US: 23andMe sees personal data on 6.9 million customers stolen by hackers

In October, hackers stole personal data belonging to 6.9 million people who used services from the genetic testing company 23andMe, a company spokesperson confirmed to Axios on Monday.

Why it matters: The personal data, including ancestry reports, some DNA data, birthdates, self-reported location and profile pictures, went up for sale on a popular hacking forum following the breach, according to TechCrunch, which first reported the number of users affected.

  • The compromised information, combined with personal information potentially stolen through separate attacks, can help other hackers commit forms of identity theft, like fraudulently opening credit cards or taking out loans.
  • As proof that they stole the personal data, hackers published an initial sample of 1 million data points about users with Ashkenazi Jewish heritage, including people’s full names, birth years, location information and more.
  • They also reportedly published a separate sample with information about more than 300,000 users with Chinese heritage.

A 23andMe spokesperson said the company believes hackers were able to gain access to the data through a small number of customers reusing passwords that were compromised through separate breaches on other websites.

  • Initially, fewer than 14,000 23andMe accounts were compromised through a credential-stuffing attack, the spokesperson said.
  • However, because those accounts were linked to the user’s DNA relatives, the hackers were able to access the personal data of a large portion of the company’s customers.
  • The 6.9 million people represent almost half of the company’s over 14 million customers worldwide.
  • In response to the breach, 23andMe required all users to reset their passwords and will now require customers to protect their accounts with two-factor authentication, a security measure that requires users to sign in with both a password and a second factor from another device.

The company first disclosed the data leak in early October.

  • Last week, it said hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals and “a significant number of files containing profile information about other users’ ancestry,” according to TechCrunch.
  • It’s unclear why 23andMe did not share the total number of affected users in last week’s disclosure.