Genetic testing company 23andMe announced Friday that hackers accessed around 14,000 customer accounts in the company's recent data breach.
In a new filing with the U.S. Securities and Exchange Commission, posted on Friday, the company said that based on its investigation into the incident, it had determined that hackers had accessed 0.1% of its customer base. According to the company's latest annual results report, 23andMe has “over 14 million customers worldwide,” which means 0.1% is around 14,000.
But the company also said that by accessing those accounts, the hackers were also able to access “a significant number of files containing profile information about other users' ancestry that those users chose to share by opting into the DNA Relatives feature of 23andMe”.
The company did not specify what this “significant number” of files is, nor how many of these “other users” were affected.
23andMe did not immediately respond to a request for comment, which included questions about those numbers.
In early October, 23andMe revealed an incident in which hackers had stolen some users' data using a common technique known as “credential stuffing,” whereby cybercriminals log into a victim's account with a password already known to them, typically one leaked in a data breach at some other service and reused by the victim.
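Credential stuffing looks different from a brute-force attack in login telemetry: one source tries many different accounts, usually once each, and a per-account lockout never trips. The detector below is an added example written for this article, not 23andMe's code or anything the company has described; the log format, the IP addresses and the thresholds are all assumptions. It slides a time window over each source's attempts, flags sources that touched many distinct accounts with a low success ratio, and lists the accounts where the spray succeeded, which are the ones that need a forced password reset.

```python
"""
Credential-stuffing detector over constructed login events (example code).

A source spraying leaked credentials produces a burst of attempts against
many distinct usernames with a low, but non-zero, success rate. Per-source
windowing catches it; per-account failure counters do not.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format and addresses are assumptions for the example.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=198.51.100.7 user=alice result=OK
2023-10-01T12:00:05Z ip=198.51.100.7 user=alice result=OK
2023-10-01T12:00:09Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:10Z ip=203.0.113.5 user=carol result=FAIL
2023-10-01T12:00:11Z ip=203.0.113.5 user=dave result=OK
2023-10-01T12:00:12Z ip=203.0.113.5 user=erin result=FAIL
2023-10-01T12:00:13Z ip=203.0.113.5 user=frank result=FAIL
2023-10-01T12:00:14Z ip=203.0.113.5 user=grace result=OK
2023-10-01T12:00:15Z ip=203.0.113.5 user=heidi result=FAIL
2023-10-01T12:30:00Z ip=192.0.2.9 user=ivan result=FAIL
2023-10-01T12:30:20Z ip=192.0.2.9 user=ivan result=FAIL
2023-10-01T12:30:40Z ip=192.0.2.9 user=ivan result=OK
"""


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": fields["ip"],
            "user": fields["user"],
            "ok": fields["result"] == "OK",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources that hit >= min_users distinct
    accounts inside `window` with a success ratio <= max_success_ratio.
    The summary keeps the widest qualifying window seen for that source."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) < min_users:
                continue
            ratio = sum(e["ok"] for e in span) / len(span)
            if ratio > max_success_ratio:
                continue  # mostly successes: looks like a shared NAT, not a spray
            if ip not in hits or len(users) > hits[ip]["distinct_users"]:
                hits[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    # Accounts where a leaked password worked: reset these.
                    "compromised": sorted(e["user"] for e in span if e["ok"]),
                }
    return hits


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The repeated failures from 192.0.2.9 against a single account are ordinary brute force or a forgetful user and are deliberately not flagged here; they are what per-account lockouts already handle. The success-ratio ceiling keeps a corporate NAT with many legitimate users from being flagged, at the cost of missing a spray where most stuffed passwords happen to work, so in production the threshold should be tuned against the site's own baseline.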
The damage, however, was not limited to customers whose accounts were accessed. 23andMe allows users to opt in to a feature called DNA Relatives. If a user opts into that feature, 23andMe shares some of that user's information with other users who match them. That means that by accessing a victim's account, hackers were also able to see the personal data of people connected to that initial victim, none of whom had their own accounts compromised.
23andMe said in the filing that for the initial 14,000 users, the stolen data “typically included ancestry information and, for a subset of those accounts, health-related information based on the user's genetics.” For the other subset of users, 23andMe only said that the hackers stole “profile information” and then posted unspecified “certain information” online.
TechCrunch analyzed the published sets of stolen data by comparing them to known public genealogical records, including websites published by hobbyists and genealogists. Although the data sets were formatted differently, they contained some of the same unique genetic and user information that matched genealogical records published online years earlier.
The owner of a genealogy website, whose relatives' information was exposed in the 23andMe data breach, told TechCrunch that they have about 5,000 relatives discovered through 23andMe, and said “our correlations could take that into account.”
News of the breach first emerged online in October, when hackers advertised what they claimed was the data of one million users of Ashkenazi Jewish descent and 100,000 Chinese users on a well-known hacking forum. About two weeks later, the same hacker who advertised the initial batch of stolen user data advertised the supposed records of four million more people. The hacker offered individual victims' data for between $1 and $10 per profile.
TechCrunch discovered that another hacker, on a different hacking forum, had advertised an even larger set of supposedly stolen user data two months before the October post that was first reported by the media. In that earlier post, the hacker claimed to have 300 terabytes of stolen 23andMe user data and asked for $50 million for the entire database, or between $1,000 and $10,000 for a subset of the data.
In response to the data breach, on October 10, 23andMe forced users to reset their passwords and encouraged them to turn on multi-factor authentication. And on Nov. 6, the company required all users to use two-step verification, according to the new filing.
After the 23andMe breach, other DNA testing companies, Ancestry and MyHeritage, began requiring two-factor authentication.