Genetic testing company 23andMe has confirmed that hackers were able to breach its security measures and gain access to personal information from approximately 6.9 million users. The breach allowed the cyber-criminals to obtain customers’ old passwords, resulting in the exposure of family trees, birth years, and geographic locations.
The stolen data, however, does not include DNA records, which may come as a relief to the company’s customers. 23andMe, a major player in the ancestor-tracing industry, offers genetic testing from DNA, with ancestry breakdown and personalized health insights. The biotechnology company, based in South San Francisco, was not directly hacked itself, but cyber-criminals were able to log into about 14,000 individual accounts, or 0.1% of customers, using email and password details previously exposed in other hacks.
As reported by Tech Crunch, the hackers were able to access significant amounts of profile information about other users’ ancestry. This includes names, birth years, locations, pictures, addresses, and the percentage of DNA shared with relatives. The criminals were also able to access the family tree profile information of about 1.4 million other customers participating in the DNA relatives feature, including display names and relationship labels.
One concerning aspect of the breach is the advertisement of a batch of data on a hacking forum as a list of people with Jewish ancestry, raising fears of potential targeted attacks. However, there is currently no evidence that any of the datasets being advertised have been used by criminals.
Following the breach, 23andMe is taking steps to rectify the situation. The company will be forcing affected customers to change their passwords and improve their account security. It is also notifying all affected customers, as required by law. Additionally, Oz Alashe, CEO of CybSafe, emphasized the importance of improving cyber-security behaviors in the general population in light of this breach.
The data breach at 23andMe serves as a reminder of the significant risk posed by poorly secured accounts with weak passwords and no two-factor authentication. As the company works to address the breach, customers are advised to take necessary precautions to protect their personal information.