23andMe Hackers Accessed Sensitive Information Of Millions Of Customers

The Genetic testing company 23andMe recently admitted in a filing with the U.S. Securities and Exchange Commission (SEC) that a major data breach resulted in the information of over one million customers being accessed.

23andMe, a prominent ancestry testing and analysis company, recently underwent a major data breach. Per the SEC filing, the breach allowed hackers to access about 0.1% of the company’s customers or 14,000 of the 14 million individuals who use the famed ancestry company.

Not only that, but the hackers gained access to 23andMe’s DNA Relatives (DNAR) feature, which is responsible for matching users with their genetic relatives. Such an action paved the way for the hackers to access the information of millions of customers.

A spokesperson for 23andMe told Engadget that hackers were able to access the DNAR profiles of over 5 million individuals, along with the Family Tree profile information of 1.4 million DNA Relative participants.

The information accessed includes users’ display names, locations, shared DNA percentages for DNA relative analysis, family names, possible relationships, and ancestry reports. The Family Tree profiles contained information about a customer’s date of birth and location.

In October 2023, when the breach was first reported, 23andMe launched an investigation into the matter but “found that no genetic testing results have been leaked.”

In the company’s new SEC filing, it said that the data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.”

The breach was carried out using a credential-stuffing attack, which involved the hackers using login credentials from other compromised websites to gain access to 23andMe accounts.

As a result, “the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting into 23andMe’s DNA Relatives feature and posted certain information online.”

After the breach was discovered, 23andMe advised its customers to change their login credentials. The company later activated two-factor authentication for its users. On Dec. 1, 2023, 23andMe said it was notifying all those affected in the matter and that it “believes the threat actor activity is contained.”