23andMe recently disclosed a data breach in which hackers gained unauthorized access to approximately 14,000 customer accounts, or 0.1% of its customer base. The incident, which came to light in early October, involved a technique known as “credential stuffing,” in which hackers break into an account using a known password, potentially leaked from other breaches.
23andMe says hackers accessed files about users’ ancestry
The compromised data encompassed ancestry information for the initial 14,000 users. For a subset of these accounts, health-related information based on users’ genetics was also exposed. The breach’s ramifications, however, extended beyond the directly affected customers. This is due to 23andMe’s DNA Relatives feature, which enables users to share specific information with others who have opted into the feature, creating a network of interconnected profiles.
Consequently, by accessing one victim’s account, hackers could potentially view the personal data of individuals linked to that initial victim. While the company did not provide precise figures beyond the initial 14,000, it acknowledged that a “significant number” of files containing profile information about other users’ ancestry were compromised. Notably, 23andMe did not respond to inquiries seeking clarification on these figures, leaving users concerned about the scope of the breach.
The breach prompted immediate action from 23andMe, urging users to reset and change their passwords. Furthermore, the company advocated for the implementation of multi-factor authentication, a crucial step in enhancing security. By November 6, the company took a more assertive stance, requiring all users to use two-step verification, further fortifying the protection of user accounts. An analysis of the stolen data, later advertised on hacking forums, indicated that it included information about users’ genetic ancestry.
Ramifications of the attack and industry reactions
Some data sets matched details found in public genealogy records, suggesting that the exposed information might have been circulating online for years. The situation was exacerbated by a hacker’s attempt to sell the alleged records of millions of users, with prices ranging from $1 to $10 per individual. The breach initially came to public attention when hackers advertised the data of one million users of Jewish Ashkenazi descent and 100,000 Chinese users on a well-known hacking forum.
Subsequently, the same hacker expanded the offer to include an additional four million user records. Disturbingly, another hacker on a different forum had previously claimed to possess a massive 300 terabytes of stolen 23andMe user data, seeking a significant sum for the entire database or offering subsets for sale. In response to this widespread data exposure, 23andMe’s security measures evolved. The forced password resets and the encouragement of multi-factor authentication were initial steps to mitigate the breach’s impact.
The subsequent mandatory implementation of two-step verification aimed to enhance user security and prevent unauthorized access. The repercussions of the 23andMe breach extended beyond the company itself. In the aftermath, other DNA testing companies, such as Ancestry and MyHeritage, also took steps to fortify their security measures by mandating two-factor authentication for their users. This incident underscored the growing challenges faced by companies dealing with sensitive genetic and personal data, emphasizing the need for robust cybersecurity measures to protect user information from malicious actors.