Genetic testing company 23andMe recently disclosed to the U.S. Securities and Exchange Commission that they had a data breach which affected approximately 14,000 customer accounts. The breach exposed a fraction of the company’s vast customer base to unauthorized access and potential misuse of sensitive information.
Incident Overview
23andMe reported that the breach constituted only 0.1% of its customer base, totaling around 14,000 accounts. While the company stated that the majority of the compromised data included ancestry information, a subset of accounts had health-related information exposed based on users’ genetics. Additionally, the hackers gained access to a substantial number of files containing profile information about users who had opted into 23andMe’s DNA Relatives feature.
The specifics of the “significant number” of files and the impact on these “other users” remain undisclosed by 23andMe. The company did not provide details on the scope of the breach or clarify the extent to which users’ information was compromised.
The breach was executed through a method known as “credential stuffing,” a common technique where cybercriminals utilize known passwords, possibly obtained from other data breaches, to gain unauthorized access to user accounts. 23andMe did not disclose how the attackers obtained the initial set of credentials.
The aftermath of the breach extended beyond the 14,000 users directly affected. 23andMe’s DNA Relatives feature, which allows users to share information with others, meant that the hackers could access the personal data of individuals connected to the initially compromised accounts.
In response to the security incident, 23andMe implemented password resets for affected users and strongly encouraged the adoption of multi-factor authentication. By November 6, the company made two-step verification mandatory for all users, aiming to enhance account security and prevent further unauthorized access.
The breach gained public attention when hackers advertised the alleged data of one million users of Jewish Ashkenazi descent and 100,000 Chinese users on a prominent hacking forum. Subsequently, the same hacker attempted to sell the records of an additional four million users, prompting concerns about the extensive reach of the compromised data.
Following the 23andMe breach, other DNA testing companies, such as Ancestry and MyHeritage, took proactive steps by mandating two-factor authentication for their users. This move reflects a collective effort within the industry to fortify security measures and protect customer data.
Photo: Unsplash
