Tuesday, December 05, 2023
Genetic testing company 23andMe has admitted that there was a substantial data breach, impacting 6.9 million users, as hackers accessed the personal information of the servers in October 2023.
Initially disclosed in October, the breach affected 0.1% of customers, but newly revealed details indicate a much larger scale. In an email to TechCrunch, 23andMe confirmed that hackers accessed data from 5.5 million users who opted-in to the DNA Relatives feature, exposing names, birth years, relationship labels, DNA percentage shared with relatives, ancestry reports, and self-reported locations.
Additionally, about 1.4 million individuals in the same feature had their Family Tree profile information compromised, including display names, birth years, self-reported locations, and sharing preferences.
Despite the significant impact, 23andMe did not disclose these specific numbers initially. The breach, attributed to customers reusing passwords, allowed hackers to brute-force accounts using publicly known passwords from other data breaches.
The DNA Relatives feature, designed to match users with relatives, magnified the breach's impact by exposing the personal data of both the account holder and their relatives when one account was compromised.
The data breach was first publicised in October when a hacker claimed to have stolen 23andMe users' DNA information and offered the alleged data for sale. Subsequent advertisements on hacking forums revealed an extensive compromise, with TechCrunch discovering that leaked data matched information published online by genealogists and hobbyists, indicating the authenticity of at least part of the compromised data.
With the new revelations, the breach is now understood to affect approximately half of 23andMe's reported 14 million customers. The company's delayed disclosure and the magnitude of compromised information raise concerns about the security measures in place and the potential impact on affected individuals.