Lessons from the 23andMe Breach and NIST SP 800-63B

Preventing Credential Stuffing

Introduction

In 2023, personal genomics company 23andMe suffered a major data breach that exposed sensitive genetic and personal information of nearly 7 million people. The breach was ultimately traced to a credential stuffing attack, in which hackers used lists of stolen username/password pairs from previous breaches to hijack 23andMe user accounts. This incident demonstrates the dangers of weak password practices. It also demonstrates the grave consequences of ignoring modern password security guidelines like NIST Special Publication 800-63B, which explicitly addresses these issues.

Less than 18 months after the breach, 23andMe was hit by an avalanche of lawsuits and declared Chapter 11 bankruptcy in March 2025. CISOs and security teams should study this case to understand how credential stuffing prevention failures – from not screening for compromised passwords to lack of rate limiting and poor authorization design – can devastate an organization. This blog post, which accompanies the video below, examines the 23andMe breach as a case study, explains the importance of adhering to NIST’s password guidelines, and provides actionable recommendations to help prevent credential stuffing attacks.

Case Study: The 23andMe 2023 Breach

Credential Stuffing Unleashed: In October 2023, 23andMe disclosed that a hacker had accessed data from approximately 7 million customer accounts. The attacker initially compromised around 14,000 user accounts by leveraging credential stuffing – trying username/password combos stolen from other sites until some worked on 23andMe. Because many 23andMe users reused passwords that had been exposed elsewhere, the attacker easily gained footholds. The attack succeeded due to absent protections: 23andMe did not adequately detect or throttle the rapid login attempts. In short, weak password hygiene and missing defenses opened the door.

Data Exposure via Poor Authorization: The impact of the breach was magnified by a design flaw in 23andMe’s systems. The attacker exploited an interconnected data-sharing feature (“DNA Relatives” and family tree tools) that allowed one compromised account to retrieve data from many other connected profiles. As a result, a breach of ~14,000 accounts snowballed into exposure of ~7 million users’ data including names, photos, birth years, locations, ancestry details, and even health information. This poor authorization design violated the principle of least privilege: a single account had access to far more data than it should have. The 23andMe breach illustrates how not implementing strict access controls can turn a small intrusion into a catastrophic data leak.

Immediate Aftermath: Once the incident came to light (sparked by hackers selling 23andMe profiles on a dark web forum, the company scrambled to respond. It forced password resets for all users; but the damage was done – personal genetic data was circulating online, and the incident sparked outrage. Multiple class-action lawsuits alleged negligence and privacy violations by 23andMe. Regulators also took notice; for example, the California Attorney General publicly urged 23andMe customers to delete their data from the service. All of this was a direct consequence of security oversights that could have been prevented.

From Breach to Bankruptcy: The Cost of Ignoring Best Practices

The fallout from 23andMe’s breach was severe and ultimately existential for the company. Trust in the platform evaporated as news spread that attackers had obtained sensitive DNA-related information. About half of 23andMe’s customer base was affected. User confidence plummeted – many of the 15 million customers scrambled to delete their genetic data from 23andMe’s archives. Revenues fell sharply as new business dried up. The company faced not only lawsuits but also enormous reputational damage and customer attrition.

By March 2025, 23andMe filed for voluntary Chapter 11 bankruptcy protection, seeking to restructure and sell off assets. In the bankruptcy announcement, 23andMe’s leadership acknowledged the 2023 data breach had inflicted a lasting blow. The breach invited litigation and liabilities, and even in bankruptcy proceedings there were concerns about personal data being treated as an asset for sale. In short, ignoring fundamental password security practices and NIST guidelines led to a breach with consequences so costly that it helped drive a once high-flying company into insolvency. For CISOs, this case is a reminder that lax password controls and poor security design can directly threaten an organization’s survival.

