23andMe admits hackers accessed 6.9 million users’ DNA Relatives data

Share via:

Image: Getty

23andMe confirmed that a recent breach leaked data belonging to 6.9 million users. In an emailed statement to The Verge, company spokesperson Andy Kill says the breach affected around 5.5 million users who had DNA Relatives enabled, a feature that matches users with similar genetic makeups, while an additional 1.4 million people had their family tree profiles accessed.

In a filing with the Securities and Exchange Commission (SEC) and update to its blog post late on December 1st, 23andMe said a threat actor using a credential stuffing attack — logging in with account info obtained in other security breaches, usually due to password reuse — directly accessed 0.1 percent of user accounts, making up around 14,000 users. With access to those accounts, the attackers used the DNA Relatives feature, which matches people with other members they may share ancestry with, to access the additional information from millions of other profiles.

“We still do not have any indication that there has been a data security incident within our systems”

Its Friday statement noted the hacker also accessed “a significant number of files” via the Relatives feature but didn’t include the figure stated above.

Kill tells The Verge, “We still do not have any indication that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.” This statement is at odds with the fact that information from 6.9 million users is now in the hands of attackers. The overwhelming majority of those people are affected because they opted into a feature provided by 23andMe, which failed to prevent the breach by either limiting access to the information or requiring additional account security.

The first public signs of trouble appeared in October when 23andMe confirmed user information was up for sale on the dark web. The genetic testing site later said it was investigating a hacker’s claims that they leaked 4 million genetic profiles from people in Great Britain and “the wealthiest people living in the U.S. and Western Europe.”

The 5.5 million DNA Relatives profiles leaked included users who weren’t a part of the initial credential stuffing attack. The data revealed includes things like display names, predicted relationships with others, the amount of DNA users share with matches, ancestry reports, self-reported locations, ancestor birth locations, family names, profile pictures, and more.

The remaining 1.4 million users who also participated in the DNA Relatives feature had their family tree profiles accessed. This feature similarly includes display names, relationship labels, birth year, and self-reported locations. It doesn’t include the percentage of DNA shared with potential relatives on the site or matching DNA segments.

23andMe says it’s still in the process of notifying users affected by the breach. It has also started warning users to reset their passwords and now requires two-step verification for new and existing users, which previously was optional.

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Popular

More Like this

23andMe admits hackers accessed 6.9 million users’ DNA Relatives data

Image: Getty

23andMe confirmed that a recent breach leaked data belonging to 6.9 million users. In an emailed statement to The Verge, company spokesperson Andy Kill says the breach affected around 5.5 million users who had DNA Relatives enabled, a feature that matches users with similar genetic makeups, while an additional 1.4 million people had their family tree profiles accessed.

In a filing with the Securities and Exchange Commission (SEC) and update to its blog post late on December 1st, 23andMe said a threat actor using a credential stuffing attack — logging in with account info obtained in other security breaches, usually due to password reuse — directly accessed 0.1 percent of user accounts, making up around 14,000 users. With access to those accounts, the attackers used the DNA Relatives feature, which matches people with other members they may share ancestry with, to access the additional information from millions of other profiles.

“We still do not have any indication that there has been a data security incident within our systems”

Its Friday statement noted the hacker also accessed “a significant number of files” via the Relatives feature but didn’t include the figure stated above.

Kill tells The Verge, “We still do not have any indication that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.” This statement is at odds with the fact that information from 6.9 million users is now in the hands of attackers. The overwhelming majority of those people are affected because they opted into a feature provided by 23andMe, which failed to prevent the breach by either limiting access to the information or requiring additional account security.

The first public signs of trouble appeared in October when 23andMe confirmed user information was up for sale on the dark web. The genetic testing site later said it was investigating a hacker’s claims that they leaked 4 million genetic profiles from people in Great Britain and “the wealthiest people living in the U.S. and Western Europe.”

The 5.5 million DNA Relatives profiles leaked included users who weren’t a part of the initial credential stuffing attack. The data revealed includes things like display names, predicted relationships with others, the amount of DNA users share with matches, ancestry reports, self-reported locations, ancestor birth locations, family names, profile pictures, and more.

The remaining 1.4 million users who also participated in the DNA Relatives feature had their family tree profiles accessed. This feature similarly includes display names, relationship labels, birth year, and self-reported locations. It doesn’t include the percentage of DNA shared with potential relatives on the site or matching DNA segments.

23andMe says it’s still in the process of notifying users affected by the breach. It has also started warning users to reset their passwords and now requires two-step verification for new and existing users, which previously was optional.

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at office@startupnews.fyi

More like this

Beyond Borders: The Global Rise of Wai Wai Noodles

New Delhi , November 19: Wai Wai Noodles...

Indian news agency sues OpenAI alleging copyright infringement

One of India’s largest news agencies, Asian News...

Homegrown Beer Brand Proost Beer Bags INR 30 Cr...

SUMMARY Proost Beer manufactures and sells a range of...

Popular

Upcoming Events

Startup Information that matters. Get in your inbox Daily!