Genetic testing company 23andMe has revealed that hackers gained unauthorized access to a “significant number” of files containing profile information about users’ ancestry. In a recent data breach, the company determined that approximately 14,000 customer accounts, or 0.1% of its customer base, were compromised. The breach occurred due to a technique known as “credential stuffing,” where cybercriminals use known passwords to gain unauthorized access to user accounts.
Key Takeaway
Approximately 14,000 customer accounts were compromised in 23andMe’s recent data breach, allowing hackers to access a significant number of files containing profile information about users’ ancestry. The stolen data includes ancestry information and, for some accounts, health-related information. 23andMe has taken immediate action to enhance security measures, and the breach has prompted other DNA testing companies to follow suit.
Extent of the Breach
Although 23andMe did not specify the exact number of files accessed or the number of users impacted, the breach potentially exposed personal information belonging to users who had opted into the company’s DNA Relatives feature. This feature allows users to share their information with others connected to them. Consequently, the hackers who breached one victim’s account were able to access personal data pertaining to the people connected to that account.
Stolen Data
The stolen data primarily consisted of ancestry information. However, for a subset of accounts, health-related information based on the users’ genetics was also compromised. The company acknowledged that certain information was posted online by the hackers but did not disclose the specifics.
Response and Security Measures
Following the breach, 23andMe took immediate action to protect its users. On October 10, all users were prompted to reset their passwords, and the company encouraged the adoption of multi-factor authentication. Subsequently, on November 6, the company made two-step verification mandatory for all users. These measures aim to enhance the security of user accounts and prevent unauthorized access in the future.
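Password resets and two-step verification address credential stuffing after the fact; in authentication logs the technique typically shows up as one source trying many distinct accounts and getting into only a few. The Python below is an added example, not 23andMe's code: the event format, thresholds, function names and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events (not real data): (source_ip, username, outcome).
# Assumed to be pre-filtered to a single time window, e.g. one hour of auth logs.
USERS = ["alice", "bob", "carol", "dana", "erin", "frank", "grace", "heidi"]
SAMPLE_EVENTS = (
    # One source walking through many accounts; a single reused password works.
    [("203.0.113.7", u, "success" if u == "dana" else "failure") for u in USERS]
    # Shared office NAT: many users, but every login succeeds.
    + [("192.0.2.55", u, "success") for u in ["ivan", "judy", "karl", "lena", "mona"]]
    # Ordinary user who mistypes a password once.
    + [("198.51.100.20", "alice", "failure"), ("198.51.100.20", "alice", "success")]
)


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.3):
    """Flag sources that try many distinct accounts and get into few of them."""
    per_ip = defaultdict(lambda: {"tried": set(), "ok": set()})
    for ip, user, outcome in events:
        per_ip[ip]["tried"].add(user)
        if outcome == "success":
            per_ip[ip]["ok"].add(user)

    flagged = {}
    for ip, rec in per_ip.items():
        ratio = len(rec["ok"]) / len(rec["tried"])
        if len(rec["tried"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(rec["tried"]),
                "success_ratio": ratio,
                "logged_in": sorted(rec["ok"]),
            }
    return flagged


def accounts_to_reset(flagged):
    """Accounts with a successful login from a flagged source need a forced reset."""
    return sorted({u for rec in flagged.values() for u in rec["logged_in"]})


if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_EVENTS)
    for ip, rec in hits.items():
        print(ip, rec)
    print("force reset:", accounts_to_reset(hits))
```

The success-ratio condition is what keeps the shared office address from being flagged despite its five distinct users; a threshold on distinct usernames alone would produce that false positive.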
Industry-Wide Impact
The 23andMe data breach has prompted other DNA testing companies, such as Ancestry and MyHeritage, to take similar steps towards improving security. These companies have also implemented mandatory two-factor authentication to protect their customers’ information.