There was a breach at 23andMe, the genetic testing company, where hackers have been able to gain access to personal information from about 6.9 million users using customers’ old passwords. The 23andMe hack in some cases include the family trees, birth years and geographic locations, the company said. After weeks of speculation the firm has put a number on 23andMe user data stolen, with more than half of its customers affected.
The 23andMe hack does not include DNA records.
What does 23andMe do?
23andMe is a giant of the growing ancestor-tracing industry. It offers genetic testing from DNA, with ancestry breakdown and personalized health insights.
The biotechnology company, which is based in South San Francisco, was not hacked itself but cyber-criminals logged into about 14,000 individual accounts, or 0.1% of customers, by using email and password details previously exposed in other hacks.
23andMe hacked
As per report about the breach at 23andMe, the company has acknowledged that by accessing those accounts, hackers were then able to find their way into “a significant number of files containing profile information about other users’ ancestry”.
The 23andMe hack was executed by downloading not just the data from those accounts but the private information of all other users they had links to across the sprawling family trees on the website.
23andMe user stolen data includes information like names, how each person is linked and in some cases birth years, locations, pictures, addresses and the percentage of DNA shared with relatives.
23andMe on the hack
As per report, 23andMe spokesperson Katie Watson confirmed that hackers accessed the personal information of about 5.5 million people who opted-in to 23andMe’s DNA Relatives feature, which allows customers to automatically share some of their data with others. The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.
23andMe also confirmed that another group of about 1.4 million people who opted-in to DNA Relatives also “had their Family Tree profile information accessed,” which includes display names, relationship labels, birth year, self-reported location and whether the user decided to share their information, the spokesperson said.
Breach at 23andMe raised concern
As reported, the hackers were able to access the family tree profile information of about 1.4 million other customers participating in the DNA relatives feature, including display names and relationship labels.
One batch of data was advertised on a hacking forum as a list of people with Jewish ancestry. This sparked concerns of targeted attacks.
Though currently no evidence that any of the datasets being advertised have had any buyers or that they have been used by criminals.
Importance of security
Oz Alashe, CEO of CybSafe, a risk management platform, said that the data breach at 23andMe “emphasizes the importance of improving cyber-security behaviors in the general population”.
“Poorly secured accounts, with weak passwords and no two-factor authentication, put all those sharing their sensitive data at risk,” he said.
23andMe said it was now telling all affected customers, as required by law. The firm will be forcing customers to change their passwords and improve their account security.
