On Friday, 23andMe, a leading genetic testing company, disclosed a security breach that affected 14,000 user accounts of its 0.1% customer base. The breach also led to unauthorized access to a substantial number of files containing profile details of other users’ ancestry.
The extent of the incident goes beyond the initially reported figures, affecting a total of 6.9 million individuals. Of these, 5.5 million users had willingly participated in 23andMe’s DNA Relatives feature, a tool enabling the automatic sharing of certain data with other users. The compromised information encompassed personal details such as names, birth years, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported locations.
According to 23andMe, the security breach was facilitated by customers reusing passwords. Hackers exploited this vulnerability by employing brute-force techniques, utilizing publicly known passwords from previous data breaches in other companies.
The DNA Relatives feature played a significant role in the breach. By compromising one individual account, hackers gained access not only to the account holder’s data but also to the information of their relatives. This amplification effect significantly increased the overall number of individuals affected by the 23andMe security breach.
In response to the incident, 23andMe is actively working to enhance its security measures and urging customers to adopt stronger, unique passwords. The company is also implementing additional safeguards to prevent such unauthorized access in the future, prioritizing the protection of its users’ sensitive genetic and personal information.