23andMe says hackers accessed ‘vital quantity’ of recordsdata about customers’ ancestry

Genetic testing firm 23andMe introduced on Friday that hackers accessed round 14,000 buyer accounts within the firm’s current knowledge breach.

In a new filing with the U.S. Securities and Exchange Commission printed Friday, the corporate mentioned that, primarily based on its investigation into the incident, it had decided that hackers had accessed 0.1% of its buyer base. According to the company’s most recent annual earnings report, 23andMe has “more than 14 million customers worldwide,” which implies 0.1% is round 14,000.

However the firm additionally mentioned that by accessing these accounts, the hackers have been additionally capable of entry “a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature.”

The corporate didn’t specify what that “significant number” of recordsdata is, nor what number of of those “other users” have been impacted.

23andMe didn’t instantly reply to a request for remark, which included questions on these numbers.

In early October, 23andMe disclosed an incident by which hackers had stolen some customers’ knowledge utilizing a standard method often called “credential stuffing,” whereby cybercriminals hack right into a sufferer’s account through the use of a recognized password, maybe leaked due to an information breach on one other service.

The harm, nevertheless, didn’t cease with the purchasers who had their accounts accessed. 23andMe permits customers to choose right into a characteristic known as DNA Relatives. If a person opts-in to that characteristic, 23andMe shares a few of that person’s data with others. That signifies that by accessing one sufferer’s account, hackers have been additionally capable of see the non-public knowledge of individuals related to that preliminary sufferer.

23andMe mentioned within the submitting that for the preliminary 14,000 customers, the stolen knowledge “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.” For the opposite subset of customers, 23andMe solely mentioned that the hackers stole “profile information” after which posted unspecified “certain information” on-line.

TechCrunch analyzed the printed units of stolen knowledge by evaluating it to recognized public family tree information, together with web sites printed by hobbyists and genealogists. Though the units of information have been formatted in a different way, they contained a few of the similar distinctive person and genetic data that matched family tree information printed on-line years earlier.

The proprietor of 1 family tree web site, for which a few of their kinfolk’ data was uncovered in 23andMe’s knowledge breach, informed TechCrunch that they’ve about 5,000 kinfolk found by way of 23andMe, and mentioned our “correlations might take that into account.”

Information of the info breach surfaced online in October when hackers marketed the alleged knowledge of 1 million customers of Jewish Ashkenazi descent and 100,000 Chinese language customers on a well known hacking discussion board. Roughly two weeks later, the identical hacker who marketed the preliminary stolen person knowledge advertised the alleged records of four million more people. The hacker was attempting to promote the info of particular person victims for $1 to $10.

TechCrunch discovered that one other hacker on a unique hacking discussion board had advertised even more allegedly stolen user data two months before the commercial that was initially reported by information retailers in October. In that first commercial, the hacker claimed to have 300 terabytes of stolen 23andMe person knowledge, and requested for $50 million to promote the entire database, or between $1,000 and $10,000 for a subset of the info.

In response to the info breach, on October 10, 23andMe compelled customers to reset and alter their passwords and inspired them to activate multi-factor authentication. And on November 6, the corporate required all customers to make use of two-step verification, in accordance with the brand new submitting.

After the 23andMe breach, other DNA testing companies Ancestry and MyHeritage began mandating two-factor authentication.