Data Breach at 23andMe Exposes 7 Million Users
23andMe, a prominent DNA testing and ancestry service, has confirmed a significant data breach affecting nearly 7 million of its customers. The breach, which occurred in October, exposed sensitive health-related information, including predispositions to diseases, raising concerns about user privacy and the security of genetic data.
The unauthorized access involved hackers using stolen credentials to compromise approximately 14,000 accounts, constituting 0.1% of the user base. The breach primarily targeted the DNA Relatives feature on the platform, a tool that allows users to explore profiles of individuals they are genetically related to.
Evolution of the Data Leak
The breach was initially reported to impact 5.5 million users through the exposure of DNA Relatives profiles; an additional 1.4 million users were affected by the exposure of Family Tree profiles. The leak, affecting almost 6.9 million customers, resulted from the systematic scraping of information shared by users who had opted into the DNA Relatives feature.
Targeting Specific Communities
The threat actors behind the breach, including an individual with the alias “Golem,” claimed to have targeted specific communities. Information from over 1 million Ashkenazi Jewish users and 300,000 Chinese users was leaked on October 1. Later, on October 17, data from an additional 4.1 million profiles of British and German customers was reportedly exposed, bringing the total number of affected users to more than 7 million.
Nature of the Leaked Information
The compromised data includes users’ display names, ancestry reports, and sensitive health-related information. Predispositions to diseases such as type 2 diabetes and Parkinson’s, along with carrier status for genetic conditions like cystic fibrosis and Tay-Sachs disease, were among the exposed details.
Response and Mitigation Efforts by 23andMe
23andMe took immediate action by temporarily disabling features within the DNA Relatives tool and working to remove the leaked information from public access. The company emphasized its commitment to notifying affected customers in compliance with legal requirements.
The report from 23andMe states, “As of the filing date of this Amendment, the Company believes that the threat actor activity is contained.” The company also implemented security measures, including a mandatory password reset for all users on October 9 and encouraging users to enable multi-factor authentication. Further steps were taken on November 6, when customers were required to use email 2-step verification on their accounts. 23andMe clarified that the unauthorized access resulted from credential stuffing attacks, with no indication of a breach within its own systems.
As 23andMe works to contain the aftermath of the breach and enhances its security measures, users are urged to remain vigilant about protecting their online accounts. This incident serves as a reminder of the broader implications of sharing sensitive genetic and health-related data on digital platforms, emphasizing the need for robust security practices in the rapidly evolving landscape of personal genomics.