Nearly 7 million clients of genetic testing and biotechnology company 23andMe fell victim to a data leak in October. Hackers gained unauthorized access and extracted profile data, affecting a significant portion of the company’s user base.
Hackers Gain Access to Sensitive Data in 23andMe Database
In a startling revelation, genetic testing and biotechnology company 23andMe confirmed on Monday that nearly 7 million customers fell victim to a data leak in October. The expansive cybersecurity incident involved the unauthorized access and extraction of user profile data, affecting a significant portion of the company’s total customer base.
In brief, hackers targeted the data of a service called DNA Relatives, scraping information such as display names, ancestry reports, and sensitive health-related data. Because the compromised information includes health data, it allows for enormously wide analysis of the people affected. Reports also disclose a user’s gene carrier status for diseases like cystic fibrosis, Tay-Sachs, type 2 diabetes, and Parkinson’s disease.
23andMe Hacked in October
The breach began in early October, when hackers gained direct access to 14,000 23andMe customer accounts. The crooks used credentials stolen in unrelated third-party breaches, replaying them against 23andMe logins (credential stuffing). While the source of those credentials is not specified (password reuse is the obvious explanation), 23andMe clarifies that there was no indication that its own systems had been compromised.
Next, hackers targeted the DNA Relatives feature, scraping information such as display names, ancestry reports, and sensitive health-related data. The total number of exposed users grew to 6.9 million. This was possible because each compromised account was potentially connected to hundreds or thousands of relatives through that feature.
Who is under attack?
According to the company’s claims, an average 23andMe account had access to information from 1,500 DNA relatives. In other words, attackers leveraged the compromised accounts to scrape genetic data from 5.5 million DNA Relatives profiles, and an additional 1.4 million users had their Family Tree profiles exposed.
Of the nearly 7 million users affected, 1 million were of Ashkenazi Jewish descent, and 300,000 were users of Chinese heritage. This suggests that these communities were explicitly targeted for their ancestral data. A further 4.1 million leaked profiles reportedly belonged to British and German 23andMe consumers. The breach exposed customer display names, ancestry reports, and sensitive health information.
Official reaction
Upon discovering suspicious activity, 23andMe reset all user passwords on October 9th. The company is also in the process of notifying affected customers and complying with legal requirements. Moreover, it has temporarily disabled certain features within the DNA Relatives tool.
As for really effective measures, since then multi-factor (two-factor) authentication has been mandated for all accounts (shouldn’t information this sensitive have required it before?). The problem was that users didn’t place much importance on protecting their accounts. As a result, starting from just 14,000 accounts, the attackers were able to hit a jackpot of 6.9 million profiles.
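As an added illustration (not code from the article or from 23andMe), the following sketch shows how the two stages described above, credential stuffing against the login endpoint and bulk harvesting of DNA Relatives profiles from each account taken over, would stand out in access logs; the log format, account names, IP addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a hypothetical format (not 23andMe's real logs):
# "<ISO timestamp> <event> <account> <client ip> <relative id or ->"
SAMPLE_LOG = [
    "2023-10-01T10:00:01 login_fail acct1001 203.0.113.7 -",
    "2023-10-01T10:00:02 login_fail acct1002 203.0.113.7 -",
    "2023-10-01T10:00:03 login_ok acct1003 203.0.113.7 -",
    "2023-10-01T10:00:04 login_fail acct1004 203.0.113.7 -",
    "2023-10-01T10:00:05 login_fail acct1005 203.0.113.7 -",
    "2023-10-01T10:00:06 login_ok acct1006 203.0.113.7 -",
    "2023-10-01T10:01:00 login_ok acct2001 198.51.100.4 -",
    "2023-10-01T10:01:30 relative_view acct2001 198.51.100.4 rel-A",
    "2023-10-01T10:01:40 relative_view acct2001 198.51.100.4 rel-B",
] + [  # the stuffed account acct1003 then enumerates 80 distinct DNA Relatives
    f"2023-10-01T10:{2 + i // 60:02d}:{i % 60:02d} relative_view acct1003 203.0.113.7 rel-{i}"
    for i in range(80)
]

def parse(lines):
    # Split each line into its five fields and parse the timestamp
    rows = (dict(zip(("ts", "event", "account", "ip", "detail"), l.split())) for l in lines)
    return [{**r, "ts": datetime.fromisoformat(r["ts"])} for r in rows]

def window_key(ts, minutes):
    # Fixed time buckets keep the demo short; production code would use a sliding window
    return int(ts.timestamp()) // (minutes * 60)

def credential_stuffing_ips(events, minutes=5, min_accounts=5, min_fail_ratio=0.5):
    """IPs trying many distinct accounts in one window, mostly failing: replayed leaked passwords."""
    stats = defaultdict(lambda: {"accounts": set(), "fails": 0, "total": 0})
    for e in events:
        if e["event"] in ("login_ok", "login_fail"):
            s = stats[(e["ip"], window_key(e["ts"], minutes))]
            s["accounts"].add(e["account"])
            s["total"] += 1
            s["fails"] += 1 if e["event"] == "login_fail" else 0
    return sorted({ip for (ip, _), s in stats.items()
                   if len(s["accounts"]) >= min_accounts
                   and s["fails"] / s["total"] >= min_fail_ratio})

def scraping_accounts(events, minutes=10, max_profiles=50):
    """Accounts viewing far more distinct relative profiles per window than a person browsing would."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "relative_view":
            seen[(e["account"], window_key(e["ts"], minutes))].add(e["detail"])
    return sorted({acct for (acct, _), rels in seen.items() if len(rels) > max_profiles})
```

The second detector is the one that matters most here: a single successful login looks legitimate, but an account pulling hundreds of relatives' profiles in minutes does not, and rate limits on the relatives endpoint cap how far one stolen password can reach.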