In a significant security breach, hackers have gained unauthorized access to the personal information of approximately 6.9 million users of the genetic testing company 23andMe. The breach involved the exploitation of customers’ old passwords, leading to the compromise of family trees, birth years, and geographic locations, according to the company’s recent statement.
While the biotechnology giant, headquartered in South San Francisco, clarified that its own systems were not hacked, cybercriminals managed to infiltrate around 14,000 individual accounts, equivalent to 0.1% of its customer base. The perpetrators utilized email and password details previously exposed in other security incidents.
The stolen data, however, does not include DNA records, as 23andMe emphasizes. The company, renowned in the ancestor-tracing industry, provides genetic testing services that offer ancestry breakdowns and personalized health insights based on DNA analysis.
The breach became apparent after weeks of speculation, with more than half of 23andMe’s customers affected. Tech Crunch initially reported the incident. The cybercriminals, after accessing the compromised accounts, were able to navigate to a substantial number of files containing profile information about other users’ ancestry. This included details like names, family links, birth years, locations, pictures, addresses, and the percentage of DNA shared with relatives.
Notably, the hackers targeted the family tree profile information of approximately 1.4 million customers participating in the DNA relatives feature, revealing display names and relationship labels. This revelation raises concerns about potential targeted attacks, as one dataset was advertised on a hacking forum as a list of people with Jewish ancestry.
Despite these unsettling developments, there is currently no evidence that any of the datasets have been purchased or utilized by criminals. 23andMe, as a response to the breach, is notifying all affected customers, as mandated by law. Additionally, the company is enforcing password changes and urging users to enhance their account security measures.
Oz Alashe, CEO of CybSafe, a risk management platform, emphasized the broader lesson from this breach, stating, “Poorly secured accounts, with weak passwords and no two-factor authentication, put all those sharing their sensitive data at risk.”
The incident underscores the critical need for improved cybersecurity practices among the general population to mitigate the risk of data breaches and unauthorized access to personal information.