
23andMe hack: What happened to genetic data from millions of users?

Written by Fri 13 Oct 2023

Genetic testing company 23andMe confirmed a hack in which data from millions of users had been stolen.

Whilst the company said its systems were not breached, genetic information from 23andMe accounts appeared to be posted online by hackers. 

“We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” said 23andMe on Friday 6 October.

But how did the hackers gain access to the genetic information and what did they do with it?

How Did the 23andMe Hack Occur?

23andMe believed threat actors were able to access certain accounts in instances where users recycled login credentials.

Specifically, this occurred when the same usernames and passwords used on 23andMe.com matched those used on other websites that had suffered prior security breaches. This is known as credential stuffing.

“The threat actor may have then, in violation of our Terms of Service, accessed 23andMe.com accounts without authorisation and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service,” said 23andMe in a statement.

The DNA Relatives feature allows users to connect with other people who share segments of their DNA, to help construct their family tree. Because a logged-in user can view details of their matches, a single compromised account gave the hackers data about many individuals whose own accounts were never compromised.
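As an added detection example, not code from the article or from 23andMe, the following Python covers both patterns described above: a source address replaying credentials against many distinct accounts with mostly failures, and a compromised account then pulling far more DNA Relatives profiles than a person browsing would. The log format, field names and thresholds are assumptions for illustration, and the log lines are constructed.

```python
# Added example (not the article's or 23andMe's code): flag credential-stuffing
# sources and DNA Relatives scraping in constructed login/access logs.
# Log format, field names and thresholds are assumptions for illustration.
from collections import Counter, defaultdict

# Constructed sample lines: "<time> <source_ip> <event> <account> <outcome>".
# 203.0.113.5 replays credentials against many accounts; one that works
# is then used to pull many DNA Relatives profiles.
LOG = """\
10:00:01 203.0.113.5 login alice@example.com fail
10:00:02 203.0.113.5 login bob@example.com fail
10:00:02 203.0.113.5 login carol@example.com success
10:00:03 203.0.113.5 login dave@example.com fail
10:00:04 203.0.113.5 login erin@example.com success
10:00:09 198.51.100.7 login frank@example.com fail
10:00:15 198.51.100.7 login frank@example.com success
10:00:40 198.51.100.7 relatives frank@example.com success
10:01:00 203.0.113.5 relatives carol@example.com success
10:01:01 203.0.113.5 relatives carol@example.com success
10:01:01 203.0.113.5 relatives carol@example.com success
10:01:02 203.0.113.5 relatives carol@example.com success
"""

def parse(log):
    """Split each non-empty line into its five fields."""
    keys = ("ts", "ip", "event", "account", "outcome")
    return [dict(zip(keys, line.split())) for line in log.splitlines() if line.strip()]

def stuffing_sources(events, min_accounts=4, max_success_rate=0.5):
    """IPs trying many distinct accounts with mostly failures: the shape of
    username/password pairs replayed from other sites' breaches."""
    per_ip = defaultdict(lambda: {"accounts": set(), "tries": 0, "ok": 0})
    for e in events:
        if e["event"] != "login":
            continue
        s = per_ip[e["ip"]]
        s["accounts"].add(e["account"])
        s["tries"] += 1
        s["ok"] += e["outcome"] == "success"
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["accounts"]) >= min_accounts
                  and s["ok"] / s["tries"] <= max_success_rate)

def scraping_accounts(events, max_relative_views=3):
    """Accounts fetching more DNA Relatives profiles than a person browsing
    their own matches would: data about people whose accounts were never breached."""
    views = Counter(e["account"] for e in events if e["event"] == "relatives")
    return sorted(a for a, n in views.items() if n > max_relative_views)
```

In a real deployment the same per-IP and per-account counters would be computed over a sliding time window rather than the whole log.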

What Did the Hackers Do With 23andMe Genetic Information?

Wired reported hackers posted an initial data sample on BreachForums, claiming it contained 1 million data points about Ashkenazi Jews. Users of Chinese descent were also impacted by the leak, with thousands of people affected.

On 4 October, the threat actor started selling 23andMe profiles. Profiles were priced at £0.82 ($1) to £8.16 ($10) per account, depending on the quantity purchased.

Profile data contained the user’s display name, gender, birth year, and genetic ancestry details, possibly including specific geographic ancestry information. Raw genetic information was not thought to be part of this information.

Information on their profile ID, account ID, name, sex, birth year, current location, and fields known as ‘ydna’ and ‘ndna’ were included.

It is unknown what these fields refer to. ‘Ydna’ could refer to Y-DNA, which is inherited by males from their fathers. ‘Ndna’ could refer to nuclear DNA (nDNA), which is used in forensic DNA testing.

Data posted by the threat actor was said to include entries for celebrities such as Mark Zuckerberg, Elon Musk, and Sergey Brin. It is also not known whether the information in the posted celebrity entries is legitimate or falsified.

What is BreachForums?

BreachForums is a major hacking forum and marketplace for cybercriminals that claims to have more than 340,000 members.

Members are known to share information about data breaches, distribute stolen data, and share hacking tools.

In March 2023, BreachForums was shut down on both the clear web and the dark web following the arrest of Conor Brian Fitzpatrick, who allegedly owned and operated the platform.

The platform frequently sold stolen items, including bank account details, social security numbers, personal identification info, IDs, hacking tools, breached databases, services for unauthorised system access, and compromised online account login info.

The forum was later reopened on the dark web under the ownership of ShinyHunters, a hacking group.

How Did 23andMe Respond to the Hack? 

On Monday, 23andMe issued a statement saying that it had begun an immediate investigation after discovering the hack.

“Our investigation continues and we have engaged the assistance of third-party forensic experts. We are also working with federal law enforcement officials,” said 23andMe.

The company required all users to reset their passwords, and encouraged the use of multi-factor authentication (MFA).

23andMe said that if it learns a customer’s data has been accessed without authorisation, it will notify that customer directly with more information.

The Dangers of DNA Databases

The incident raises concerns about the security of genetic information stored in testing services designed for sharing and connecting with potential relatives.

“The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public,” said Brett Callow, Threat Analyst at Emsisoft, in an interview with Wired.

Platforms like 23andMe face data privacy and security issues similar to those of social media sites. Any platform that holds personal user information carries the danger of data scraping, a technique used to extract information from websites.

Data scraping can be performed using specialised software or programming scripts, and can involve analysing and extracting data from the HTML structure of web pages. Typically, data scraping is used for data analysis and research; however, it can also be used by hackers to steal information about users of a website.

The compromise of 23andMe accounts underscores the need for individuals to use unique and secure login credentials for different online accounts to mitigate the risk of such attacks. The 23andMe attack also highlighted the risks associated with centralising sensitive data, and the need for robust security measures to protect it from potential misuse.
