A07 · Authentication Failures

✗ 13,999 rejected✓ 1 matched

A07

OWASP Top 10 · 2025

Authentication Failures

14,000 reused passwords. No MFA. No anomaly detection. Five months unnoticed. 6.9 million genetic profiles exposed.

// 23andMe — 2023 — five months, nobody noticed

In April 2023, an attacker began feeding stolen credentials from previous breaches into 23andMe's login page. The credentials came from other companies' breaches — LinkedIn, Adobe, Dropbox. Users had reused their passwords. 23andMe didn't require MFA. The password minimum was eight characters. There was no credential stuffing detection. The attack ran for five months.

Apr '23

Attack begins

Jul '23

1M logins in one day

Aug '23

"Hoax" dismissed

Oct '23

Data sold online

Dec '23

6.9M confirmed

Mar '25

Bankruptcy filed

↑ click any event to see what happened ↑

// identify the authentication failure

14,000 accounts were directly compromised. But 6.9 million profiles were exposed. What turned a credential stuffing attack into a mass data breach?

🔑 Weak passwords

Users chose passwords that were easy to guess, making their accounts vulnerable to brute force.

🔗 No MFA + data sharing cascade

No second factor required, and DNA Relatives automatically shared profiles with genetic matches.

🕵️ No encryption

The genetic data was stored unencrypted and could be downloaded without verification.

🌐 API vulnerability

An unpatched API endpoint allowed the attacker to bypass the normal login flow entirely.

// find the authentication failure

Express.js login endpoint. The password check works. The session is created correctly. One missing control makes this endpoint a credential stuffing target. Click the line.

auth/login.js

// the cascade

step 1 of 4

Break the chain at every link.

missing

added

No single fix would have prevented the entire breach. But any one of these would have dramatically reduced the blast radius.

🎯 the one habit

Enforce MFA — not optional. Check passwords against breach databases at registration. Assume every password in your database has been compromised elsewhere.

Node.js

Python

Java

auth/login.js

click the dot

// knowledge check

1 / 3

A credential stuffing attack tests 10 million stolen credential pairs against your login endpoint. The typical success rate is 0.1%. How many accounts are compromised?

A — 10,000 accounts — and each one can access data shared by connected users, multiplying the impact

B — Effectively zero — modern password hashing makes credential reuse attacks computationally infeasible

C — Approximately 100 accounts — the success rate drops significantly on well-built login endpoints

// knowledge check

2 / 3

After the breach, 23andMe argued that users were at fault for reusing passwords. Who bears the security responsibility?

A — The users entirely — they chose weak passwords and reused them across services against all advice

B — The original breached companies — they leaked the credential pairs that made the attack possible

C — The platform — it must assume credential reuse and defend against it with MFA, rate limits, and detection

// knowledge check

3 / 3

OWASP recommends treating passwords as a sole authentication factor as fundamentally insufficient. What alternative does NIST 800-63 now endorse?

A — Longer passwords with mandatory complexity rules, special characters, and forced rotation every 90 days

B — Multi-factor authentication on all important systems, with password complexity rules simplified, no rotation

C — Biometric-only authentication replacing passwords entirely, with fingerprint or facial recognition required

// self-check complete

// the mental model

carry this into your next auth review

Passwords are shared secrets that have already been shared. Your authentication layer must assume every password in your database has been compromised somewhere else — and still hold.

A07 · Authentication Failures

Scope in 2025

Credential stuffing · session fixation · missing MFA · hardcoded credentials · weak recovery

▶

A07 holds #7 in 2025 with a name change from "Identification and Authentication Failures" to "Authentication Failures." 36 CWEs mapped, 1.12M occurrences, 7,147 CVEs. Key CWEs: CWE-259 (hardcoded password), CWE-287 (improper authentication), CWE-384 (session fixation), CWE-798 (hardcoded credentials). Verizon's 2025 DBIR: compromised credentials were the initial access vector in 22% of breaches. OWASP now explicitly includes hybrid password spray attacks alongside classic credential stuffing. Ownership is split: developers must enforce MFA in the flows they own; the platform team owns the identity provider (IdP), edge rate limiting, bot detection, impossible-travel rules, and anomaly detection. Both sides must act.

First fix

Enforce MFA on all accounts — not optional, not "recommended," required

▶

23andMe offered MFA since 2019 but didn't require it. After the breach, they made it mandatory — too late. OWASP and NIST 800-63 both recommend: enforce MFA on all important systems. Stop requiring password rotation and complex character rules (users circumvent them with Password1! → Password2!). Use breached password checking (Have I Been Pwned API) to reject known-compromised passwords at registration and change time. Note: an 8-character minimum alone isn't the failure — NIST 800-63B accepts 8 characters as a floor. The real failures at 23andMe were no MFA, no breach-corpus check, and no stuffing detection. Length policy is the least important layer.

Defence in depth

Rate limiting · anomaly detection · session management · credential screening

▶

Rate limit login attempts per account (not just per IP). Log all failures and alert on spikes. Detect anomalous logins — new country, new device, impossible travel. Invalidate sessions on logout, enforce idle timeouts, and generate new session IDs after login (prevents session fixation). Check passwords against breach databases at registration. Use a well-tested auth library or service — don't build your own.

// check your authentication today

Five things you can verify right now.

Multi-factor authentication

Is MFA required — not optional — for all user accounts?

Is rate limiting per account, not just per IP? What happens after 5 failures?

Breached password checking

Do you check passwords against Have I Been Pwned at registration and change?

Session management

New session ID after login? Invalidated on logout? Idle timeout enforced?

Anomaly detection

Would you detect a login from a new country? 1,000 failures in an hour? A 5-month slow attack?

0 / 5