Report: 23andMe Breach Affected Nearly Half of Users

Genetic testing company is now requiring 2-step verification for all users
By Evann Gastaldo,  Newser Staff
Posted Dec 5, 2023 1:00 AM CST
23andMe Breach Affected Nearly 7M Customers: Report
This image released by 23andMe shows the company's home-based saliva collection kit. Companies are playing into a rise in the profile of DNA itself as a gift item, from kits such as this to works of art.   (23andMe via AP)

The 23andMe breach confirmed by the company in October affected about half of the genetic testing company's 14 million users, TechCrunch reports. The company first acknowledged Friday, in an SEC filing, that hackers were able to access the personal data of 0.1% of its customers, which would be about 14,000 people, and that the hackers were also able to access "a significant number of files containing profile information about other users' ancestry." A company spokesperson later acknowledged to TechCrunch that, because of 23andMe's DNA Relatives feature, an additional 6.9 records were able to be accessed. The records of some users have been put up for sale on the dark web.

As NBC News reports, DNA Relatives allows users who opt in to see user information (including ancestry, DNA information, ZIP code, birth year, and family member names) about other 23andMe customers to whom they may be distantly related. The company says the aforementioned information, along with customer names, relationship labels, location, ancestry reports and other DNA-related information, for 5.5 million users was accessed; another 1.4 million people who opted in to DNA Relatives had their Family Tree profile information (which includes display names, relationship labels, birth year, and location) accessed.

A different 23andMe spokesperson tells the Verge, "We still do not have any indication that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks," which, the Verge notes, "is at odds with the fact that information from 6.9 million users is now in the hands of attackers." The initial records were accessed via "credential stuffing," in which hackers use usernames and passwords that were already compromised in breaches of other sites in order to force logins at 23andMe for users who reused those same credentials. At that point, the Verge notes that 23andMe's systems failed to prevent the records of other users from being accessed via DNA Relatives—a failure the site may be attempting to address by now requiring two-step verification, which used to be optional. (More 23andMe stories.)

Get the news faster.
Tap to install our app.
X
Install the Newser News app
in two easy steps:
1. Tap in your navigation bar.
2. Tap to Add to Home Screen.

X