23andMe Provides Update On Extent Of Massive Data Breach

The concept of entrusting a tech company with genetic information has long sparked security concerns regarding the business model of platforms like 23andMe. Earlier this year, those misgivings were validated when the DNA testing and ancestry site announced that a hacker had accessed thousands of profiles and stolen a huge amount of personal data.

Even though the breach only directly impacted a small portion of 23andMe’s overall customer base, it included the “DNA Relatives” and “Family Tree” features, which in turn provided access to nearly 7 million accounts.

In a statement following the initial report in October, the company indicated that “no genetic testing results have been leaked.”

Last week, however, 23andMe provided a new filing with the U.S. Securities and Exchange Commission, which provides additional details about the scope of the hack. It states that the compromised data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.”

Using a technique known as “credential stuffing,” the hackers reportedly took username and password pairs exposed in earlier breaches of other websites and replayed them against 23andMe’s login page, gaining access to accounts whose owners had reused those same credentials.
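As an added illustration of what the credential-stuffing pattern described above looks like from the defending side (example code written for this article, not 23andMe’s own systems or anything the SEC filing describes), the following Python flags source addresses that attempt logins against many distinct accounts at a low success rate within a short window, and lists the accounts that did succeed, since those are the ones that warrant an immediate forced password reset. The log format, thresholds, usernames and IP addresses are constructed assumptions.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from 23andMe or from the article. The log line
format, the sample events and the thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <username> <SUCCESS|FAIL>".
# 203.0.113.7 sprays many accounts with leaked credentials; a few "hit".
# 198.51.100.20 is one user mistyping their own password, then succeeding.
SAMPLE_LOG = """\
2023-10-01T12:00:01 203.0.113.7 alice@example.com FAIL
2023-10-01T12:00:02 203.0.113.7 bob@example.com FAIL
2023-10-01T12:00:02 203.0.113.7 carol@example.com SUCCESS
2023-10-01T12:00:03 203.0.113.7 dave@example.com FAIL
2023-10-01T12:00:04 203.0.113.7 erin@example.com FAIL
2023-10-01T12:00:05 203.0.113.7 frank@example.com SUCCESS
2023-10-01T12:00:05 203.0.113.7 grace@example.com FAIL
2023-10-01T12:00:06 203.0.113.7 heidi@example.com FAIL
2023-10-01T12:01:10 198.51.100.20 alice@example.com FAIL
2023-10-01T12:01:15 198.51.100.20 alice@example.com FAIL
2023-10-01T12:01:40 198.51.100.20 alice@example.com SUCCESS
2023-10-01T12:05:00 192.0.2.9 ivan@example.com SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=5, max_success_rate=0.5):
    """Return {src_ip: summary} for sources whose attempts inside any sliding
    window touch at least `min_accounts` distinct usernames with a success
    rate of at most `max_success_rate`. A legitimate user retrying their own
    password touches one account and is never flagged by this rule."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; tuples compare on timestamp first
        start = 0
        best = None
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = sum(1 for e in win if e[3])
            rate = successes / len(win)
            if len(users) >= min_accounts and rate <= max_success_rate:
                # Keep the window that covers the most distinct accounts.
                if best is None or len(users) > best["distinct_accounts"]:
                    best = {
                        "distinct_accounts": len(users),
                        "attempts": len(win),
                        "success_rate": round(rate, 2),
                        # Successful logins inside a spray are the accounts
                        # whose reused credentials were valid: reset these.
                        "compromised_accounts": sorted(e[2] for e in win if e[3]),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


def accounts_to_reset(flagged):
    """Union of accounts that logged in successfully from a flagged source."""
    accounts = set()
    for summary in flagged.values():
        accounts.update(summary["compromised_accounts"])
    return sorted(accounts)


if __name__ == "__main__":
    hits = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, summary in hits.items():
        print(ip, summary)
    print("force password reset for:", accounts_to_reset(hits))
```

The rule keys on the ratio of distinct accounts to successes per source, which is what distinguishes a replay of leaked credential lists from ordinary failed logins; in practice the same logic is run per /24 or per ASN as well, because stuffing traffic is usually spread across many addresses, and a successful login inside a flagged cluster is the trigger for the early forced reset that Rachel Tobac calls for later in the article.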

This process gave the hackers access to “a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting into 23andMe’s DNA Relatives feature,” the company explained.

Much of that data was subsequently posted online, and the SEC filing indicated that the company is currently attempting to remove that information.

As for future threats, 23andMe wrote that it “believes that the threat actor activity is contained.”

The latest hacking incident has sparked a renewed call for tech firms with access to personal information to take more concrete steps toward protecting it.

“I would like to see organizations proactively support their users in avoiding credential stuffing risk — and in the case of 23andMe, the reaction to force password resets could have happened much earlier, as soon as the credential stuffing attack was known,” said SocialProof Security CEO Rachel Tobac shortly after the scheme was exposed. “Eventually I would like organizations to focus on proactive rather than reactive actions to reduce this risk — and reactive responses need to happen quickly.”