23andMe confirms security breach: millions of users’ genetic data exposed
Attackers potentially gained access to sensitive information, including genotype data, health reports, and other confidential details. The incident was a credential-stuffing attack: attackers logged in with username and password pairs reused from other, previously compromised sites, without breaching the company’s own systems.
23andMe, a popular direct-to-consumer genetic testing service, recently notified its users about a security incident where attackers potentially accessed sensitive information, including genotype data, health reports, and other confidential details.
In a breach notification letter sent to affected users, 23andMe disclosed that the unauthorised access persisted for five months, from late April 2023 to September 2023. The incident was a credential-stuffing attack: attackers logged in with username and password pairs reused from other, previously compromised sites, without breaching the company’s own systems. In the letter, the company explained the cause to users, stating ‘the threat actor was able to gain access to your account because the username and password that you used on 23andMe.com were the same as those that you used on other websites that were previously compromised or otherwise available.’
Upon investigating the breach, 23andMe determined that attackers had accessed users’ ‘uninterpreted raw genotype data’ and other sensitive information, including health reports, health-predisposition reports, wellness reports, and carrier status reports.
Notably, in October of the preceding year, a threat actor known as Golem claimed to have acquired data from seven million 23andMe users. This data was subsequently shared on the cybercrime marketplace BreachForums, revealing details such as names, sex, age, location, and ancestry markers like lineage and yDNA and mtDNA haplogroups (which trace paternal and maternal ancestry). One notable leak allegedly included data on one million ‘celebrities’ of Ashkenazi Jewish descent, while another comprised over four million individuals, primarily from the UK. Although the original posts on the forum were deleted, other members repeatedly reposted the data.
In response to the security incident, 23andMe made multi-factor authentication mandatory for all users. This step is intended to protect user accounts even when a password has been reused on, and leaked from, another site, and so to prevent similar credential-stuffing logins in the future.
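Credential stuffing of the kind described above leaves a characteristic trace in authentication logs: a single source trying many distinct usernames with mostly failed logins in a short window. The following detector is an added example, not 23andMe’s code or anything from the incident; the log format, sample lines, source addresses and thresholds are all constructed assumptions. Accounts that a flagged source did get into are the ones a defender would force through MFA enrolment and a password reset.

```python
"""Credential-stuffing detector over constructed authentication-log lines.

Heuristic (assumption): a source IP that attempts >= min_users distinct
usernames within window_s seconds, with a failure ratio >= min_fail_ratio,
is treated as a stuffing run. Successful logins from such a source are
returned as the accounts to step up (force MFA / reset).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: "<ISO timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice FAIL
2023-05-01T10:00:02 203.0.113.7 bob FAIL
2023-05-01T10:00:03 203.0.113.7 carol OK
2023-05-01T10:00:04 203.0.113.7 dave FAIL
2023-05-01T10:00:05 203.0.113.7 erin FAIL
2023-05-01T10:00:06 203.0.113.7 frank OK
2023-05-01T10:01:00 198.51.100.9 alice FAIL
2023-05-01T10:01:30 198.51.100.9 alice OK
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window_s=300, min_users=5, min_fail_ratio=0.5):
    """Return {src_ip: sorted usernames that logged in successfully} for every
    source whose activity matches the stuffing heuristic in some time window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over this source's attempts
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            fails = sum(1 for _, _, ok in window if not ok)
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                # every account this source got into is a reused-password candidate
                flagged[ip] = sorted({u for _, u, ok in evs if ok})
                break
    return flagged
```

A single user retrying their own password from one address (the second source in the sample) is deliberately not flagged; only the many-usernames pattern is.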