What was 14,000 may affect up to 6.9 million users. Genetic testing and information company 23andMe is now admitting that the October data breach that affected 0.1% of their 14 million customer base, or 14,000 users per their SEC filing last Friday, may have exposed the records and personally identifiable information (PII) of 6.9 million users, about half their customer database. In later replies to industry publications TechCrunch and WIRED, a 23andMe spokesperson admitted that hackers accessed the PII of about 5.5 million people who opted-in to 23andMe’s DNA Relatives feature. Add into that an additional 1.4 million “had their Family Tree profile information accessed”. an enhancement to DNA Relatives. The DNA Relatives breach stole individual and family names, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location. Family Tree information exposed display names, relationship labels, birth year, self-reported location, and whether the user decided to share their information.
(Editor’s note: The size of the breach is enough to revive this vintage picture of WWF/WWE wrestler Hulk Hogan in his ‘Hulkamania Running Wild’ persona.)
23andMe has attributed the massive breach to credential stuffing–the reuse of leaked login credentials from other websites and services. But many users have gone public with the information that their logins were unique to 23andMe. 23andMe’s credibility on this issue took a beating from none other than the US National Security Agency (NSA) cybersecurity director Rob Joyce. He wrote on his personal X account that “They disclose the credential stuffing attacks, but they don’t say how the accounts were targeted for stuffing. This was unique and not an account that could be scraped from the web or other sites.” In fact, Mr. Joyce creates a unique email for each account. The cause for the wider breach may lie in data sharing with a partner, MyHeritage, in adding functionality to Family Tree. It seems clear that credential stuffing wasn’t the only technique used to break into the 23andMe user data.
23andMe, as well as Ancestry.com and MyHeritage, now require or strongly recommend two-factor authentication for access to personal accounts. About time. They have also changed terms of service to “encourage a prompt resolution of any disputes”.
What is distressing is that the hacks on the retail side of 23andMe are only the tip of the iceberg–that the really valuable part of their genetic data goes to pharmaceutical companies. Cyberthieves know that motherlode is incredibly valuable to bad actors like the Chinese and the Chinese Communist Party, both key markets for stolen health data. (Developing)