
News Insights: 23AndMe with Alethe Denis, Security Expert - Red Team

Alethe Denis, a Bishop Fox Senior Red Team consultant and Social Engineering expert, reveals her quick-take perspective on what she sees as different about the 23AndMe breach, and how it’s viewed by someone who is a career social engineer.

In an SEC filing on Friday, Dec 1, genetic testing company 23andMe provided some, but not all, of the details around a compromise first reported in October. Alarmingly, in the weekend since the SEC report, the compromise has grown from 14,000 users, or 0.1% of the customer base, to nearly 7 million “affected” users, or half of the customer base. This is due to the sharing of profiles and genetic data between users and their relatives or potential familial connections. The reports state:

  • The initial 14,000 users exposed “ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.”
  • 5.5 million people who had opted in to the “DNA Relatives” sharing feature had exposed information including name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.
  • An additional 1.4 million people who opted in to “DNA Relatives” also “had their Family Tree profile information accessed,” which includes display names, relationship labels, birth year, self-reported location, and whether the user decided to share their information.

With news awash in all types of breaches on virtually a daily basis, some will put this on the ever-growing pile of “Personally Identifiable Information” (PII) exposures, and/or focus on the supposed password reuse that was the catalyst for the initial compromise. However, we wanted to go a little deeper. We asked Alethe Denis, a Bishop Fox Senior Red Team consultant and Social Engineering expert, for her quick-take perspectives on what she sees as different about this breach, and how it’s viewed by someone who is a career social engineer. With regard to the specifics of what data is available and the connective threads between users, Alethe offers up how she would approach using the information to underpin a social engineering campaign, some of the creative and specific things she’d consider, and what she would counsel 23andMe users to be on the lookout for.


About the author, Alethe Denis

Senior Security Consultant

Alethe Denis is a Senior Security Consultant at Bishop Fox. She is best known for social engineering, open-source intelligence (OSINT), and performing security assessments and trainings for both the private and public sectors, with an emphasis on critical infrastructure organizations. Alethe was awarded a DEF CON Black Badge at DEF CON 27 for winning the 10th annual Social Engineering Capture the Flag (SECTF) contest. Using both OSINT and social engineering skills, she compromised her target Fortune 500 company using just a telephone. She, along with her teammates, received a bronze, silver, most valuable OSINT, and black badge award from a series of TraceLabs capture-the-flag contests, including first place in

She’s a frequent conference speaker and podcast guest, including speaking at DerbyCon, BsidesSF and ConINT, as well as an appearance on the TraceLabs, Layer 8 Conference, and Darknet Diaries podcasts.

Alethe is always focused on giving back to the information and cybersecurity community, including her work conducting free Security Awareness Trainings and hosting workshops for people who want to get into the cybersecurity industry.

