6.9 Million 23andMe Users Affected by Data Breach
The genetic testing company, 23andMe, has confirmed in a recent filing with the Securities and Exchange Commission (SEC) that a hacker gained access to a very small percentage of user accounts. 23andMe has around 14 million users worldwide, and 0.1% of accounts were compromised – approximately 14,000 accounts. However, through those accounts, the hacker obtained the data of around 6.9 million users.
The account breaches first came to light on October 1, 2023, when a hacker claimed in an online forum to have the profile information of millions of 23andMe users. 23andMe launched an investigation into a potential data breach and determined that its own systems had not been compromised. Certain accounts had been accessed in a credential stuffing attack. A credential stuffing attack involves using credentials from data breaches at one or more companies to try to access accounts at another, unrelated company.
Access was gained to the 14,000 accounts because those users had reused their 23andMe password at another company that had suffered a data breach, and had not enabled 2-factor authentication for their 23andMe account. The information accessed varied from account to account, and generally included ancestry information and health information based on the user’s genetics.
Those accounts were then used to “access a significant number of files” that included the profiles of other users’ ancestry. The 23andMe DNA Relatives feature allows users to share information with others to find genetic relatives. Through this feature, the 14,000 accounts were used to obtain information from around 5.5 million users. The information obtained varied from user to user, depending on the information they chose to share with others. That information generally included display names, the last login time, the percentage of DNA shared with their DNA relatives’ matches, and the predicted relationship with each person. In some cases, the information also included birth year, geographic information, family tree, and any uploaded photos.
Additionally, the family tree information of a further 1.4 million users who participated in the DNA Relatives feature was compromised. In these cases, the compromised information included display names and relationship labels and, in some cases, display name, geographic location, and birth year. In total, approximately 6.9 million individuals had their data stolen.
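The two behaviours described above, a credential stuffing login pattern followed by one account pulling a large number of DNA Relatives profiles, are the kind of thing a service can detect from its own logs. The following is an added illustration written for this article, not code from 23andMe; the log records, event names, thresholds and IP addresses are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real 23andMe logs): (ts_seconds, event, account, src_ip).
# "login_fail"/"login_ok" come from the login endpoint; "relatives_view" is one
# DNA-Relatives match profile being fetched by the logged-in account.
EVENTS = []
# One source tries eight different accounts; a single reused password works.
for i in range(8):
    EVENTS.append((100 + i, "login_ok" if i == 5 else "login_fail", f"user{i}", "203.0.113.5"))
# The compromised account then pulls 150 relatives' profiles in five minutes.
EVENTS += [(200 + 2 * k, "relatives_view", "user5", "203.0.113.5") for k in range(150)]
# A legitimate user logs in once and browses a handful of matches.
EVENTS.append((300, "login_ok", "alice", "198.51.100.7"))
EVENTS += [(310 + 30 * k, "relatives_view", "alice", "198.51.100.7") for k in range(6)]


def detect_credential_stuffing(events, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that attempt logins against many distinct accounts, mostly failing."""
    attempts, successes, accounts = defaultdict(int), defaultdict(int), defaultdict(set)
    for _, event, account, ip in events:
        if event in ("login_ok", "login_fail"):
            attempts[ip] += 1
            accounts[ip].add(account)
            if event == "login_ok":
                successes[ip] += 1
    return sorted(ip for ip in attempts
                  if len(accounts[ip]) >= min_accounts
                  and successes[ip] / attempts[ip] <= max_success_rate)


def detect_relative_scraping(events, max_profiles=50, window_s=600):
    """Flag accounts that fetch more than max_profiles relative profiles within any window_s span."""
    views = defaultdict(list)
    for ts, event, account, _ in events:
        if event == "relatives_view":
            views[account].append(ts)
    flagged = set()
    for account, stamps in views.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window_s:
                start += 1
            if end - start + 1 > max_profiles:
                flagged.add(account)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("stuffing sources:", detect_credential_stuffing(EVENTS))  # ['203.0.113.5']
    print("scraping accounts:", detect_relative_scraping(EVENTS))   # ['user5']
```

The thresholds are illustrative; in practice the profile-view limit would be tuned against normal DNA Relatives usage, and a hit on the first rule would be a reason to step up authentication on the affected accounts rather than only to alert.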
23andMe confirmed that notifications have started to be issued but could not say when that process will be completed. Steps have also been taken to improve security, including performing a forced password reset for all users and imposing mandatory 2-step verification for new and current users. The 2-step verification was previously optional. 23andMe estimated the cost of the incident to be between $1 million and $2 million, which has mostly been spent on technology consulting services, legal fees, and expenses of other third-party advisors. The expenses and direct and indirect business impacts of the incident could negatively affect its financial results.
“The real story in the 23andMe hack is the type of data threat actors now have. We’ve become accustomed to stolen SSNs, bank numbers, etc. This is genetic information with all the associated implications (family, familial secrets, health information, etc.),” Steve Stone, Head of Rubrik Zero Labs, told The HIPAA Journal. “This information could be weaponized in far more impactful ways than a simple public data dump.”