

Hackers stole ancestry data from 23andMe on nearly 7 million people

A breach at 23andMe exposes millions to a web of compromised genetic and personal data, igniting concerns about digital privacy and security.

Tibi Puiu
December 6, 2023 @ 9:31 pm


A 23andMe DNA testing kit. Credit: Clay Gregory.
Key takeaways:
  • 🔒 23andMe experienced a massive breach affecting 6.9 million accounts, nearly 50% of users.
  • 🧬 Hackers exploited the DNA Relatives feature, accessing birth details and ancestry information of affected users.
  • 💻 Initial access via credential stuffing led to vulnerabilities, allowing hackers to breach a vast user base.

A staggering cybersecurity breach has been confirmed at 23andMe, with more than 6.9 million user accounts compromised. That’s nearly half of the genetic ancestry company’s entire user base of 14 million. This news follows the initial revelation that only a fraction of accounts — approximately 14,000 — had succumbed to unauthorized access.

The breach’s depth extended beyond initial estimations, enveloping data from two distinct user groups who had engaged with 23andMe’s DNA Relatives feature. This interactive tool is designed to connect individuals with lost genetic kin. Users who opt in to this feature offer personal information such as their birth year, location, known ancestor names, and birth locations.

However, this feature also inadvertently became a gateway for hackers. About 5.5 million users were opted in to DNA Relatives by default. A smaller group of 1.4 million users shared only “Family tree profile information”, including birth year, display names, and relationship labels. The private ancestry information of all the users in both groups was stolen by hackers.

What is 23andMe?

23andMe is a genetic and health testing company that offers individuals the chance to explore their ancestry and genetic traits through a simple DNA test. Users provide a saliva sample, which is analyzed to provide insights into their ethnic background, familial connections, and potential genetic health predispositions. The company uses this genetic data to generate reports on ancestry composition, genetic health risks, carrier status for certain diseases, and other traits influenced by genetics.

Hackers first directly accessed 14,000 accounts using a technique called credential stuffing. This involves trying usernames and passwords that were exposed during past data breaches on other services. A lot of people use the same usernames and passwords across platforms, so if these security details were leaked previously, they can be used to access your account on 23andMe if you happen to use the same login credentials.

From this significant yet relatively small data breach involving just 0.1% of 23andMe’s user base, things spiraled out of control. From the accounts they managed to access directly, the hackers could make their way to the DNA Relatives and Family Tree profiles. This is due to a vulnerability in the way the DNA Relatives feature matches users with their relatives. By hacking one account, the hackers could access the data of both the account holder and their relatives. This is how a 0.1% data breach swelled to cover nearly 50% of all accounts.

Initially, on Friday, 23andMe only reported the data breach of 14,000 individuals. But after TechCrunch journalists made several inquiries with the company, 23andMe confirmed that the hackers extended their tentacles much farther than we were led to believe.

Previously, in October, a hacker posted on an online forum claiming to possess data on one million 23andMe users of Jewish Ashkenazi descent and 100,000 Chinese users. The hacker was offering this database for sale at $1 to $10 per individual account.

Efforts to mitigate the fallout have been multi-pronged. 23andMe initiated notifications to all affected users, a move met with scrutiny given the delay in disclosing precise numbers. The company says it is now bolstering account security by mandating password resets and instituting two-step verification for both existing and new users.

The breach’s aftermath is bound to be costly. Financially, 23andMe anticipates considerable expenses, estimating costs of between $1 million and $2 million to address the incident by the fiscal year’s end. Moreover, the company faces a barrage of legal challenges, including class-action lawsuits in various jurisdictions and inquiries from governmental bodies.

The full scope of the breach’s impact, coupled with the potential legal ramifications and financial toll, remains uncertain. Simultaneously, efforts to fortify cybersecurity protocols and reassure users of enhanced protective measures are underway.
