Posts Tagged: 23andMe

23andMe hackers accessed ancestry information on millions of customers using a feature that matches relatives

An SEC filing has revealed more details on a data breach affecting 23andMe users that was disclosed earlier this fall. The company says its investigation found hackers were able to access the accounts of roughly 0.1 percent of its user base, or about 14,000 of its 14 million total customers, TechCrunch notes. On top of that, the attackers were able to exploit 23andMe’s opt-in DNA Relatives (DNAR) feature, which matches users with their genetic relatives, to access information about millions of other users. A 23andMe spokesperson told Engadget that hackers accessed the DNAR profiles of roughly 5.5 million customers this way, plus Family Tree profile information from 1.4 million DNA Relatives participants.

DNAR Profiles contain sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships and ancestry reports. Family Tree profiles contain display names and relationship labels, plus other information that a user may choose to add, including birth year and location. When the breach was first revealed in October, the company said its investigation “found that no genetic testing results have been leaked.” 

According to the new filing, the data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.” All of this was obtained through a credential-stuffing attack, in which attackers take username and password pairs leaked from earlier breaches of other websites and replay them against 23andMe logins, succeeding wherever a user had reused the same password. In doing this, the filing says, “the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online.”

Following the discovery of the breach, 23andMe instructed affected users to change their passwords and later rolled out two-factor authentication for all of its customers. In another update on Friday, 23andMe said it had completed the investigation and is notifying everyone who was affected. The company also wrote in the filing that it “believes that the threat actor activity is contained,” and is working to have the publicly posted information taken down.

Update, December 2 2023, 7:03PM ET: This story has been updated to include information provided by a 23andMe spokesperson on the scope of the breach and the number of DNA Relative participants affected.

This article originally appeared on Engadget at https://www.engadget.com/23andme-hackers-accessed-ancestry-information-from-thousands-of-customers-and-their-dna-relatives-205758731.html?src=rss
Engadget is a web magazine with obsessive daily coverage of everything new in gadgets and consumer electronics

23andMe user data breached in credential-stuffing attack

Biotech company 23andMe, known for its DNA testing kits, confirmed to BleepingComputer that its user data is circulating on hacker forums. The company said the leak occurred through a credential-stuffing attack.

In a credential-stuffing attack, a hacker takes credentials (usernames and passwords, for example) that have already been compromised at one organization and attempts to reuse them at a second organization, in this case 23andMe. The attack only succeeds on accounts whose owners reused a password that had already leaked elsewhere, which is why it does not appear this was a breach of the company’s internal systems. Rather, accounts were broken into piecemeal, one reused password at a time. The perpetrators of this attack appear to have obtained quite sensitive information from the compromised accounts (genetic testing results, photos, full names and geographical location, among other things).

The initial leak comprised “1 million lines of data for Ashkenazi people,” according to BleepingComputer. By October 4, data was being offered for sale in bulk, in increments of 100, 1,000, 10,000 or 100,000 profiles. The scale of the attack is as yet unknown, but the scope of its impact has likely been exacerbated by 23andMe’s ‘DNA Relatives’ feature. “Relatives are identified by comparing your DNA with the DNA of other 23andMe members who are participating in the DNA Relatives feature,” the company states. After accessing an unknown number of profiles via credential-stuffing, the threat actor behind this breach apparently scraped the ‘DNA Relatives’ results for those profiles, netting much more sensitive data: each compromised account exposed not just its owner but every relative listed for that account, so the number of people affected scales with the size of those relative lists rather than with the number of accounts broken into. According to the same FAQ page, “The number of relatives listed [..] grows over time as more people join 23andMe.” For the fiscal year 2023, the company reported it “genotyped” around 14 million customers.
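Both articles describe the same two-stage pattern: a credential-stuffing sweep (one source trying many accounts, mostly failing, succeeding only where a password was reused) followed by bulk scraping of the compromised accounts’ DNA Relatives lists. The following is an added example, not code from Engadget or 23andMe, showing how a defender could spot both stages in authentication and profile-access logs. The log format, the field names, the thresholds and the sample log lines are all constructed for the example and are assumptions, not 23andMe’s real telemetry.

```python
"""Detecting credential stuffing and relative-list scraping in constructed logs.

Added example. The log line format, thresholds and sample data are assumptions
made for illustration; they are not 23andMe's real logging or detection rules.
"""
import re
from collections import defaultdict

# Assumed log format (constructed for this example):
#   <timestamp> ip=<src> user=<account> event=login result=ok|fail
#   <timestamp> ip=<src> user=<account> event=fetch_relative target=<relative id>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>login|fetch_relative)"
    r"(?: result=(?P<result>ok|fail))?(?: target=(?P<target>\S+))?$"
)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return m.groupdict()


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_stuffing(events, min_distinct_users=5, min_fail_rate=0.5):
    """Return {ip: stats} for sources that sweep many accounts with mostly failures.

    Credential stuffing is wide and shallow: one source, many distinct usernames,
    a high failure rate, and a few successes where the victim reused a password.
    A legitimate user mistyping a password hits one account, not dozens.
    """
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0, "hits": set()})
    for e in events:
        if e["event"] != "login":
            continue
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        if e["result"] == "ok":
            s["ok"] += 1
            s["hits"].add(e["user"])  # accounts the sweep actually got into
        else:
            s["fail"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["fail"] / (s["ok"] + s["fail"])
        if len(s["users"]) >= min_distinct_users and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_rate": round(fail_rate, 2),
                "compromised": sorted(s["hits"]),
            }
    return flagged


def detect_scraping(events, max_profiles=20):
    """Return {user: count} for accounts that pulled an unusual number of distinct
    relatives' profiles. A person browses a few matches; a scraper walks the list."""
    per_user = defaultdict(set)
    for e in events:
        if e["event"] == "fetch_relative":
            per_user[e["user"]].add(e["target"])
    return {u: len(t) for u, t in per_user.items() if len(t) > max_profiles}


def correlate(events):
    """Accounts that a stuffing source logged into and that then scraped relatives.
    These are the accounts whose relative lists should be treated as exposed."""
    taken = {u for s in detect_stuffing(events).values() for u in s["compromised"]}
    return sorted(taken & set(detect_scraping(events)))


def _constructed_log():
    """Constructed sample data: an 8-account sweep from 203.0.113.5 that lands on
    two reused passwords, one normal user, and one hijacked account scraping 60
    relatives. None of these addresses or accounts are real."""
    lines = []
    for i in range(8):
        res = "ok" if i in (2, 5) else "fail"
        lines.append(f"2023-10-01T10:00:{i:02d}Z ip=203.0.113.5 "
                     f"user=user{i}@example.test event=login result={res}")
    lines.append("2023-10-01T11:00:00Z ip=198.51.100.7 user=alice@example.test event=login result=fail")
    lines.append("2023-10-01T11:00:05Z ip=198.51.100.7 user=alice@example.test event=login result=ok")
    for k in range(3):
        lines.append(f"2023-10-01T11:01:{k:02d}Z ip=198.51.100.7 "
                     f"user=alice@example.test event=fetch_relative target=rel{k}")
    for k in range(60):
        lines.append(f"2023-10-01T10:05:{k:02d}Z ip=203.0.113.5 "
                     f"user=user2@example.test event=fetch_relative target=rel{k}")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_stuffing(evts))
    print("scraping accounts:", detect_scraping(evts))
    print("compromised and scraped:", correlate(evts))
```

The two detectors are deliberately independent: the stuffing rule keys on the source address and the breadth of accounts tried, while the scraping rule keys on the account and the breadth of relatives fetched, so a hijacked account that later switches to a clean IP is still caught by the second rule. In production the thresholds would be tuned against baseline traffic and the per-account relative count would be bounded by a time window rather than the whole log.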

Ever since 23andMe went public in 2021, the company has faced extra scrutiny of its data protection practices, and rightly so, since it deals with sensitive medical data derived from saliva sampling, including predispositions for diseases like Alzheimer’s, Type 2 diabetes and even cancer. On its website the company claims it “exceeds” data protection standards for its industry.

This article originally appeared on Engadget at https://www.engadget.com/23andme-user-data-breached-in-credential-stuffing-attack-231757254.html?src=rss


California Rep. requests 23andMe to help reunite children with families

California Representative Jackie Speier reportedly asked DNA-testing company 23andMe to help reunite children separated from their parents at the US-Mexico border due to Trump's 'zero tolerance' immigration policies. She told Buzzfeed that she was co…