23andMe Security Breach Exposes Personal Data of 6.9 Million Users

In a significant security breach, hackers gained unauthorised access to personal information from approximately 6.9 million users of genetic testing giant 23andMe. The attackers exploited customers’ old passwords, exposing family trees, birth years, and geographic locations and affecting more than half of the company’s user base.

While the intrusion did not compromise DNA records, it has raised concerns about the vulnerability of user profile information. The breach was not a direct hack of 23andMe’s systems; instead, cybercriminals reused email and password details exposed in previous breaches, compromising about 0.1% of customers, or roughly 14,000 individual accounts.

Once inside these accounts, the hackers were able to access a considerable number of files containing profile information about other users’ ancestry. The exposed data included names, relationships, birth years, locations, pictures, addresses, and the percentage of DNA shared with relatives. The compromise extended to family tree profile information for approximately 1.4 million users of the DNA relatives feature, revealing display names and relationship labels.

While one set of data, specifically targeting individuals with Jewish ancestry, was advertised on a hacking forum, there is currently no evidence of any datasets being sold or used by criminals. The incident highlights the critical importance of stronger cybersecurity practices, and users are urged to adopt stronger passwords and enable two-factor authentication.

Oz Alashe, CEO of CybSafe, emphasised the broader implications of the breach and the need for improved cybersecurity behaviours. In response to the breach, 23andMe is notifying all affected customers, as mandated by law, and implementing measures such as password resets to enhance account security. The incident underscores the ongoing challenges companies face in safeguarding sensitive user data and the need for a collective effort to bolster cybersecurity across the population.