Credential Stuffing and NIST SP 800-63B Password Guidelines

Credential stuffing is a form of brute-force attack where attackers take usernames and passwords leaked from other breaches and try them on new targets, banking on the fact that users often reuse credentials. It’s an incredibly common tactic – and as 23andMe learned, it’s devastatingly effective when basic defenses are absent. What makes credential stuffing successful? In 23andMe’s case, several failures aligned with what NIST SP 800-63B warns against:

• Use of Compromised Passwords: Many 23andMe users had chosen passwords that were already exposed in past breaches. The company did not screen or block these known compromised passwords during account creation or resets. NIST’s guidelines explicitly recommend checking new passwords against breach corpuses and disallowing those found in lists of common or compromised passwords. Had 23andMe implemented such screening, it could have prevented users from keeping insecure, reused passwords – cutting off the fuel that fed the credential stuffing attack.
• Lack of Rate Limiting on Logins: The attackers were able to bombard 23andMe’s login system with thousands of credential attempts (potentially distributed across many IPs to avoid simple IP blocks). There was no effective rate limiting or throttling to stop this onslaught. NIST SP 800-63B clearly mandates that verifiers “implement a rate-limiting mechanism” to limit the number of failed login attempts on an account. Without throttles, the attackers could try an unlimited number of stolen credential pairs, dramatically increasing their success rate. Proper rate limiting (and anomaly detection for login behavior) would have slowed or stopped the credential stuffing in its tracks.
• Poor Least-Privilege Design: Finally, 23andMe’s authorization model violated the principle of least privilege. Users who opted into the DNA Relatives feature could unwittingly expose their data to anyone who compromised a relative’s account, due to overly broad data-sharing permissions. Security frameworks (such as NIST SP 800-53) emphasize designing systems so that even if one account is breached, it cannot massively exploit data from others. In practice, 23andMe should have restricted the amount of data accessible via any single account and monitored for abnormal access patterns (e.g. one account downloading thousands of profiles). The failure to do so turned a credential stuffing incident into a multi-million record breach.

In summary, 23andMe’s breach clearly shows why the NIST SP 800-63B password guidelines exist. The standard advises organizations to adopt modern password policies: use 8+ character passwords (encouraging longer passphrases), drop arbitrary complexity rules, avoid forced periodic resets, but critically block passwords known to be compromised. These measures directly address the weak points that credential stuffing exploits. By ignoring NIST’s guidance, 23andMe left itself vulnerable.

Best Practices for Credential Stuffing Prevention

To protect your organization from credential stuffing and similar attacks, security leaders should implement a multilayered defense. Below are key technical best practices (many derived from NIST guidelines) that CISOs can act on immediately:

• Real-Time Password Screening: Enforce real-time checks of all new or changed passwords against a dynamic blocklist of compromised or common passwords. This ensures users (or administrators) cannot set a password that is known to be unsafe. Screening credentials against billions of leaked passwords and dictionary words is one of the most effective ways to strengthen password security. By catching weak or reused passwords at creation, you neutralize the fuel for credential stuffing attacks.
• Enforce Strong, Unique Passwords: Establish policies that encourage or require passwords to be unique to your organization and not reused on other services. Users should create passwords of significant length (NIST suggests 8+ characters minimum) without restrictive complexity rules – and those passwords must not have appeared in any prior breach. Regularly remind employees not to use corporate credentials elsewhere. The goal is to minimize credential reuse and ensure that a breach on another site cannot translate into a breach of your systems.
• Monitor for Credential Compromise: Don’t rely on one-and-done password checks. Continuously monitor for indications that user passwords or accounts have been exposed in a breach. Subscribe to breach notification feeds or use APIs that alert you when a known username/password combination from your domain appears in new dumps. If an employee’s credentials show up in a breach corpus, take proactive action: reset that password, investigate for any suspicious logins, and coach the user on security. Real-time compromised credential monitoring acts as an early warning system before attackers can exploit the data.
• Rate Limiting and Anomaly Detection: Implement strict rate limiting on authentication attempts to thwart automated attacks. For example, after a few failed login attempts, exponentially back off or temporarily lock the account (and alert the user). Additionally, use anomaly detection on login activity: flag logins from unusual locations, impossible travel between logins, or high-volume login attempts across many accounts. Modern bot detection solutions can also identify and block credential stuffing tools even when they rotate IP addresses. Throttling and smart detection significantly raise the cost for attackers and can shut down credential stuffing efforts before they succeed.
• Least-Privilege Architecture: Design applications and data access with least privilege in mind. Compromises can happen, but intentional architecture limits the blast radius. Audit what each account or service is truly authorized to access and segment data aggressively. For example, prevent large-scale data pulls from user-level accounts, and use context-based access controls to detect unusual data access patterns. Also ensure that one compromised user account cannot directly fetch massive amounts of other users’ private information. By containing what an attacker can do with one set of credentials, you turn a potential large breach into a much more manageable incident.

