23andMe Reports a Data Breach—About 14,000 Customer Accounts Compromised

Beyond compromising individual accounts, the attackers leveraged 23andMe's DNA Relatives feature, allowing them to access the personal data of individuals connected to the initial victims.

By Uchechukwu Nkenta | Category: Security
Image credit: David Paul Morris/Getty Images

Genetic testing company 23andMe recently reported a data breach, revealing that approximately 14,000 customer accounts were compromised. In a filing with the U.S. Securities and Exchange Commission, the company disclosed that hackers accessed 0.1% of its customer base, translating to around 14,000 individuals out of its 14 million global customers.

The breach not only exposed customer accounts but also granted unauthorized access to a considerable number of files containing ancestry profile information belonging to users who had opted into 23andMe’s DNA Relatives feature. The company, however, did not specify the exact number of affected files or the extent of the impact on these users.

The breach was attributed to “credential stuffing,” a common technique in which attackers try username and password pairs already leaked from other services against a new site, succeeding wherever customers had reused a password. Beyond compromising individual accounts, the attackers leveraged 23andMe’s DNA Relatives feature, allowing them to access the personal data of individuals connected to the initial victims.
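The signature that distinguishes this technique from an ordinary forgotten password is one source trying many different accounts in quick succession, mostly failing; the accounts that do succeed from such a source are the ones to force-reset and notify. The following is an added example of that detection logic run over constructed authentication log lines; it is not code from 23andMe or from the article, and the log format, IP addresses and usernames are all invented for illustration.

```python
"""Credential-stuffing detector over authentication logs (constructed sample).
Flags a source IP that attempts many distinct accounts in a short window with a
high failure share, and lists the accounts that succeeded from that source."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

# Constructed log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=carol result=OK
2023-10-01T12:00:03Z ip=203.0.113.5 user=dave result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.5 user=erin result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.5 user=frank result=OK
2023-10-01T12:00:30Z ip=198.51.100.9 user=grace result=FAIL
2023-10-01T12:00:41Z ip=198.51.100.9 user=grace result=FAIL
2023-10-01T12:00:55Z ip=198.51.100.9 user=grace result=OK
"""

def parse(log_text):
    """Parse lines into (timestamp, ip, user, success) tuples, skipping malformed ones."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["res"] == "OK"))
    return sorted(events)

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Return {flagged_ip: sorted accounts that logged in successfully from it}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        # Sliding window: from each event, consider the events within `window` after it.
        for i, (start, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = sorted({u for _, u, ok in win if ok})
                break  # one hit is enough to flag this source
    return flagged
```

The single user retrying their own password from 198.51.100.9 is not flagged, while the source cycling through six accounts is, with carol and frank reported as the accounts to reset.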

For the 14,000 affected users, the stolen data generally included ancestry information, and for a subset of accounts, health-related information based on genetic data. Another subset had unspecified “profile information” exposed, with certain details posted online.

The data breach was noticed when hackers advertised the data of one million users of Jewish Ashkenazi descent and 100,000 Chinese users on a hacking forum. Subsequently, the same hacker offered records of an additional four million people for sale, pricing them between $1 and $10 per victim.

Further investigation showed that another hacker had advertised stolen 23andMe user data two months before the initial report, claiming possession of 300 terabytes of data and seeking $50 million for the entire database or varying amounts for subsets.

In response to the breach, 23andMe implemented security measures in October, including password resets and encouraging customers to enable multi-factor authentication. By November, the company required all users to enable two-step verification.
