Data Breach at 23andMe Targets 6.9M User Profiles

A data breach at the website 23andMe has targeted 6.9 million user profiles. Hackers reportedly used old customer passwords to gain access to personal customer information from the company, which provides DNA testing that helps users learn more about their ancestry. 

According to a United States Securities and Exchange Commission document, the data breach took place in October. The United States Securities and Exchange Commission wrote, “Upon learning of the incident, 23andMe immediately commenced an investigation and engaged third-party incident response experts to assist in determining the extent of any unauthorized activity.”

Based on the investigation, the website determined that only a very small percentage of accounts were initially compromised — 0.1%, or around 14,000 profiles, specifically. The compromised accounts had passwords and usernames that “were the same as those used on other websites that had been previously compromised or were otherwise available.”

Subsequently, the statement said that if 23andMe users opted into a feature titled DNA Relatives, those connections could also find their information compromised. According to The New York Times, the hackers used this feature to gain “access to information from 5.5 million DNA Relatives profiles.” They were also able to “access the Family Tree profile information of about 1.4 million other customers participating in the DNA Relatives feature.”

In October, Bloomberg reported on the hacking. At that time, an anonymous hacker claimed to have the genetic profiles from compromised 23andMe customer accounts for sale. These profiles included email addresses, photos, gender, birthdates, and DNA ancestry.

The company initially disclosed the incident in October in a blog post that did not mention the scope of the compromised data, though they said they had launched an investigation. 23andMe is in the process of notifying all affected customers. 

For customers to ensure the security of any account they create on a particular website, specific measures can be taken. First, refrain from using usernames and passwords across multiple sites. Second, keep a comprehensive list of passwords in case one is compromised. It is best to try and come up with a string of words that is easy to remember, but it’s advisable not to use family names, birthdates, or other personal information when it comes to login information. Adding special characters that are hard for a human or bot to decipher is also advisable.

Since the hack, the company revealed it will require two-factor authentication to protect both old and new customers.