US firm attributes security breach to ‘threat actor,’ impacting 50% of 14 million users.
The genetic testing firm 23andMe reported a security breach, impacting nearly 7 million users. Hackers gained access to DNA ancestry information, including a significant number of files with profile data, during an October breach, according to a recent regulatory filing. The document disclosed that “threat actors” accessed personal data of about 14,000 customers, constituting 0.1% of the total affected users.
The company told TechCrunch on Saturday that, because of an opt-in feature that lets DNA-related relatives connect, the actual number of exposed individuals was 6.9 million. This accounts for slightly under half of 23andMe’s reported 14 million customers.
The company also confirmed that another set of approximately 1.4 million individuals who willingly participated in 23andMe’s DNA relatives feature had their family tree profile information compromised. This data encompassed names, relationship labels, birth years, self-reported locations, and additional details.
In a statement, 23andMe explained, “We became aware that specific 23andMe customer profile information was gathered by accessing individual 23andMe.com accounts. We suspect that the threat actor may have, in violation of our terms of service, unauthorizedly accessed 23andme.com accounts and obtained information from them.”
Two months earlier, Wired reported that a data sample from 23andMe accounts had been exposed on BreachForums, a black-hat hacking forum. The hackers claimed the sample contained 1 million data points exclusively related to Ashkenazi Jews, with hundreds of thousands of users of Chinese heritage also reportedly affected by the breach.
Subsequently, hackers unveiled 23andMe user data, comprising records of 4 million users. The hackers asserted that the information encompassed individuals from the UK, including some of the “wealthiest people living in the US and western Europe on this list.”
TechCrunch, after analyzing the leaked data, reported that certain records aligned with genetic data previously shared online by hobbyists and genealogists. The outlet, however, suggested that the compromised data was, to some extent, sourced from 23andMe.
When it first disclosed the breach, the company indicated that it was likely triggered by customers reusing passwords that had been exposed in other data breaches, enabling hackers to employ a method known as “credential stuffing,” in which login credentials leaked from one service are tried against accounts on another.