On Friday, the direct-to-consumer genetic testing company, 23andMe, confirmed that hackers gained access to the personal information of approximately 6.9 million customers in an October 2023 cyberattack. The incident came to light when a hacker posted on an online forum claiming they had obtained the profile information of millions of users and offered the data for sale. 23andMe investigated to determine the validity of the claims and determined that this was not a breach of 23andMe systems. The hacker had conducted a credential stuffing attack,
In a filing with the U.S. Securities and Exchange Commission (SEC), 23andMe confirmed that this was a credential stuffing attack: passwords stolen in breaches of other platforms were replayed against 23andMe logins, and they worked wherever a customer had reused the same password. 23andMe confirmed that the hacker used credential stuffing to access around 0.1% of user accounts, roughly 14,000 accounts. Then, via the DNA Relatives feature, which lets opted-in users see other users they share DNA with as possible genetic relatives, the hacker was able to read millions of other profiles without compromising those accounts. Overall, the hacker accessed the personal information of 5.5 million users via the DNA Relatives feature and a further 1.4 million family tree profiles, 6.9 million in total.
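The amplification step is the security-relevant part of the story: a feature that shows every opted-in user their matches means each taken-over account is a window onto every profile it is matched with, so exposure scales with the size of the match graph rather than with the number of cracked passwords. The following is an added example, not code from the article or from 23andMe; the match graph, user counts and the optional per-account view cap are assumptions chosen to illustrate the effect, and the only figure taken from the article is the 0.1% share of compromised accounts.

```python
"""Added example (not from the article or 23andMe's systems): a model of how
account takeovers are amplified by a relatives-matching feature. Graph shape,
user counts and the view cap are assumptions chosen for illustration."""
import random
from collections import defaultdict


def graph_from_edges(edges):
    """Build an undirected 'DNA match' graph from (user, user) pairs."""
    graph = defaultdict(set)
    for u, v in edges:
        graph[u].add(v)
        graph[v].add(u)
    return graph


def random_match_graph(n_users, matches_per_user, seed=0):
    """Constructed graph: every user opts in and is matched with a random set
    of other users (not real 23andMe data; a stand-in for DNA Relatives)."""
    rng = random.Random(seed)
    edges = []
    for u in range(n_users):
        for v in rng.sample(range(n_users), matches_per_user):
            if v != u:
                edges.append((u, v))
    return graph_from_edges(edges)


def exposed_profiles(graph, compromised, view_cap=None):
    """Profiles an attacker can read with the given compromised accounts:
    each account reveals its own matches (one hop). `view_cap` is a
    hypothetical per-account limit on how many matches can be enumerated;
    None means the feature lists every match, as the article describes."""
    compromised = set(compromised)
    exposed = set()
    for acct in compromised:
        matches = sorted(graph.get(acct, ()))
        if view_cap is not None:
            matches = matches[:view_cap]
        exposed.update(matches)
    return exposed - compromised


def amplification(graph, compromised, view_cap=None):
    """How many additional profiles each compromised account exposes."""
    n = len(exposed_profiles(graph, compromised, view_cap))
    return n / len(compromised)


if __name__ == "__main__":
    g = random_match_graph(n_users=10_000, matches_per_user=50)
    stolen = list(range(10))          # 0.1% of accounts, as in the article
    print("no cap   :", amplification(g, stolen))
    print("cap of 20:", amplification(g, stolen, view_cap=20))
```

Running it shows the shape of the problem: with no cap, ten taken-over accounts expose on the order of a thousand profiles in this toy graph, and the ratio is set entirely by match density, which the attacker does not need to break. A per-account enumeration limit, rate limiting on match browsing, or alerting when one session walks far more matches than a normal user does are the controls the "did 23andMe do enough to limit the extent" question is really about.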
The 5.5 million individuals had information exposed such as display name, predicted relationship with other users, the amount of DNA users share with matched users, ancestry reports, self-reported locations, ancestor birth locations, family names, profile pictures, and more. The 1.4 million users had their family trees exposed, which included display names, relationship labels, birth years, and self-reported locations.
23andMe said its investigation has uncovered no evidence of a security incident involving 23andMe systems. The attack worked because many people reuse passwords across multiple online accounts and had not enabled the multi-factor authentication that 23andMe offered. In short, 23andMe's position is that the breach was due to the poor security practices of its users; however, questions have been asked about the privacy and security design of the DNA Relatives feature, and whether 23andMe had done enough to prevent a breach of this nature or at least limit its extent, since the hacker exploited the weak password practices of 14,000 users, yet the breach affected 6.9 million people.
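Password reuse is what makes credential stuffing work, but the stuffing run itself leaves a recognisable trace in authentication logs: one source trying many distinct usernames and failing on most of them, because most of the replayed passwords were never reused on the target. The following detector is an added example, not code from the article or from 23andMe; the log format, the log lines and the thresholds are constructed for the illustration.

```python
"""Added example (not from the article or 23andMe): detecting a credential
stuffing run in authentication logs. The log format and the log lines are
constructed for the example; tune the thresholds to your own traffic."""
import re
from collections import defaultdict

# Constructed log format (an assumption): one login attempt per line.
LOG_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

# Constructed sample: 198.51.100.7 is a legitimate user mistyping a password,
# 203.0.113.5 is replaying leaked username/password pairs against many accounts.
SAMPLE_LOG = """\
2023-10-01T08:00:01Z src=198.51.100.7 user=bob result=FAIL
2023-10-01T08:00:09Z src=198.51.100.7 user=bob result=FAIL
2023-10-01T08:00:20Z src=198.51.100.7 user=bob result=OK
2023-10-01T08:01:00Z src=203.0.113.5 user=alice result=FAIL
2023-10-01T08:01:01Z src=203.0.113.5 user=carol result=FAIL
2023-10-01T08:01:02Z src=203.0.113.5 user=dave result=OK
2023-10-01T08:01:03Z src=203.0.113.5 user=erin result=FAIL
2023-10-01T08:01:04Z src=203.0.113.5 user=frank result=FAIL
2023-10-01T08:01:05Z src=203.0.113.5 user=grace result=OK
2023-10-01T08:01:06Z src=203.0.113.5 user=heidi result=FAIL
2023-10-01T08:02:00Z src=192.0.2.9 user=ivan result=OK
"""


def parse_attempts(text):
    """Yield (src, user, result) for every line that matches the format."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def detect_stuffing(text, min_users=5, min_fail_ratio=0.5):
    """Flag sources that try many distinct usernames with mostly failures.

    A real user fails a few times on one account; a stuffing run walks a
    list of leaked credentials, so it touches many accounts and fails on
    most of them because the passwords were not reused. Returns
    {source: [accounts that logged in OK from that source]}: those accounts
    are the likely takeovers to lock and force through a password reset."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0, "ok_users": set()})
    for src, user, result in parse_attempts(text):
        s = stats[src]
        s["users"].add(user)
        if result == "OK":
            s["ok"] += 1
            s["ok_users"].add(user)
        else:
            s["fail"] += 1

    flagged = {}
    for src, s in stats.items():
        attempts = s["ok"] + s["fail"]
        if len(s["users"]) >= min_users and s["fail"] / attempts >= min_fail_ratio:
            flagged[src] = sorted(s["ok_users"])
    return flagged


if __name__ == "__main__":
    for src, taken_over in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: credential stuffing, accounts to lock: {taken_over}")
```

Per-source counts are the simplest version; real stuffing tooling spreads attempts across proxies, so the same statistics are usually also kept per autonomous system, per user-agent fingerprint and per time window. Detection only catches the run in progress; the control that removes the attack class is the one the article says 23andMe has since mandated, a second authentication factor, since a reused password alone then no longer opens the account.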
23andMe said notifications are still being sent to the affected individuals but could not give a time frame for when that process will be completed. 23andMe has also confirmed that it has made security enhancements. Warnings have been sent to all users to reset their passwords, and there is now a mandatory two-step verification process for new and existing users, which was previously only optional.