After millions of users had their ancestry data exposed online, 23andMe’s investigation revealed that hackers accessed only “a very small percentage” of accounts to scrape user data.
23andMe, one of the most popular direct-to-consumer genetic testing services, has determined that hackers accessed only around 0.1% of user accounts. In those cases, the attackers logged in with usernames and passwords that customers had reused on the 23andMe website and that had been compromised or otherwise exposed on other websites, according to the company’s filing with the SEC.
According to its latest report, 23andMe has a customer base of over 14 million genotyped customers, meaning that hackers may have accessed around 14,000 accounts.
The technique is known as credential stuffing: attackers replay username-and-password pairs leaked from other sites, gaining access to sensitive information without ever breaching the target’s own systems.
“Using this access to the credential stuffed accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting into 23andMe’s DNA Relatives feature and posted certain information online,” 23andMe announced.
The company is also working to remove the information from the public domain and believes that “threat actor activity is contained.”
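The two-stage pattern described above, a stuffing run that only succeeds on a small fraction of accounts, followed by those accounts pulling far more DNA Relatives profiles than any normal user, is the kind of thing a defender can spot in login and application logs. The Python below is an added example written for this article, not 23andMe’s code; the events, IPs (TEST-NET ranges) and view counts are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed login events, not real 23andMe logs: (source_ip, username, success)
LOGIN_EVENTS = [
    ("203.0.113.7", "alice", False), ("203.0.113.7", "bob", False),
    ("203.0.113.7", "carol", True),  ("203.0.113.7", "dave", False),
    ("203.0.113.7", "erin", False),  ("203.0.113.7", "frank", False),
    ("203.0.113.7", "grace", False), ("203.0.113.7", "heidi", True),
    ("198.51.100.23", "alice", True), ("198.51.100.23", "alice", True),
    ("198.51.100.40", "bob", False), ("198.51.100.40", "bob", True),
]

# Constructed: DNA Relatives profiles each logged-in account fetched in one day
PROFILE_VIEWS = {"alice": 12, "bob": 30, "carol": 4800, "dave": 25, "heidi": 3900}


def stuffing_sources(events, min_users=5, max_success_rate=0.3):
    """Source IPs that tried many distinct accounts and mostly failed.
    A user mistyping a password touches one account; a stuffing run
    replays leaked (user, password) pairs across many accounts."""
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "total": 0})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        stats["ok"] += int(ok)
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_users
                  and s["ok"] / s["total"] <= max_success_rate)


def accounts_taken_over(events, sources):
    """Accounts that logged in successfully from a flagged source:
    the ones to force a password reset on."""
    return sorted({u for ip, u, ok in events if ok and ip in sources})


def scraping_accounts(views, factor=10):
    """Accounts fetching far more relative profiles than the median user,
    the amplification step that turns a few hijacked accounts into a
    large exposure of other users' shared data."""
    threshold = median(views.values()) * factor
    return sorted(u for u, n in views.items() if n >= threshold)


if __name__ == "__main__":
    bad = stuffing_sources(LOGIN_EVENTS)
    print("stuffing sources:", bad)                                # ['203.0.113.7']
    print("reset these:", accounts_taken_over(LOGIN_EVENTS, bad))  # ['carol', 'heidi']
    print("scraping:", scraping_accounts(PROFILE_VIEWS))           # ['carol', 'heidi']
```

The thresholds are illustrative; in production they would be tuned per endpoint and combined with the mandatory two-step verification the article mentions, which blocks the successful logins in the first stage outright.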
A threat actor under the alias Golem claimed on October 1st to have obtained data from 7 million 23andMe users. He shared samples of the data on the cybercrime marketplace BreachForums; the entries contained name, sex, age, location, ancestry markers such as lineage and yDNA and mtDNA haplogroups (which trace paternal and maternal ancestry), and other fields.
The first leak allegedly included 1 million people of Ashkenazi Jewish descent, labelled “celebrities,” and another contained more than four million people, most of whom were allegedly from the United Kingdom. The original posts on the forum have since been deleted, but other forum members have repeatedly reposted the data.
23andMe reported on October 10th that malicious actors accessed and downloaded “certain user profile information, which a 23andMe user creates and chooses to share with their genetic relatives in 23andMe’s DNA Relatives feature.”
“The information accessed by the threat actor in the credential stuffed accounts varied by user account and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.”
23andMe expects that the direct and indirect impact of the incident could negatively affect its financial results. The company expects somewhere between $1 million and $2 million in one-time expenses related to the incident during its fiscal quarter ending December 31st.
Those immediate costs primarily consist of technology consulting services, legal fees, and expenses of other third-party advisors. The full scope of the costs and impacts still cannot be estimated as the company faces claims from users and authorities.
“Multiple class action claims have been filed against the Company in federal and state court in California and state court in Illinois, as well as in British Columbia and Ontario, Canada, which the Company is defending. These cases are at an early stage, and the Company cannot predict the outcome,” the filing reads.
After the incident, 23andMe required all users to reset their passwords and introduced compulsory two-step verification for all users.
“23andMe confirmed over the weekend that more than 6 million users were affected by a breach that occurred in early October. This confirmation occurred after the company announced that hackers accessed the data of 14,000 individuals along with the information of “other users.” The 5.5 million other users were hacked through 23andMe’s DNA Relatives feature, and an additional 1.4 million others had their family tree information accessed through the feature,” said Nick Tausek, Lead Security Automation Architect at Swimlane. “Companies that have access to the sensitive genetic information of millions of individuals must prioritize their cybersecurity defenses.”