Genetic Testing: Hackers steal ancestry, health-related data from 23andMe

Genetic testing company 23andMe disclosed an incident in October where hackers stole some users’ data. Now, the company has announced that cyberattackers accessed around 14,000 customer accounts in the recent data breach. In a new filing with the US Securities and Exchange Commission(seen by TechCrunch), 23andMe said that it has probed into the incident.Based on its investigation, the company revealed that hackers accessed 0.1% of its customer base. According to the company’s recent annual earnings report, 23andMe has “more than 14 million customers worldwide,” which means 0.1% is around 14,000.
What data hackers stole from 23andMe
The company confirmed that by accessing these accounts, the hackers were also able to access “a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature.”
However, the company did not specify what that “significant number” of files was, nor did it mention how many of these “other users” were impacted.
In its filing, 23andMe said that for the initial 14,000 users, the stolen data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.”

For the other subset of users, the company mentioned that the hackers only stole “profile information” and then posted “certain information” online.
23andMe allows users to opt into a feature called DNA Relatives. Hackers not only accessed the data of the customers who had their accounts but also from the company’s DNA Relatives feature.

If a user opts-in to that feature, the company shares some of that user’s information with others. This means by accessing one victim’s account, hackers were also able to see the personal data of people connected to that initial victim.
How hackers managed to steal data
In October, the company mentioned that the hackers were able to steal data using a common technique known as “credential stuffing”. In this technique, cybercriminals hack into a victim’s account by using a known password which has been leaked due to a data breach on another service.


 

Reference

Denial of responsibility! My Droll is an automatic aggregator of Global media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, and all materials to their authors. For any complaint, please reach us at – [email protected]. We will take necessary action within 24 hours.
DMCA compliant image

Leave a Comment