Raw genotype data of almost 5.1 million people was stolen in the 23andMe Data Breach that went unnoticed for months.
23andMe Data Breach Gave Unauthorized Access to Health Reports
The renowned genetic testing provider, 23andMe, has confirmed that there was a security breach impacting their customers. Hackers were able to gain unauthorized access to health reports and raw genotype data of affected customers.
This breach occurred between April 29 and September 27, lasting for approximately five months. The attackers obtained the customers’ login credentials from previous data breaches or by using compromised credentials from other online platforms.
Some of the stolen data was publicly posted on the BreachForums hacking forum and an unofficial 23andMe subreddit site. 23andMe has taken appropriate measures to notify and assist those affected by this incident.
23andMe Data Leak Includes Sensitive Data for 5.1 Million People
The leaked information includes the data for 1 million Ashkenazi Jews and 4.1 million people living in the United Kingdom.
“Our investigation determined the threat actor downloaded or accessed your uninterrupted raw genotype data, and may have accessed other sensitive information in your account, such as certain health reports derived from the processing of your genetic information, including health-predisposition reports, wellness reports, and carrier status reports,”
23andMe revealed.
“To the extent your account contained such information, the threat actor may have also accessed self-reported health condition information, and information in your settings.”
In addition to the health reports and raw genotype data, it is important to note that customers who utilized 23andMe’s DNA Relatives feature may have had their DNA Relatives and Family Tree profile information compromised as well.
This means that the attackers potentially accessed the following information if it was shared through the DNA Relatives feature:
Ancestry reports and matching DNA segments, which indicate specific locations on your chromosomes where you and your relative had matching DNA.
- Self-reported location details such as city or zip code.
- Information regarding the birth locations of ancestors and family names.
- Profile picture, birth year, and any other information provided in the “Introduce yourself” section of the profile.
Please be aware that this additional data may have been accessed by the attackers during the breach.
23andMe Data Breach Compromised Data of 14 Million Customers in Total
According to 23andMe’s statement to BleepingComputer in December, the hackers were able to download the data of approximately 6.9 million individuals out of the total 14 million customers. The breach involved around 14,000 user accounts being compromised.
Out of the affected individuals, approximately 5.5 million had their data scraped through the DNA Relatives feature, while around 1.4 million had their data accessed through the Family Tree feature.
In response to the attack, 23andMe took swift action. On October 10, just one week after discovering the breach, the company implemented a mandatory password reset for all customers.
As a response to the security breach, 23andMe has taken proactive measures to enhance the security of customer accounts. Since November 6, both new and existing customers are required to enable two-factor authentication when logging into their accounts. This added security measure aims to prevent any future credential-stuffing attempts.
23andMe data Breach Lawsuit
Additionally, the incident from last year led to the filing of multiple lawsuits against 23andMe. In response, the company updated its Terms of Use on November 30. These updates include provisions that make it more challenging for customers to participate in class action lawsuits against 23andMe.
One of the updates states that disputes between customers and the company must be pursued on an individual basis, rather than as class actions, collective actions, or class arbitrations.
However, 23andMe clarified that these changes were made to streamline and simplify the arbitration process for the benefit of customers. The intention is to make the arbitration process more efficient and easier for customers to comprehend.