By implementing the above practices, organizations can achieve true credential stuffing prevention rather than reacting after the fact. These measures align closely with NIST SP 800-63B and other industry standards – and, more importantly, they have been proven to mitigate the very weaknesses that attackers exploited at 23andMe.

Enforcing NIST Guidelines with Enzoic’s Solutions

While the best practices above can be implemented with sufficient time and ongoing engineering effort, many organizations find it challenging to operationalize continuous password security on their own. This is where Enzoic’s solutions come into play – offering turnkey tools to help enterprises proactively enforce NIST password standards and stop credential stuffing.

Enzoic for Active Directory: For organizations using Microsoft Active Directory, Enzoic provides a seamless way to harden your password policy and monitor credentials in real-time. Enzoic for Active Directory is an easy-to-install plugin that continuously checks new and existing AD passwords against a massive database of known breached passwords and unsafe password patterns. If a user tries to set a password that is found in Enzoic’s extensive blacklist (built from billions of compromised credentials), it will be rejected, enforcing NIST’s blacklist requirements automatically. The plugin also monitors AD passwords continuously by sending secure hash queries to Enzoic’s cloud database, so if an employee’s password later appears in a new breach, the system can immediately flag the account and prompt a reset. Enzoic for Active Directory essentially ensures that every password in your domain remains in compliance with NIST 800-63B guidelines with minimal admin effort. This drastically reduces the window of exposure for credential stuffing attacks using previously compromised passwords. (Learn more about Enzoic for Active Directory here.)

Enzoic APIs: For non-AD environments, customer-facing applications, or any scenario where you need flexible integration, Enzoic offers APIs. The Enzoic APIs allow you to integrate with Enzoic’s massive database of breached accounts and compromised credentials in your own systems. For example, using Enzoic’s Passwords API or Credentials API, a CISO can have their development team add real-time password checks and user credential monitoring to an enterprise application or customer portal. The APIs support hashed queries (so you don’t expose plaintext passwords) and can return information about whether a given credential has appeared in public breach data. This makes it straightforward to screen user passwords at signup or login and prevent the use of known breached passwords. In addition, Enzoic’s APIs enable ongoing monitoring – you can programmatically query for exposures of your users’ emails or set up webhooks to be alerted when new breaches including your domains are discovered. In short, the API solution gives you multiple options for proactively avoiding credential exposure and stopping attackers before they get in. (Explore Enzoic’s API documentation for technical details.)

By leveraging Enzoic for Active Directory and Enzoic’s APIs, organizations can dramatically improve their credential defense posture without reinventing the wheel. These tools embody a defense-in-depth approach: they continuously eliminate compromised passwords from your environment, provide real-time alerts if new exposures occur, and help ensure your password policies meet NIST guidelines by default. As an added benefit, removing weak passwords and reducing forced resets improves the user experience and lowers IT support burdens; security is enhanced without frustration for end-users. With Enzoic, organizations can confidently shut the door on credential stuffing while freeing up their security teams to focus on other threats.

Conclusion and Call to Action

The 23andMe breach is a reminder that even innovative companies with valuable data can be brought down by something as basic as weak password security. Credential stuffing prevention must be a top priority for security teams in every industry. The costs of inaction are simply too high, as 23andMe’s bankruptcy shows. Fortunately, we know what works: adhering to standards like NIST SP 800-63B, deploying modern password controls, and using tools that continuously screen and monitor credentials for compromise. By implementing the best practices outlined above, and leveraging solutions like Enzoic for Active Directory and Enzoic’s APIs to automate and maintain those practices, organizations can stay one step ahead of attackers.

Don’t wait for a breach to force your hand. Take proactive action now to harden your password defenses and eliminate the easy openings for attackers. Enzoic’s enterprise-ready solutions can help you get there quickly, whether by upgrading your Active Directory password security or integrating breach monitoring into your applications. The downfall of 23andMe shows that the consequences of ignoring password security are dire, but with the right strategy and tools, credential stuffing and password-based attacks are preventable.

Protect your organization by making credential hygiene and monitoring a core part of your security program – and consider Enzoic as a partner to achieve that goal.

AUTHOR

Josh Parsons

Josh is the Product Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.