Data Breach at 23andMe Exposes 7 Million Users
23andMe, a prominent DNA testing and ancestry service, has confirmed a significant data breach affecting nearly 7 million of its customers. The breach, which occurred in October, exposed sensitive health-related information, including predispositions to diseases, raising concerns about user privacy and the security of genetic data.
The unauthorized access involved hackers using stolen credentials to compromise approximately 14,000 accounts, constituting 0.1% of the user base. The breach primarily targeted the DNA Relatives feature on the platform, a tool that allows users to explore profiles of individuals they are genetically related to.
Evolution of the Data Leak
Initially reported to impact 5.5 million users through the exposure of DNA Relatives profiles, an additional 1.4 million users were affected by the exposure of Family Tree profiles. The leak, affecting almost 6.9 million customers, resulted from the systematic scraping of information shared by users who had opted into the DNA Relatives feature.
Targeting Specific Communities
The threat actors behind the breach, including an individual with the alias “Golem,” claimed to have specifically targeted communities. Information from over 1 million Ashkenazi Jewish users and 300,000 Chinese users was leaked on October 1. Later, on October 17, data from an additional 4.1 million profiles of British and German customers was reportedly exposed, bringing the total number of affected users to more than 7 million.
Nature of the Leaked Information
The compromised data includes users’ display names, ancestry reports, and sensitive health-related information. Predispositions to diseases such as type 2 diabetes and Parkinson’s, along with carrier status for genetic conditions like cystic fibrosis and Tay-Sachs disease, were among the exposed details.
Response and Mitigation Efforts by 23andMe
23andMe took immediate action by temporarily disabling features within the DNA Relatives tool and working to remove the leaked information from public access. The company emphasized its commitment to notifying affected customers in compliance with legal requirements.
The report from 23andMe states, “As of the filing date of this Amendment, the Company believes that the threat actor activity is contained.” The company also implemented security measures, including a mandatory password reset for all users on October 9 and the encouragement of multi-factor authentication. Further steps were taken on November 6, requiring customers to use email 2-step verification on their accounts. 23andMe clarified that the unauthorized access resulted from credential stuffing attacks, with no indication of a breach within its own systems.
As 23andMe works to contain the aftermath of the breach and enhances its security measures, users are urged to remain vigilant about protecting their online accounts. This incident serves as a reminder of the broader implications of sharing sensitive genetic and health-related data on digital platforms, emphasizing the need for robust security practices in the rapidly evolving landscape of personal genomics.
Related Articles
Google’s Gemini Chatbot Is More Widely Available and Faster
In this digital era, providers of online services are only as good as their recent updates, performance speeds, and groundbreaking technology. As a business owner, you’ve probably noticed this. For instance, you'll switch over if you’re using a certain company’s...
Wearable Technology: Enhancing Employee Productivity and Health
If you have a smartwatch on your wrist, you're not alone: Millions of people wear watches that do much more than tell time. Smartwatches can help communicate, find information, and monitor your health with sensors that measure everything from how many steps you take...
The Benefits of Digital Payment Systems for Businesses
While much of the discussion of digital payment systems focuses on consumer benefits, the technology also offers many advantages to businesses. From providing greater convenience to your customers with cashless transactions via mobile payments or tap-to-pay options to...