- 🔒 23andMe experienced a massive breach affecting 6.9 million accounts, nearly 50% of users.
- 🧬 Hackers exploited the DNA Relatives feature, accessing birth details and ancestry information of affected users.
- 💻 Initial access via credential stuffing led to vulnerabilities, allowing hackers to breach a vast user base.
A staggering cybersecurity breach has been confirmed at 23andMe, with more than 6.9 million user accounts compromised. That’s nearly half of the genetic ancestry company’s entire user base of 14 million. This news follows the initial revelation that only a fraction of accounts — approximately 14,000 — had succumbed to unauthorized access.
The breach’s depth extended beyond initial estimations, enveloping data from two distinct user groups who had engaged with 23andMe’s DNA Relatives feature. This interactive tool is designed to connect individuals with lost genetic kin. Users who opt-in for this feature offer personal information such as their birth year, location, known ancestor names, and birth locations.
However, this feature also inadvertently became a gateway for hackers. About 5.5 million users were automatically opted-in for DNA Relatives by default. A smaller 1.4 million user group only shared “Family tree profile information”, including birth year, display names, and relationship labels. The private ancestry information of all the users in both groups was stolen by hackers.
23andMe is a genetic and health testing company that offers individuals the chance to explore their ancestry and genetic traits through a simple DNA test. Users provide a saliva sample, which is analyzed to provide insights into their ethnic background, familial connections, and potential genetic health predispositions. The company uses this genetic data to generate reports on ancestry composition, genetic health risks, carrier status for certain diseases, and other traits influenced by genetics.
Hackers first directly accessed 14,000 accounts using a technique called credential stuffing. This involves exploiting private user information exposed during past data breaches. A lot of people use the same usernames and passwords across platforms, so if these security details were leaked previously, they can be used to access your account on 23andMe if you happen to use the same login credentials.
From this significant yet relatively small data breach involving just 0.1% of 23andMe’s user base, things spiraled out of control. From the accounts they managed to access directly, the hackers could make their way to the DNA Relatives and Family Tree profiles. This is due to a vulnerability in the way the DNA Relatives features match users with their relatives. By hacking one account, the hackers could access the data of both the account holder and their relatives. This is how a 0.1% data breach swelled to cover nearly 50% of all accounts.
Initially, on Friday, 23andMe only reported the data breach of 14,000 individuals. But after TechCrunch journalists made several inquiries with the company, 23andMe confirmed that the hackers extended their tentacles much farther than we were led to believe.
Previously, in October, a hacker made an online post on a forum claiming they possessed data on one million users of Jewish Ashkenazi descent and 100,000 Chinese users from 23andMe. The hacker was advertising selling this database for $1 to $10 for the data per individual account.
Efforts to mitigate the fallout have been multi-pronged. 23andMe initiated notifications to all affected users, a move met with scrutiny given the delay in disclosing precise numbers. The company says it is now bolstering account security by mandating password resets and instituting two-step verification for both existing and new users.
The breach’s aftermath is bound to be costly. Financially, 23andMe anticipates considerable expenses, estimating costs between $1 million to $2 million to address the incident by the fiscal year’s end. Moreover, the company faces a barrage of legal challenges, including class-action lawsuits in various jurisdictions and inquiries from governmental bodies.
The full scope of the breach’s impact, coupled with the potential legal ramifications and financial toll, remains uncertain. Simultaneously, efforts to fortify cybersecurity protocols and reassure users of enhanced protective measures are underway.
