In October, hackers stole personal data belonging to 6.9 million people who used services from the genetic testing company 23andMe, a company spokesperson confirmed to Axios on Monday.
Why it matters: The personal data, including ancestry reports, some DNA data, birthdates, self-reported location and profile pictures, went up for sale on a popular hacking forum following the breach, according to TechCrunch, which first reported the number of users affected.
- The compromised information, combined with personal information potentially stolen through separate attacks, can help other hackers commit forms of identity theft, like fraudulently opening credit cards or taking out loans.
- As proof that they stole the personal data, hackers published an initial sample of 1 million data points about users with Ashkenazi Jewish heritage, including people’s full names, birth years, location information and more.
- They also reportedly published a separate sample with information about more than 300,000 users with Chinese heritage.
A 23andMe spokesperson said the company believes hackers were able to gain access to the data through a small number of customers reusing passwords that were compromised through separate breaches on other websites.
- Initially, fewer than 14,000 23andMe accounts were compromised through a credential-stuffing attack, the spokesperson said.
- However, because those accounts were linked to the user’s DNA relatives, the hackers were able to access the personal data of a large portion of the company’s customers.
- The 6.9 million people represent almost half of the company’s over 14 million customers worldwide.
- In response to the breach, 23andMe required all users to reset their passwords and will now require customers to protect their accounts with two-factor authentication, a security measure requiring users to sign in with both a password and a second factor, such as a code from another device.
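The two stages the spokesperson describes, a credential-stuffing login pattern followed by exposure of linked relatives' profiles, can be modeled on a small constructed dataset. The following is an added illustration, not 23andMe's code; the user IDs, IP addresses, login events and relative matches are all made up, and the flagging thresholds are assumptions.

```python
from collections import defaultdict

# Stage 1: credential stuffing. Constructed login log as (source_ip, account, success).
# Stuffing shows up as one source trying many distinct accounts with few successes.
LOGIN_EVENTS = [
    ("203.0.113.9", "u01", True), ("203.0.113.9", "u02", True),
    ("203.0.113.9", "u03", False), ("203.0.113.9", "u04", False),
    ("203.0.113.9", "u05", False), ("203.0.113.9", "u06", False),
    ("198.51.100.4", "u07", True),                                   # normal login
    ("198.51.100.5", "u08", False), ("198.51.100.5", "u08", True),  # typo, then success
]

def stuffing_sources(events, min_accounts=5, max_success_rate=0.5):
    """IPs whose attempts span >= min_accounts distinct accounts with a low success rate (assumed thresholds)."""
    per_ip = defaultdict(list)
    for ip, account, ok in events:
        per_ip[ip].append((account, ok))
    flagged = {}
    for ip, attempts in per_ip.items():
        accounts = {a for a, _ in attempts}
        rate = sum(ok for _, ok in attempts) / len(attempts)
        if len(accounts) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {"accounts": len(accounts), "successes": [a for a, ok in attempts if ok]}
    return flagged

# Stage 2: exposure through relative matching. Each constructed pair is a mutual match,
# so a profile is readable from either side once one side's account is taken over.
RELATIVE_MATCHES = [
    ("u01", "u03"), ("u01", "u04"), ("u01", "u05"), ("u01", "u06"),
    ("u02", "u06"), ("u02", "u07"), ("u02", "u08"),
    ("u03", "u09"), ("u10", "u11"),   # u12 has no matches; population is u01..u12
]

def build_relatives_graph(matches):
    graph = defaultdict(set)
    for a, b in matches:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def exposed_profiles(graph, compromised):
    """Profiles the attacker can read: taken-over accounts plus every match they can view (one hop only, since viewing a relative does not yield that relative's login)."""
    exposed = set(compromised)
    for account in compromised:
        exposed |= graph.get(account, set())
    return exposed

def exposure_share(graph, compromised, population_size):
    """Fraction of all customers whose profile data is exposed."""
    return len(exposed_profiles(graph, compromised)) / population_size
```

Feeding the accounts that succeeded from the flagged source into the graph shows two taken-over logins out of twelve users exposing eight profiles, which is the amplification the article describes at a much larger scale.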
The company first disclosed the data leak in early October.
- Last week, it said hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals and “a significant number of files containing profile information about other users’ ancestry,” according to TechCrunch.
- It’s unclear why 23andMe did not share the total number of affected users in last week’s disclosure.
What they’re saying: The spokesperson said the company began encouraging customers to protect their accounts with a multi-factor authentication system in 2019, but never required them to until recently.
- “We do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the spokesperson said.
The big picture: Considering how personal data is linked between multiple accounts, it’s unclear why the company did not require two-factor authentication protection before the breach.
- The spokesperson did not say whether the company ever anticipated that a subset of users with poor cybersecurity practices could put millions of other users’ personal data at risk.