23andMe Data Breach Impacts 6.9M Users

December 05, 2023 - Genetic testing company 23andMe issued an amended Form 8-K Securities and Exchange Commission (SEC) filing to provide supplemental information about a data breach that occurred in October 2023.

On October 1, a threat actor posted online claiming that they had accessed and obtained 23andMe users’ profile information. The company immediately launched an investigation that determined that the threat actor had accessed 0.1 percent of user accounts using credential stuffing tactics.

23andMe has stated that it has no evidence that there was a data security incident within its systems. Rather, threat actors leveraged credential stuffing, a tactic in which hackers use stolen login information from one account to gain access to other accounts with the same passwords.

The information accessed included ancestry information and some health information based on the user’s genetics.

“Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online,” the filing stated.

According to a statement shared with the New York Times, the incident impacted 6.9 million user profiles in total. Essentially, the threat actor gained access to 14,000 accounts via credential stuffing and was able to access the remaining profiles based on the user’s participation in the DNA Relatives feature.

“We are working to remove this information from the public domain,” 23andMe continued in the SEC filing. “As of the filing date of this Amendment, the Company believes that the threat actor activity is contained.”

As previously reported, the hackers allegedly targeted users of Ashkenazi Jewish and Chinese descent, putting minority groups at risk. The threat actors even posted information including name, sex, birth year, location, photos, health information, and genetic ancestry results to the dark web through a database entitled, “Ashkenazi DNA Data of Celebrities.”

This prompted Senator Bill Cassidy (R-LA) to write a letter to 23andMe CEO Anne Wojcicki to raise concerns about the leak.

“Such information in the hands of employers, potential employers, foreign governments, hostile actors, and others could be used to discriminate against individuals associated with the group,” Cassidy wrote.

The Senator sought answers from 23andMe about when it became aware of the incident and what cyber and physical safeguards it had in place.

According to the latest update on 23andMe’s website, the company has temporarily disabled some features within the DNA Relatives tool and reached out to customers to reset passwords and enable multifactor authentication.