23andMe has acknowledged that hackers successfully breached the data of 6.9 million users, shedding light on the scale of the recent security incident.

[Photo: a saliva collection kit for DNA testing displayed in Washington DC on December 19, 2018. Between 2015 and 2018, sales of DNA test kits boomed in the United States and allowed websites to build a critical mass of DNA profiles. Credit: ERIC BARADAT/AFP via Getty Images]

Verifying Security Breach

23andMe has verified that a recent security breach resulted in the exposure of data belonging to 6.9 million users. Andy Kill, the company's spokesperson, communicated that the breach impacted approximately 5.5 million users who had activated the DNA Relatives feature.

The Verge reported that this feature was designed to connect users with similar genetic profiles. Furthermore, an additional 1.4 million individuals experienced unauthorized access to their family tree profiles.

The compromised data includes details such as display names, predicted relationships, shared DNA amounts, ancestry reports, self-reported locations, ancestor birth details, family names, profile pictures, and more.

For the additional 1.4 million users engaged in the DNA Relatives feature, their family tree profiles were accessed. This feature includes display names, relationship labels, birth years, and self-reported locations. 


In a recent filing with the Securities and Exchange Commission (SEC) on December 1st, 23andMe disclosed that the breach resulted from a credential stuffing attack. This type of attack involves using login credentials obtained from other security breaches, often due to password reuse. 

The threat actor gained direct access to 0.1 percent of user accounts, equating to roughly 14,000 users. Subsequently, the attackers leveraged the DNA Relatives feature to access additional information from millions of other profiles that shared similar ancestry connections.

The company acknowledged that the hacker successfully accessed a significant number of files through the Relatives feature, although the specific quantity was not disclosed. 
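The two stages described above, credential stuffing with reused passwords followed by bulk reads through a relative-matching feature, leave different traces in a service's logs. The following added example (not 23andMe's code and not from the article) runs two simple detection checks over constructed login and feature-access records; the record layout, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample login records: (timestamp, source IP, username, login succeeded).
# Addresses are from RFC 5737 documentation ranges, not real hosts.
LOGIN_EVENTS = [
    ("2023-10-01T10:00:00", "203.0.113.7", "alice", True),   # one spray source,
    ("2023-10-01T10:00:01", "203.0.113.7", "bob", False),    # many accounts,
    ("2023-10-01T10:00:02", "203.0.113.7", "carol", False),  # mostly failures
    ("2023-10-01T10:00:03", "203.0.113.7", "dave", False),
    ("2023-10-01T10:00:04", "203.0.113.7", "erin", False),
    ("2023-10-01T10:00:05", "203.0.113.7", "frank", False),
    ("2023-10-01T11:15:00", "198.51.100.5", "alice", True),  # ordinary login
    ("2023-10-02T09:30:00", "192.0.2.9", "bob", False),      # typo, then retry
    ("2023-10-02T09:30:20", "192.0.2.9", "bob", True),
]

# Constructed sample feature-access records: (username, relative profiles fetched).
RELATIVE_VIEWS = [("alice", 1500), ("alice", 900), ("bob", 40), ("carol", 12), ("carol", 5)]


def credential_stuffing_sources(events, min_accounts=5, max_success_rate=0.3):
    """Return source IPs that tried many distinct accounts with a low success rate,
    the signature of a list of reused credentials being replayed against the site."""
    by_ip = defaultdict(lambda: {"users": set(), "ok": 0, "total": 0})
    for _, ip, user, ok in events:
        rec = by_ip[ip]
        rec["users"].add(user)
        rec["total"] += 1
        rec["ok"] += int(ok)
    return sorted(ip for ip, r in by_ip.items()
                  if len(r["users"]) >= min_accounts
                  and r["ok"] / r["total"] <= max_success_rate)


def scraping_accounts(views, max_profiles=200):
    """Return accounts that fetched far more relative profiles than a person browsing
    their matches plausibly would; such accounts are candidates for rate limiting."""
    totals = defaultdict(int)
    for user, n in views:
        totals[user] += n
    return sorted(user for user, n in totals.items() if n > max_profiles)


if __name__ == "__main__":
    print("stuffing sources:", credential_stuffing_sources(LOGIN_EVENTS))
    print("scraping accounts:", scraping_accounts(RELATIVE_VIEWS))
```

Note that the account flagged by the second check is the same one the first check shows being logged into from the spray source, which is the pivot the article describes: one stuffed login becomes a read of many other members' data.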

23andMe spokesperson Kill stated that the company still has no indication that there has been a data security incident within its systems, or that 23andMe was the source of the account credentials used in these attacks.

This declaration contrasts with the reality that information from 6.9 million users is now compromised. Most of those affected had opted into a feature offered by 23andMe, and the company neither restricted access to the information shared through it nor required additional account security measures that could have prevented the breach.

Initial Signs

The initial signs of trouble emerged in October when 23andMe confirmed that user information was available for purchase on the dark web, as reported by TechCrunch.

Subsequently, the genetic testing site announced an investigation into a hacker's assertions of leaking 4 million genetic profiles, encompassing individuals from Great Britain and the wealthiest people living in the U.S. and Western Europe.

As part of its response, 23andMe is actively notifying affected users and urging them to reset their passwords. Additionally, the platform has instituted mandatory two-step verification for both new and existing users, a measure that was previously optional.


Written by Inno Flores

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.