Genetic data of 6.9 million people stolen from genetic testing service 23andMe in hack



Genetic testing service 23andMe has reported that user data was leaked as a result of hacking. 23andMe has a feature called DNA Relatives that allows users to find genetic relatives, and it appears that some of the user profile information that can be shared through this feature was leaked. 23andMe told overseas media that the genetic data of 6.9 million users was leaked.

23andMe confirms hackers stole ancestry data on 6.9 million users | TechCrunch
https://techcrunch.com/2023/12/04/23andme-confirms-hackers-stole-ancestry-data-on-6-9-million-users/



23andMe admits hackers accessed 6.9 million users' DNA Relatives data - The Verge
https://www.theverge.com/2023/12/4/23988050/23andme-hackers-accessed-user-data-confirmed

23andMe first announced that it may have been hacked at 20:25 local time on October 9, 2023, saying at the time that it was working with third-party forensic experts and federal law enforcement. 'We are currently investigating,' the company informed users, leaving the details of the damage unknown.

Then, at 21:35 on October 20, it announced: 'As part of our ongoing security investigation, we have temporarily disabled some features of DNA Relatives as an additional precaution to protect your privacy.'

At 7:45 a.m. on Nov. 6, a statement read: 'Starting today, we're requiring all customers to use two-step email verification as an additional layer of protection for their accounts. New users will be automatically prompted for two-step email verification when they create an account. Existing users who do not use an authenticator app will be automatically enrolled in two-step verification and will receive an email with a verification code the next time they sign in.' With this, the company revealed that two-step authentication had become mandatory.

At 3:45 p.m. on Dec. 1, 23andMe said, 'We have completed our investigation with the assistance of third-party forensic experts. We are notifying affected customers in accordance with our legal obligations. 23andMe is taking steps to further secure user data, including requiring all existing customers to reset their passwords and requiring all new and existing users to use two-step verification. We will continue to invest in data protection.'

Addressing Data Security Concerns - 23andMe Blog
https://blog.23andme.com/articles/addressing-data-security-concerns



Although 23andMe reported on its official blog that it had been hacked, it did not disclose details such as how many users were affected. However, when foreign media outlets The Verge and TechCrunch contacted 23andMe directly, it was revealed that the data of 6.9 million users had been leaked.

Andy Kill, a spokesperson for 23andMe, said the latest hack affected the data of approximately 5.5 million users who had enabled DNA Relatives, a feature that matches users with the same genetic makeup, and revealed that 1.4 million users had their family tree profiles accessed.

The data stolen by hacking includes information such as the user's name, date of birth, relationship label, proportion of DNA shared with relatives, ancestry report, and self-reported location.



According to documents submitted to the Securities and Exchange Commission in the United States, the attackers appear to have used a credential stuffing attack, which uses leaked account credentials to gain unauthorized access. As a result, they were able to directly access about 14,000 user accounts, equivalent to 0.1% of 23andMe users. From there, the attackers likely used DNA Relatives to obtain genetic profile information for millions of other people.

'There is no indication yet that a data security incident occurred within our systems or that 23andMe was the source of the compromised account credentials used in these attacks,' Kill told The Verge.

in Security, Posted by logu_ii