Notifications

Loading…

Hackers Gained Access to Genetic Profiles of Thousands More in 23andMe Breach

23andMe data breach

Genetic testing company 23andMe disclosed new details on Friday about the data breach it experienced in October, revealing that the breach impacted a far greater number of users than previously reported.

In an updated filing with the U.S. Securities and Exchange Commission (SEC), published on Friday, 23andMe stated that based on its investigation into the incident, it had determined that hackers had accessed 0.1% of its customer base by using credential stuffing attacks.

However, by gaining access to those accounts, the hackers were also able to access genetic profiles and ancestry information of a "significant number" of additional 23andMe users.

"Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available (the “Credential Stuffed Accounts”)."

"The information accessed by the threat actor in the Credential Stuffed Accounts varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics. Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online."

"We are working to remove this information from the public domain. As of the filing date of this Amendment, the Company believes that the threat actor activity is contained." - SEC doc reads.

This occurred through 23andMe's DNA Relatives feature, which allows users to opt-in to connect and share ancestry information with other users who share DNA. So while 0.1% of accounts were directly compromised, the hackers gained access to sensitive genetic data of many more individuals through their connections to those account holders.

23andMe did not provide the specific number of how many additional users had their information compromised. However, the company mentioned that 23andMe is in the process of providing notification to users impacted by the incident as required by applicable law.

Hacker Activity Believed to Be Contained

The company stated that it believes the hackers' activity has now been contained. Steps it has taken to improve security following the breach include:

  • Requiring all users to reset passwords and set up two-factor authentication
  • Enabling two-factor authentication by default for all new user signups

Legal and Financial Fallout

As a result of the breach, 23andMe is facing multiple class action lawsuits in the U.S. and Canada. The company expects to incur $1-2 million in expenses related to the breach this quarter, from consulting, legal, and other advisory services.

The full financial impacts of the breach remain unclear, though 23andMe stated it could negatively impact financial results for the 2024 fiscal year.

While 23andMe believes its investigation into the breach is now complete, it said new information may still emerge that alters its understanding of the scope and impacts of the incident.

In early October, 23andMe disclosed an incident in which hackers had stolen some users’ data using a common technique known as “credential stuffing,” whereby cybercriminals hack into a victim’s account by using a known password, perhaps leaked due to a data breach on another service.

Read Also
Post a Comment