23andMe said that data from 6.9 million users was leaked in a recent security breach. According to company spokesperson Andy Kill, about 5.5 million users with DNA Relatives enabled were affected. This feature matches users with similar genetic backgrounds. Additionally, 1.4 million people had their family tree profiles accessed.
In a filing with the Securities and Exchange Commission (SEC) and an update to a blog post on December 1st, 23andMe explained that a threat actor used a credential stuffing attack. This involves logging in with information obtained from other security breaches, often because of reused passwords.
The attackers directly accessed 0.1 percent of user accounts, which amounts to approximately 14,000 users. Once in these accounts, the attackers used the DNA Relatives feature to access more information from millions of other profiles.
23andMe Holding Co. is a publicly held personal genomics and biotechnology company based in South San Francisco, California.
23andMe’s Response, Hacker Access and Security Assurance
The Friday statement said that the hacker had also reached “a significant number of files” through the DNA Relatives feature, but it did not put a number on those files, unlike the figures cited above.
In a statement, Kill said, “We still do not have any indication that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.”
However, this statement contradicts the fact that information from 6.9 million users is now in the hands of attackers. Most of those people were affected because they opted into a feature provided by 23andMe, and the company did not prevent the fan-out from a small number of compromised accounts, either by limiting how much information one account could pull through the feature or by requiring additional account security.
User Data Leaked and Steps for Protection
The first signs of trouble emerged in October when 23andMe confirmed that user information was being sold on the dark web. The genetic testing site then began investigating a hacker’s claim that they had leaked 4 million genetic profiles from people in Great Britain and “the wealthiest individuals in the U.S. and Western Europe.”
Among the 5.5 million leaked DNA Relatives profiles were users who were not part of the initial credential stuffing attack. The exposed data includes details such as display names, predicted relationships with others, the amount of DNA shared with matches, ancestry reports, self-reported locations, ancestor birth locations, family names, profile pictures, and more.
The other 1.4 million users who used the DNA Relatives feature had their family tree profiles viewed. This feature includes details like display names, relationship labels, birth year, and self-reported locations. However, it doesn’t show the percentage of DNA shared with potential relatives on the site or matching DNA segments.
23andMe is currently notifying users affected by the breach. It has advised them to change their passwords and has made two-step verification mandatory for both new and existing users; previously it was an optional security measure.
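The two stages the article describes, replayed credentials from other breaches and the fan-out through DNA Relatives, leave distinct traces in authentication and feature-access logs. The following is an added example, not code from 23andMe or from the article: it runs two detection heuristics over constructed sample events, and the field layout, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real 23andMe logs. Each is
# (source_ip, account, event, result): result is "ok"/"fail" for logins,
# or the viewed relative's profile id for "relative_view" events.
EVENTS = [
    ("203.0.113.9", "alice", "login", "fail"),
    ("203.0.113.9", "bob", "login", "fail"),
    ("203.0.113.9", "carol", "login", "ok"),
    ("203.0.113.9", "dave", "login", "fail"),
    ("203.0.113.9", "erin", "login", "fail"),
    ("203.0.113.9", "frank", "login", "fail"),
    ("198.51.100.4", "grace", "login", "fail"),  # one user mistyping a password
    ("198.51.100.4", "grace", "login", "ok"),
]
# The one account that was opened then pulls far more relative profiles than a person browses.
EVENTS += [("203.0.113.9", "carol", "relative_view", f"profile-{i}") for i in range(300)]
EVENTS += [("198.51.100.4", "grace", "relative_view", f"profile-{i}") for i in range(4)]


def stuffing_sources(events, min_accounts=5, max_success_ratio=0.3):
    """Source IPs that try many distinct accounts with a low success rate: the
    signature of a leaked credential list being replayed, not of a user typo."""
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ok": 0})
    for ip, account, event, result in events:
        if event != "login":
            continue
        s = stats[ip]
        s["accounts"].add(account)
        s["attempts"] += 1
        s["ok"] += result == "ok"
    return sorted(ip for ip, s in stats.items()
                  if len(s["accounts"]) >= min_accounts
                  and s["ok"] / s["attempts"] <= max_success_ratio)


def relative_scrapers(events, max_profiles=50):
    """Accounts that viewed more distinct relative profiles than a per-account
    cap allows; this is the second stage, where one login fans out to many profiles."""
    seen = defaultdict(set)
    for _ip, account, event, result in events:
        if event == "relative_view":
            seen[account].add(result)
    return sorted(a for a, profiles in seen.items() if len(profiles) > max_profiles)


if __name__ == "__main__":
    print("credential stuffing sources:", stuffing_sources(EVENTS))
    print("relative-profile scrapers:", relative_scrapers(EVENTS))
```

The second heuristic doubles as the access cap the article says was missing: a service that enforces `max_profiles` per account and window limits what a single stuffed login can reach.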
23andMe reported a significant data breach affecting 6.9 million users. It began with a credential stuffing attack and spread through the DNA Relatives feature, compromising 5.5 million DNA Relatives profiles. The scale of the leaked data contradicts the company’s assurance that its own systems were not breached. Users are urged to change their passwords, and two-step verification is now mandatory.