23andMe is a genomics company that collects genetic material from thousands of people for ancestry and genetic predisposition tests. Recently, the company suffered a data breach wherein certain profile information was accessed from individual 23andMe accounts by hackers without users’ authorization. The breach was not due to a hack of the company’s servers; rather, hackers targeted hundreds of individual user accounts, allegedly those that had weak or reused passwords. The hackers were able to gather the stolen data by guessing the login credentials of users and then scraping other people’s information using a 23andMe feature known as “DNA Relatives”. The stolen data includes certain 23andMe customer profile information that users opted into sharing through the DNA Relatives feature, including information about users’ DNA Relatives profiles, to the extent a user opted into that service.
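The attack chain described above (password guessing against many individual accounts, then bulk reads of a relatives feature from the accounts that opened) is what a defender would want to catch in server-side logs. The following is an added detection example, not code from 23andMe or from the original article; the event tuple format, the IP addresses and the thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (hypothetical log format, not real 23andMe logs):
# (timestamp_seconds, source_ip, account, event)
# event is one of: "login_fail", "login_ok", "relative_view"
EVENTS = [
    (0, "203.0.113.7", "alice", "login_fail"),
    (1, "203.0.113.7", "bob", "login_fail"),
    (2, "203.0.113.7", "carol", "login_fail"),
    (3, "203.0.113.7", "dave", "login_fail"),
    (4, "203.0.113.7", "erin", "login_fail"),
    (5, "203.0.113.7", "frank", "login_ok"),
    # one opened account then pulls 120 relative profiles in two minutes
    *[(6 + i, "203.0.113.7", "frank", "relative_view") for i in range(120)],
    # a normal user: one login, a handful of relative views
    (10, "198.51.100.4", "grace", "login_ok"),
    *[(11 + i, "198.51.100.4", "grace", "relative_view") for i in range(5)],
    # a burst with no preceding password spraying from that IP
    (20, "192.0.2.9", "heidi", "login_ok"),
    *[(21 + i, "192.0.2.9", "heidi", "relative_view") for i in range(100)],
]


def detect(events, fail_accounts=5, view_burst=100, window=600):
    """Return (ip, account, reason) alerts.

    An IP that fails logins against `fail_accounts` distinct accounts is
    treated as a password-guessing source.  Any (ip, account) pair that
    views at least `view_burst` relative profiles inside `window` seconds
    is flagged; the reason is stronger when the IP was also guessing.
    """
    fails = defaultdict(set)    # ip -> accounts with a failed login
    views = defaultdict(list)   # (ip, account) -> relative_view timestamps
    guessing_ips = set()
    for ts, ip, acct, ev in events:
        if ev == "login_fail":
            fails[ip].add(acct)
            if len(fails[ip]) >= fail_accounts:
                guessing_ips.add(ip)
        elif ev == "relative_view":
            views[(ip, acct)].append(ts)
    alerts = []
    for (ip, acct), stamps in views.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding time window
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= view_burst:
                reason = "scrape_after_guessing" if ip in guessing_ips else "scrape_burst"
                alerts.append((ip, acct, reason))
                break
    return alerts
```

Per-IP failure counts across distinct accounts are the signal that separates credential stuffing from one user mistyping a password; the view-rate check catches the scraping stage even when the login itself looked clean.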
The company has not been clear on whether it has validated the data the threat actor leaked, noting that its investigation is ongoing and that it currently has “preliminary results”. The leaked information is consistent with a situation in which some user accounts were exposed and then leveraged to scrape data visible in DNA Relatives. The hackers also posted an initial sample of the stolen data on the platform “BreachForums”, claiming that it contained 1 million data points exclusively about Ashkenazi Jewish people.
If you are a 23andMe customer, you can request that your information be deleted from inside your account settings. The company will email you for confirmation, after which it will permanently delete your account, stop using your data in new research studies, and destroy your genetic sample if you gave permission to store it. 23andMe has not made any announcement as to whether it plans to offer any form of credit monitoring or identity protection services to victims of the data breach.
In summary, the 23andMe data breach involved hackers accessing certain profile information from individual 23andMe accounts without users’ authorization. The breach was not due to a hack of the company’s servers; rather, hackers targeted individual user accounts with weak or reused passwords. The stolen data includes certain 23andMe customer profile information that users opted into sharing through the DNA Relatives feature. If you are a 23andMe customer, you can request that your information be deleted from inside your account settings.