23andMe Data Breach: Hackers Access Thousands of User Accounts
2 min read23andMe, a leading genetic testing company, recently announced a significant data breach that compromised around 14,000 customer accounts. This incident sheds light on the vulnerabilities of personal and genetic information stored online.
Details of the Breach
Scale of the Breach
- Affected Accounts: Hackers accessed approximately 0.1% of 23andMe’s customer base, amounting to around 14,000 accounts.
- Extent of Data Exposure: The breach exposed not only the account holders’ data but also information of users connected through the DNA Relatives feature.
Nature of the Compromised Data
- Ancestry Information: The stolen data generally included ancestry details from the compromised accounts.
- Health-Related Data: A subset of these accounts also had their health-related genetic information accessed.
- Profile Information: Hackers obtained profile details of other users connected to the initial victims through the DNA Relatives feature.
The Technique Used: Credential Stuffing
- Method: Hackers employed “credential stuffing,” using known passwords from other data breaches to access 23andMe accounts.
Impact Beyond Direct Victims
- DNA Relatives Feature: This feature, when opted into, allows sharing of a user’s data with others on the platform. This extended the breach’s impact beyond the directly hacked accounts.
Company’s Response
- Security Measures: In response to the breach, 23andMe enforced password resets and introduced mandatory two-step verification for all users.
- Industry Reaction: Other DNA testing companies like Ancestry and MyHeritage also started mandating two-factor authentication following the incident.
Analysis of the Breached Data
- TechCrunch Investigation: TechCrunch analyzed the stolen data, comparing it to public genealogy records and confirming matches with previously published information.
- Scale of Exposed Data: The initial breach reports in October mentioned the targeting of specific ethnic groups. Later, it was revealed that the data of millions more users were potentially compromised and advertised for sale on hacking forums.
The Broader Context
- Ransom Demands: Hackers sought up to $50 million for the entire database or smaller amounts for subsets of the data.
- Previous Incidents: The data breach at 23andMe highlights the ongoing concerns regarding the security of sensitive genetic information stored by such companies.
Conclusion
The 23andMe data breach underscores the importance of robust cybersecurity measures in protecting sensitive personal and genetic information. As genetic testing becomes more prevalent, such incidents raise critical questions about data privacy and security in the digital age.