So what actually happened?
Hackers used stolen login information from data leak forums and tried to log into 23andMe using those same stolen email and password combinations. This tactic is called “credential stuffing”.
I don’t get it.
To remove any confusion, here it is spelled out. Hackers downloaded stolen email and password combinations from different data leak sites on the dark web. For example, let’s say at some point someone’s Facebook account was hacked. And let’s say that person used their email johndoe@gmail.com and the favorite password they never forget, “Password123”, to log into their Facebook account. The hackers then took a gamble and tried to log into 23andMe using the same username and password combinations. And the hackers got lucky 14,000 times. On 23andMe, users have the option to share ancestry and genetic information with their relatives. So even though the hackers got into 14,000 accounts, by doing so they actually gained access to records belonging to 6.9 million people.
Yikes. So what can we learn from this?
Well, before we get into that, let’s see what mistakes were made by these hacked users that allowed the hack to happen in the first place.
- For starters, the hacked users used the same email and password combination on more than one platform. This is a huge “no no”, which you likely learned already through Cyber Command's Cybersecurity Training portal.
- The hacked users also did not have two factor authentication (2FA) enabled on 23andMe. How do we know this? Because if they had enabled 2FA, then the hackers would have had to enter a 2FA code, either from the actual user's phone, or from an authenticator app. Without 2FA codes, the hackers would not have been able to get into the 23andMe accounts.
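The reason credential stuffing is different from an ordinary break-in attempt is visible in a login log: one source tries many different usernames, one attempt each, and only a small fraction succeed. The following is an added example, not code from the original article or from 23andMe, that runs that check over a constructed log sample. The log format, the IP addresses, the five-minute window and the five-account threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log, not taken from 23andMe or any real
# system. Assumed line format: "<ISO timestamp> <source IP> <username> <result>".
SAMPLE_LOG = """\
2024-01-05T10:00:01 203.0.113.7 alice@example.com FAIL
2024-01-05T10:00:02 203.0.113.7 bob@example.com FAIL
2024-01-05T10:00:02 203.0.113.7 carol@example.com SUCCESS
2024-01-05T10:00:03 203.0.113.7 dave@example.com FAIL
2024-01-05T10:00:04 203.0.113.7 erin@example.com FAIL
2024-01-05T10:00:05 203.0.113.7 frank@example.com FAIL
2024-01-05T10:00:09 198.51.100.4 alice@example.com FAIL
2024-01-05T10:00:40 198.51.100.4 alice@example.com SUCCESS
2024-01-05T10:30:00 192.0.2.9 grace@example.com SUCCESS
"""


def parse_log(text):
    """Turn the log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that attempted at least `min_users` distinct accounts
    within any `window`. Returns {ip: (distinct_users, successful_logins)}.

    Credential stuffing looks like this: one source, many different usernames,
    roughly one attempt each, with a small fraction succeeding. A single user
    fumbling their own password (one username, several attempts) is not flagged.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span is at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users_in_window = {u for _, u, _ in attempts[start:end + 1]}
            if len(users_in_window) >= min_users:
                all_users = {u for _, u, _ in attempts}
                successes = sum(1 for _, _, r in attempts if r == "SUCCESS")
                flagged[ip] = (len(all_users), successes)
                break
    return flagged


if __name__ == "__main__":
    for ip, (users, hits) in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {users} distinct accounts tried, {hits} succeeded")
```

On the sample, 203.0.113.7 is flagged (six accounts in four seconds, one success) while 198.51.100.4, a user retrying their own account, is not. The successful login from the flagged source is the one worth acting on: it is exactly the kind of “lucky” hit described above, and 2FA would have stopped it.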
So, now what can we learn from this?
- Always use complex passwords.
- Always use unique passwords.
- Always enable 2FA on every platform to which you have access.
What do you mean by complex passwords?
We define a complex password as one that uses uppercase and lowercase letters, numbers and symbols, and is at least 14 characters long.
What do you mean by unique passwords?
A unique password is one that is neither the same as nor similar to any other password you use. This means that you should not simply add an exclamation point or an @ sign to the end of your favorite password from a different site, because that does not make it unique. Passwords should be truly unique, and not similar to any other. Knowing your password to one account should not in any way give a hacker the clues needed to break into a different account of yours.
How important is it to use complex passwords?
Exceedingly important. Let’s say you have a favorite password that you use. The password is easy to remember, you use it all the time, and it is a combination of “stuff” that only you know. Let’s use 37Av@tArs as our example password. That password has uppercase and lowercase letters, numbers and symbols. So, what’s the problem with that password?
The problem is that, as complex as the password is, it has only 9 characters, and it took only one minute to crack using brute-force password attacking software that anyone can download for free from the Internet. Here is a chart that illustrates different password types and how long a hacker would take to crack each: https://cybercc.org/wp-content/uploads/2022/07/2024-crack.jpg
Ok. So remind me, what again is a secure password?
The short answer is, your passwords should have the following characteristics to be considered secure.
- Uppercase letters.
- Lowercase letters.
- Numbers.
- Symbols.
- At least 14 characters long, but preferably 18.
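The two rules above (complex and unique) can be checked mechanically. The following is an added example, not code from the original article, that applies the page's complexity rule and then tests whether a new password is merely a decorated version of an old one, which is the “add an exclamation point or an @ sign” trap described earlier. The letter-for-symbol substitution table and the 0.8 similarity threshold are heuristics assumed for the example.

```python
import string
from difflib import SequenceMatcher

MIN_LENGTH = 14        # the page's minimum
PREFERRED_LENGTH = 18  # the page's preferred length

# Common symbol-for-letter swaps people make to "vary" a password.
# This mapping is a heuristic assumption for the example, not a standard.
_SUBSTITUTIONS = str.maketrans("@$013", "asoie")


def complexity_issues(password):
    """Return the list of page rules the password fails (empty list = passes)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        issues.append("no uppercase letter")
    if not any(c.islower() for c in password):
        issues.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("no digit")
    if not any(c in string.punctuation for c in password):
        issues.append("no symbol")
    return issues


def core_of(password):
    """Strip the decorations people add when reusing a password: letter case,
    leading or trailing digits and symbols, and the usual @->a, $->s, 0->o swaps."""
    stripped = password.lower().strip(string.digits + string.punctuation)
    return stripped.translate(_SUBSTITUTIONS)


def is_unique(new_password, previous_passwords, threshold=0.8):
    """True only if the new password is not a trivial variant of an earlier one."""
    new_core = core_of(new_password)
    for old in previous_passwords:
        old_core = core_of(old)
        if not new_core or not old_core:
            continue
        # Same core, or one core contained in the other, is plain reuse.
        if new_core in old_core or old_core in new_core:
            return False
        # Near-identical cores (one or two characters changed) are reuse too.
        if SequenceMatcher(None, new_core, old_core).ratio() >= threshold:
            return False
    return True


def evaluate(new_password, previous_passwords):
    """Apply both rules from the page: the password must be complex AND unique."""
    issues = complexity_issues(new_password)
    if not is_unique(new_password, previous_passwords):
        issues.append("too similar to a password already in use")
    return issues


if __name__ == "__main__":
    old = ["Password123"]  # constructed example of a previously used password
    for candidate in ("Password123!", "P@ssw0rd!", "37Av@tArs", "Tq7#vRk9!mLp2&zX"):
        print(f"{candidate!r}: {evaluate(candidate, old) or 'ok'}")
```

Note that `Password123!` and `P@ssw0rd!` both fail the uniqueness rule because their core is still `password`, while `37Av@tArs` passes uniqueness but fails the length rule, matching the page's point that complexity alone is not enough.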
Whoa. According to the chart, even a 13 character password will take forty seven (47) years to crack. Why do we need to go crazy overboard?!
That is a great question. As you likely already know, technology is getting better and faster each year, and shows no signs of slowing down. Because the machines hackers use (the same ones we buy in stores) keep getting faster, a newer computer cracks a password in less time than an older one. For example…
- In 2020, it would have taken a whopping 34,000 years to crack a 12-character password with uppercase and lowercase letters, numbers and symbols. In 2023 however, it only takes eight months to crack.
- In 2020, it would have taken 5 years to crack a 10-character password with uppercase and lowercase letters, numbers and symbols. In 2023 however, it only takes 4 days to crack.
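The arithmetic behind those shrinking times is worth seeing once, because it also shows why one extra character matters more than a faster attacker's hardware. The following is an added example, not code from the original article and not the method behind the chart linked above; the guess rate of 10^12 guesses per second is a constructed figure for illustration, so the absolute times it prints will not match the chart. What does hold regardless of the rate: each added character multiplies the search by the size of the character set, while a faster machine only divides the time by its speed-up factor.

```python
import math
import string

# Assumed guess rate for illustration only (constructed, not from the page's chart).
ASSUMED_GUESSES_PER_SECOND = 1e12


def alphabet_size(password):
    """Size of the character set an exhaustive search must cover, inferred
    from the character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(length, alphabet):
    """Number of candidate passwords an exhaustive search must try."""
    return alphabet ** length


def seconds_to_crack(length, alphabet, guesses_per_second):
    """Worst-case time to exhaust the keyspace; the average case is half this."""
    return keyspace(length, alphabet) / guesses_per_second


def extra_chars_to_offset(speedup, alphabet):
    """How many characters must be added so that a `speedup`-times faster
    attacker needs at least as long as before: solve alphabet**k >= speedup."""
    return math.ceil(math.log(speedup) / math.log(alphabet))


def human_time(seconds):
    """Render seconds as the largest convenient unit, one decimal place."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    sample = "37Av@tArs"  # the page's example password
    n = alphabet_size(sample)
    for length in (len(sample), 12, 14, 18):
        for rate in (ASSUMED_GUESSES_PER_SECOND, ASSUMED_GUESSES_PER_SECOND * 1000):
            print(f"{length:2d} chars over {n} symbols at {rate:.0e} guesses/s: "
                  f"{human_time(seconds_to_crack(length, n, rate))}")
    print("characters needed to offset a 1000x faster attacker:",
          extra_chars_to_offset(1000, n))
```

With all four character classes in play the alphabet is 94 symbols, so going from 9 to 14 characters multiplies the search by 94^5 (about 7 billion), and a 1000-times faster attacker is fully offset by adding just two characters. That is the reason the page asks for 14 characters today and 18 to stay ahead of next year's hardware.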
Let’s bottom line this.
Follow these rules.
- Always use secure passwords. (Complex + Unique = Secure.)
- Always enable 2FA on any and every platform.
