Genetic testing company 23andMe admitted hackers accessed the personal data of approximately 14,000 individuals, 0.1% of its customers.
According to TechCrunch, the company said that “hackers were also able to access ‘a significant number of files containing profile information about other users’ ancestry.'”
In total, the data breach impacted about 6.9 million users.
Genetic testing firm 23andMe admits hackers accessed DNA data of 7m users https://t.co/4qsbtM0DNH
— Guardian US (@GuardianUS) December 5, 2023
In an email sent to TechCrunch late on Saturday, 23andMe spokesperson Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who opted-in to 23andMe’s DNA Relatives feature, which allows customers to automatically share some of their data with others. The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.
23andMe also confirmed that another group of about 1.4 million people who opted-in to DNA Relatives also “had their Family Tree profile information accessed,” which includes display names, relationship labels, birth year, self-reported location and whether the user decided to share their information, the spokesperson said. (23andMe declared part of its email as “on background,” which requires that both parties agree to the terms in advance. TechCrunch is printing the reply as we were given no opportunity to reject the terms.)
It is also not known why 23andMe did not share these numbers in its disclosure on Friday.
Considering the new numbers, in reality, the data breach is known to affect roughly half of 23andMe’s total reported 14 million customers.
Who are they looking for?
Hackers access data of 6.9M 23andMe users. China owned company… pic.twitter.com/AuYlZOfCnx
— cagrown5 (@cagrown5) December 5, 2023
“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” 23andMe said in a statement.
“We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts,” it added.
The Guardian added:
Two months ago, Wired reported that a sample of data points from 23andMe accounts were exposed on BreachForums, a black-hat hacking crime forum.
The hackers claimed the sample contained 1m data points exclusively about Ashkenazi Jews. According to the outlet, there also seemed to be hundreds of thousands of users of Chinese heritage affected by the leak.
Hackers then began selling 23andMe profiles for between $1 and $10 per account, with information revealed that included some details about genetic ancestry results, like “broadly European” or “broadly Arabian”.
Later, hackers released 23andMe user information containing records of 4 million users. The hackers claimed the information included people from the UK with some of the “the wealthiest people living in the US and western Europe on this list”.
TechCrunch said it had analysed the leaked data and determined that some records matched genetic data published online by hobbyists and genealogists. But the outlet also suggested the hacked data was at least in part from 23andMe.Advertisement
When the company first disclosed the breach, it said it was likely that it was caused by customers reusing passwords that have already appeared in other data breaches, allowing hackers to use a technique known as “credential stuffing”.