An SEC filing has revealed additional details about a data breach affecting 23andMe customers that was disclosed earlier this fall. The company says its investigation found that hackers were able to access the accounts of roughly 0.1 percent of its user base, or about 14,000 of its 14 million total customers, TechCrunch notes. On top of that, the attackers were able to exploit 23andMe's opt-in DNA Relatives (DNAR) feature, which matches users with their genetic relatives, to access information about millions of other users. A 23andMe spokesperson told Engadget that hackers accessed the DNAR profiles of roughly 5.5 million customers this way, plus Family Tree profile information from 1.4 million DNA Relatives participants.
DNAR profiles contain sensitive details, including self-reported information such as display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships and ancestry reports. Family Tree profiles contain display names and relationship labels, plus other information that a user may choose to add, including birth year and location. When the breach was first revealed in October, the company said its investigation "found that no genetic testing results have been leaked."
According to the new filing, the data "generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user's genetics." All of this was obtained through a credential-stuffing attack, in which attackers take username and password pairs leaked from other, previously compromised websites and replay them against accounts on a different site, succeeding wherever a user reused the same password. In doing so, the filing says, "the threat actor also accessed a significant number of files containing profile information about other users' ancestry that such users chose to share when opting in to 23andMe's DNA Relatives feature and posted certain information online."
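As an added illustration of the credential-stuffing pattern described above (example code written for this page, not 23andMe's or the filing's own material), the following Python script runs a simple triage heuristic over constructed authentication log lines: a source IP that tries many distinct usernames with a high failure rate looks like a stuffing run, and any account that logged in successfully from such a source is one whose password was reused and needs a forced reset. The log format, field names, thresholds and every sample line are assumptions made for the example.

```python
"""Credential-stuffing triage over web authentication logs.

Added example, not 23andMe code. The log format ("timestamp ip user result"),
the thresholds and all sample lines below are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one source walks a list of leaked usernames and
# succeeds on two of them (reused passwords); a real user typos once and then
# logs in; a third user logs in normally.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol@example.com OK
2023-10-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2023-10-01T10:00:07Z 203.0.113.7 grace@example.com OK
2023-10-01T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T10:00:09Z 203.0.113.7 ivan@example.com FAIL
2023-10-01T10:00:10Z 203.0.113.7 judy@example.com FAIL
2023-10-01T10:05:00Z 198.51.100.4 alice@example.com FAIL
2023-10-01T10:05:30Z 198.51.100.4 alice@example.com OK
2023-10-01T10:06:00Z 192.0.2.9 mallory@example.com OK
"""


@dataclass
class IpStats:
    """Per-source-IP counters used by the heuristic."""
    attempts: int = 0
    failures: int = 0
    users: set[str] = field(default_factory=set)      # distinct usernames tried
    successes: set[str] = field(default_factory=set)  # usernames that logged in OK


def parse_line(line: str) -> tuple[str, str, str, bool]:
    """Split one assumed-format log line into (timestamp, ip, user, ok)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"


def ip_stats(log_text: str) -> dict[str, IpStats]:
    """Aggregate attempts, failures and distinct users per source IP."""
    stats: dict[str, IpStats] = defaultdict(IpStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return dict(stats)


def stuffing_sources(stats: dict[str, IpStats], min_users: int = 5,
                     min_fail_ratio: float = 0.5) -> dict[str, IpStats]:
    """Flag IPs that tried many distinct usernames and mostly failed.

    Many distinct usernames is what separates stuffing from brute force
    (one username, many passwords) and from a legitimate user who mistypes
    their own password a few times.
    """
    return {
        ip: s for ip, s in stats.items()
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio
    }


def exposed_accounts(log_text: str, **thresholds) -> tuple[list[str], list[str]]:
    """Return (flagged source IPs, accounts that logged in OK from them)."""
    flagged = stuffing_sources(ip_stats(log_text), **thresholds)
    exposed: set[str] = set()
    for s in flagged.values():
        exposed |= s.successes
    return sorted(flagged), sorted(exposed)


if __name__ == "__main__":
    ips, accounts = exposed_accounts(SAMPLE_LOG)
    print("stuffing sources:", ips)
    print("accounts to reset and enroll in 2FA:", accounts)
```

The two thresholds encode the shape of a stuffing run: because it only succeeds where a password was reused, its failure ratio per source stays high even when it hits, while a real user's failures cluster on a single username. In practice the same logic would be run per time window and per ASN rather than per bare IP, since stuffing tools rotate through proxy pools; the response for the exposed list is the one described below, a forced password change and 2FA enrollment.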
Following the discovery of the breach, 23andMe instructed affected users to change their passwords and later rolled out two-factor authentication for all of its customers. In another update on Friday, 23andMe said it had completed the investigation and is notifying everyone who was affected. The company also wrote in the filing that it "believes that the threat actor activity is contained," and is working to have the publicly posted information taken down.
Update, December 2 2023, 7:03PM ET: This story has been updated to include information provided by a 23andMe spokesperson on the scope of the breach and the number of DNA Relatives participants affected.