On December 4th, 2023, genetic testing company 23andMe confirmed a significant data breach impacting 6.9 million users. The breach, which was first reported by TechCrunch in October 2023, involved hackers gaining access to user data through a combination of credential stuffing and exploiting the “DNA Relatives” feature.
The hackers reportedly accessed the company’s servers and stole a ‘significant number’ of files containing ancestry data. Initially, 23andMe announced that personal data of about 0.1% of customers, or roughly 14,000 individuals, had been accessed. However, it was later confirmed that an additional 6.9 million users had their ancestry data stolen.
Details of the Breach:
- Number of Users Affected: 6.9 million
- Data Accessed: Ancestry information, health-related information for a subset of users, and family tree information for users who opted into the “DNA Relatives” feature.
- Method of Access: Credential stuffing (reusing username and password pairs leaked from other websites against 23andMe accounts) and exploiting the “DNA Relatives” feature, which exposed the profile data of each compromised account’s matches.
- Timeline: Initial breach acknowledged in October 2023, additional details revealed in December 2023.
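The two access methods above are what a detection team would look for in authentication logs: one source sweeping many distinct usernames with a low success rate is the signature of credential stuffing, and every account that did succeed from such a source is a pivot into other users’ DNA Relatives data. The following is an added example, not code from the article or from 23andMe; the log format, IP addresses and usernames are constructed.

```python
from collections import defaultdict

# Constructed sample auth log lines: timestamp, source IP, username, result.
# One source tries six different accounts and lands two; another is a single
# user mistyping their own password twice before succeeding.
SAMPLE_LOG = """\
2023-10-01T02:00:01 203.0.113.7 alice@example.com FAIL
2023-10-01T02:00:02 203.0.113.7 bob@example.com FAIL
2023-10-01T02:00:03 203.0.113.7 carol@example.com OK
2023-10-01T02:00:04 203.0.113.7 dave@example.com FAIL
2023-10-01T02:00:05 203.0.113.7 erin@example.com FAIL
2023-10-01T02:00:06 203.0.113.7 frank@example.com OK
2023-10-01T02:00:07 198.51.100.9 alice@example.com FAIL
2023-10-01T02:00:08 198.51.100.9 alice@example.com FAIL
2023-10-01T02:00:09 198.51.100.9 alice@example.com OK
"""


def parse(log):
    """Yield (timestamp, ip, user, result) tuples from the constructed format."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield ts, ip, user, result


def detect_credential_stuffing(log, min_accounts=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct accounts with mostly failures.

    A legitimate user retries one account; a stuffing run tries each leaked
    pair roughly once across many accounts, so distinct usernames per source
    and the success ratio separate the two. Thresholds are assumptions to
    tune against real traffic. Returns {ip: {"accounts_tried", "compromised"}}
    where "compromised" is the set of accounts that succeeded from that IP.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": set()})
    for _, ip, user, result in parse(log):
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if result == "OK":
            stats["ok"].add(user)
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = len(stats["ok"]) / stats["attempts"]
        if len(stats["users"]) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = {"accounts_tried": len(stats["users"]),
                           "compromised": sorted(stats["ok"])}
    return flagged


def accounts_to_reset(log):
    """Accounts that logged in from a flagged source: force a password reset
    and MFA enrolment, and review what their DNA Relatives view exposed."""
    return sorted({u for hit in detect_credential_stuffing(log).values()
                   for u in hit["compromised"]})
```

Only the accounts that succeeded need containment, but the sweeping source itself should be blocked or rate-limited before it reaches the success threshold.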
The Scope of the Breach:
- 5.5 million DNA Relatives profiles: This included display names, login activity, percentage of DNA shared with matches, predicted relationships, self-reported location, birth year, family tree details, and potentially uploaded photos.
- 1.4 million Family Tree profiles: Hackers gained access to display names, relationship labels, birth years, and geographic locations (if shared).
The first indication of the breach emerged in October when a hacker posted online claiming to possess 23andMe user profile information. This information, disclosed by 23andMe in a Securities and Exchange Commission filing, served as the initial alarm bell.
The Stolen Data
The hackers gained access to information from 5.5 million DNA Relatives profiles. This includes the display name, how recently the user logged into their account, the percentage of DNA shared with each DNA Relatives match, and the predicted relationship with that person. It may also include self-reported information such as geographic location, birth year, family tree details and any photos the user uploaded.
In addition, hackers were able to access the Family Tree profile information of about 1.4 million other customers participating in the DNA Relatives feature. This includes display names and relationship labels, and may also include birth year and geographic location if the user chose to share that data.
The Aftermath
23andMe has launched an investigation into the breach with the help of third-party forensic experts. The company has also taken steps to improve security, including requiring two-factor authentication for all users. The incident is likely to prompt a review of security protocols, not only at 23andMe but across the industry.
As the investigation continues, users are advised to monitor their accounts for any suspicious activity and to report any concerns to 23andMe directly. The company is expected to provide updates as more information becomes available.
This incident serves as a stark reminder of the importance of robust cybersecurity measures in protecting sensitive user data. It also highlights the need for transparency from companies in communicating such incidents to their users and the public.