23andMe data breach affects 6.9 million users

Written by Wed 6 Dec 2023

In a recent development concerning the October data breach at genetic testing giant 23andMe, new details reveal a more complex and extensive impact than initially reported.

The breach, which initially seemed to affect a limited number of user accounts, now appears to have compromised the personal data of millions of users.

23andMe first acknowledged the breach in early October, revealing that attackers had gained access to user accounts through its DNA Relatives service. Initially, the extent of the breach was unclear.

However, a recent US Securities and Exchange Commission filing by 23andMe stated that around 0.1% of its 14 million customers, approximately 14,000 accounts, were directly accessed.

The filing said the incident involved ‘a significant number of files containing profile information about other users’ ancestry’.

This number, however, does not fully represent the breadth of the attack, as it did not take into account those impacted by the attacker’s data-scraping from DNA Relatives.

An email from 23andMe spokesperson Katie Watson to TechCrunch confirmed that hackers accessed the personal data of approximately 5.5 million DNA Relatives users and that an additional 1.4 million users had their Family Tree profile information accessed.

The compromised data includes names, birth years, relationship labels, DNA percentages shared with relatives, ancestry reports, and other personal information.

Watson said to WIRED: “We are only elaborating on the information included in the SEC filing by providing more specific numbers.”

23andMe maintains that the breach was the result of credential stuffing attacks, where attackers used previously leaked login credentials. Following the breach, the company enforced a mandatory password reset and implemented two-factor authentication for all users. Other genetic testing services have also bolstered their security measures in response.

In response to the breach, 23andMe has also been actively removing the exposed information from public domains and notifying affected users. The company expects to incur significant expenses related to the breach, potentially impacting its financial results.

Multiple class action lawsuits have been filed against 23andMe in various jurisdictions, the outcomes of which remain uncertain.
