique passwords for every single online account. A password manager like Secret Chest can be a helpful tool to keep track of them all.

  • Two-Factor Authentication: Enable two-factor authentication (2FA) wherever possible. This adds an extra layer of security by requiring a second verification step, like a code sent to a phone, even if a password is compromised.

  • Beware of Phishing: Phishing emails and websites can trick people into revealing their login credentials. Always be cautious about suspicious links and never enter a password unless you're sure it's being entered on a legitimate website.

  • Regular Updates: Keep software and operating systems up to date. These updates often include security patches that help protect you from known vulnerabilities.

  • Go Passwordless: Passkeys offer an alternative to passwords and can’t be used on devices unless they were created on them (or shared to them intentionally).

These steps can help make your online accounts much less vulnerable to credential stuffing attacks. A little vigilance can go a long way in keeping digital doors firmly shut against unwanted intruders. It also helps to understand that with a lot of these online services, the impact potentially goes far beyond the compromised account (some people don't worry about themselves but might worry about others).

Thinking of Security As A "Common"

The "tragedy of the commons" is a concept that describes a situation where individuals, acting in their own self-interest, deplete a shared resource to the detriment of everyone involved. Imagine a communal pasture where each villager can graze their sheep freely. Initially, everything works well as there's plenty of grass for everyone's sheep. However, as more villagers join the community, each individual sees the benefit of adding more sheep to their flock, as they only benefit from their own livestock, not the overall health of the pasture.

This leads to a classic dilemma:

  • Individual benefit: Adding more sheep brings immediate personal gain for each villager.

  • Collective cost: Overgrazing eventually depletes the grass, leading to a decline in the pasture's productivity, ultimately harming everyone.

As more and more sheep are added, the resource eventually suffers, leaving everyone worse off. This "tragedy" underscores the potential conflict between individual desires and the long-term sustainability of shared resources.

The concept has applications in various contexts, including:

  • Environmental resources: Overfishing, deforestation, and pollution are examples of how uncontrolled exploitation of shared environmental resources can lead to their depletion and harm everyone who relies on them.

  • Public goods: Unrestricted access to public resources like water or infrastructure can lead to overuse and neglect, jeopardizing their long-term functionality and availability for everyone.

  • Digital commons: Open-source software or online communities can face similar challenges if individuals contribute minimally while enjoying the collective benefits, potentially leading to underdevelopment or abandonment.

The "tragedy of the commons" serves as a cautionary tale, highlighting the importance of managing shared resources responsibly. It emphasizes the need for cooperation, regulations, or alternative management strategies to ensure sustainable use and prevent depletion, benefitting everyone in the long run. Any web app or system that links a user's online content to that of another becomes a common in this context. If a user installs or plays a game from their Facebook account, the consequences can reach far beyond that user, as the fallout from one such app did in the Cambridge Analytica scandal. When Simulmatics helped Kennedy get elected in what could be argued was the first Big Data election, they had to have operatives canvass the districts they hoped to flip electors in; now it can be as simple as a Facebook app, and done without consent.

Data is power, and spidering through massive troves of data represents one of the greatest potential threats facing the world today, as it can be wielded to disrupt perception - and turn perception into reality. Data obtained from social networks has been more psychological in nature. However, nothing is more fundamental to a human than DNA. 23andMe sits on one of the largest troves of DNA data in the world. This leaves the world in a whole new place, where many are used to thoughts and feelings that have been shared online being out there for anyone to access, but now deeply personal medical and familial information can be as well.

The 23andMe Wake-Up Call

The news of the recent 23andMe data breach sent shockwaves through the personal genomics landscape, raising concerns about the sensitivity of genetic information and its vulnerability in the digital age. To understand the full scope of this incident and its potential impact, let's delve into the timeline of events and the ongoing issues it has brought to light.

October 1st, 2023: A threat actor posts online claiming access to and sale of 23andMe user data. 23andMe launches an investigation.

October 26th, 2023: Initial findings revealed. 23andMe confirms unauthorized access to roughly 14,000 user accounts through "credential stuffing," using compromised passwords from other websites. No direct breach of its systems is found.

December 5th, 2023: The picture widens. An amended filing to the Securities and Exchange Commission (SEC) discloses the broader impact. An additional 5.5 million users and 1.4 million Family Tree users had their profiles exposed through connections to the compromised accounts. Ancestry information, but not raw genetic data, appears affected.

Present Day: Questions linger. While 23andMe continues to address concerns, several issues remain unaddressed:

  • Full Extent of the Breach: The extent of information accessed beyond ancestry data remains unclear. Some reports suggest ethnic heritage and health traits may have been exposed.

  • Potential Misuse of Data: The potential for misuse of sensitive genetic information for discrimination, targeted advertising, or even medical insurance concerns users and privacy advocates.

  • Transparency and Accountability: Critics question the initial downplaying of the breach and demand greater transparency from 23andMe regarding its data security practices.

The 23andMe team responded with the following: "… unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe."

This is clearly legal speak. Lawyers effectively blamed users, and they're not entirely wrong. See, 23andMe has two-factor authentication (2FA) available. Users aren't forced to enable it. While the legal team can wash their hands of it and try to avoid a class action, the 23andMe breach serves as a stark reminder of the vulnerability of personal data in the digital age, particularly sensitive information like genetic data. It underscores the need for stronger data security measures.

The Impact

Companies like 23andMe must prioritize robust security measures and regularly evaluate their vulnerabilities. This means rate limiting logins (and API access) from specific addresses, employing anomaly detection to isolate bad actors, forcing 2FA for those who can provide access to the data of another, being more cautious about what "integrations" (or API access) can get and vetting those to whom keys are handed out, checking haveibeenpwned or another service to see if a credential is being re-used from a service that has been compromised, using an identity provider rather than hashed passwords in their own database, going passwordless, and most importantly just operating with a security mindset.
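Three of those measures fit in one login path: per-address and per-account rate limiting, a breached-password check against a service like haveibeenpwned, and a second factor enforced for any account that can expose other people's data. The following is an added example, not 23andMe's code. The breached-corpus lookup imitates the k-anonymity range query such services use (only the first five hex characters of the SHA-1 leave the client) but is backed by a small constructed in-memory set; the user store, throttle limits, PBKDF2 iteration count, and the `shares_data_with_others` flag standing in for something like a relative-matching feature are all assumptions.

```python
"""Hardened login path: throttling, breached-password check, enforced 2FA.

Added example, not 23andMe's code. The in-memory user store, the constructed
breached corpus, the throttle limits and the PBKDF2 cost are assumptions.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# --- breached-password lookup, k-anonymity style ----------------------------
# Constructed corpus standing in for a real range-query service; the client
# only ever sends a 5-hex-char SHA-1 prefix and compares suffixes locally.
BREACHED_CORPUS = {"password123", "letmein", "qwerty"}


def _sha1_hex(pw):
    return hashlib.sha1(pw.encode()).hexdigest().upper()


def lookup_suffixes(prefix):
    """Simulated range query: suffixes of all breached hashes with `prefix`."""
    return {_sha1_hex(p)[5:] for p in BREACHED_CORPUS
            if _sha1_hex(p).startswith(prefix)}


def password_is_breached(pw):
    digest = _sha1_hex(pw)
    return digest[5:] in lookup_suffixes(digest[:5])


# --- throttling -------------------------------------------------------------
class Throttle:
    """Sliding-window counter keyed by any string (source address, username)."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] > self.window_s:   # drop expired events
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# --- accounts ---------------------------------------------------------------
def _pbkdf2(pw, salt):
    # 100k iterations keeps the example quick; raise it for production.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class AuthService:
    def __init__(self):
        self.users = {}
        self.ip_throttle = Throttle(limit=20, window_s=60)    # per source
        self.acct_throttle = Throttle(limit=5, window_s=300)  # per account
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _pbkdf2("dummy", self._dummy_salt)

    def register(self, username, pw, shares_data_with_others, totp_enrolled):
        if password_is_breached(pw):
            return "rejected: password appears in a known breach"
        # Accounts that expose other people's data must carry a second factor.
        if shares_data_with_others and not totp_enrolled:
            return "rejected: second factor required for sharing accounts"
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _pbkdf2(pw, salt),
                                "mfa": totp_enrolled}
        return "ok"

    def login(self, username, pw, client_ip, otp_ok, now=None):
        now = time.time() if now is None else now
        if not self.ip_throttle.allow(client_ip, now):
            return "throttled: too many attempts from this address"
        if not self.acct_throttle.allow(username, now):
            return "throttled: too many attempts on this account"
        rec = self.users.get(username)
        # Hash even for unknown usernames so response time does not reveal
        # which usernames exist.
        salt = rec["salt"] if rec else self._dummy_salt
        expected = rec["hash"] if rec else self._dummy_hash
        candidate = _pbkdf2(pw, salt)
        if rec is None or not hmac.compare_digest(candidate, expected):
            return "denied"
        if rec["mfa"] and not otp_ok:
            return "second factor required"
        return "ok"
```

The per-address limit is what blunts the spray itself; the per-account limit catches a distributed attacker rotating addresses against one user; and the breach check at registration (and ideally on every password change) removes the reused credential before a stuffing list can ever match it.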

User education and awareness are also key. Users need to be educated about online security practices and the implications of sharing sensitive data. This isn't a vendor like 23andMe's job, but it's not-not their job. If they had led a campaign to push all users into multi-factor authentication, they wouldn't be immune from legal action, but it would be yet another factor mitigating the impact. Yet it's hard for a product manager to justify what amounts to risk management, and potentially more friction in the login process for many of the less savvy users.

23andMe is probably going to be one of many major attacks in this era that will lead to enhanced regulatory frameworks. All developers will face stronger regulations and ethical guidelines when it comes to handling genetic data, or just protecting individual privacy and preventing misuse of data. Existing regulations govern the use of financial data, and under a framework like SOC 2, vendors are expected to meet certain standards. Some of these provide remedies and governance for specific industries, as with the Sarbanes–Oxley Act. However, it's more and more clear that ALL data stored online can be weaponized as a "common."

The 23andMe breach is a watershed moment in the world of personal genomics. While the full consequences are still unfolding, it's a wake-up call for increased vigilance, open communication, and a reassessment of how we handle not only our most personal data in the digital era, but all of our data.
