Data Breach at 23andMe Exposes 7 Million Users
23andMe, a prominent DNA testing and ancestry service, has confirmed a significant data breach affecting nearly 7 million of its customers. The breach, which occurred in October, exposed sensitive health-related information, including predispositions to diseases, raising concerns about user privacy and the security of genetic data.
The unauthorized access involved hackers using stolen credentials to compromise approximately 14,000 accounts, constituting 0.1% of the user base. The breach primarily targeted the DNA Relatives feature on the platform, a tool that allows users to explore profiles of individuals they are genetically related to.

Evolution of the Data Leak
The breach was initially reported to impact 5.5 million users through the exposure of DNA Relatives profiles; an additional 1.4 million users were affected by the exposure of Family Tree profiles. The leak, affecting almost 6.9 million customers, resulted from the systematic scraping of information shared by users who had opted into the DNA Relatives feature.
Targeting Specific Communities
The threat actors behind the breach, including an individual with the alias “Golem,” claimed to have targeted specific communities. Information from over 1 million Ashkenazi Jewish users and 300,000 Chinese users was leaked on October 1. Later, on October 17, data from an additional 4.1 million profiles of British and German customers was reportedly exposed, bringing the total number of affected users to more than 7 million.
Nature of the Leaked Information
The compromised data includes users’ display names, ancestry reports, and sensitive health-related information. Predispositions to diseases such as type 2 diabetes and Parkinson’s, along with carrier status for genetic conditions like cystic fibrosis and Tay-Sachs disease, were among the exposed details.
Response and Mitigation Efforts by 23andMe
23andMe took immediate action by temporarily disabling features within the DNA Relatives tool and working to remove the leaked information from public access. The company emphasized its commitment to notifying affected customers in compliance with legal requirements.
The report from 23andMe states, “As of the filing date of this Amendment, the Company believes that the threat actor activity is contained.” The company also implemented security measures, including a mandatory password reset for all users on October 9 and encouraging users to enable multi-factor authentication. Further steps were taken on November 6, when customers were required to use email 2-step verification on their accounts. 23andMe clarified that the unauthorized access resulted from credential stuffing attacks, with no indication of a breach within its own systems.
As 23andMe works to contain the aftermath of the breach and enhances its security measures, users are urged to remain vigilant about protecting their online accounts. This incident serves as a reminder of the broader implications of sharing sensitive genetic and health-related data on digital platforms, emphasizing the need for robust security practices in the rapidly evolving landscape of personal genomics.

