23andMe Admits Major Data Breach as Hackers Access Ancestry Information of Millions

A 23andMe Ancestry + Traits Service DNA kit arranged in Dobbs Ferry, New York, U.S., on on
Tiffany Hagler-Geard/Bloomberg/Getty

Genetic testing giant 23andMe has admitted in a SEC filing that it has suffered a massive breach that has exposed the ancestry information of millions of customers utilizing the DNA Relatives feature.

Engadget reports that 23andMe, a popular genetic testing and analysis company, recently admitted it experienced a major data breach. According to an SEC filing, this breach affected a portion of the company’s user base, specifically targeting the opt-in DNA Relatives (DNAR) feature. This feature, designed to match users with genetic relatives, was exploited by hackers to access the accounts of about 14,000 of the 14 million total customers, representing roughly 0.1 percent of 23andMe’s user base.

Although the number of compromised accounts was small, the attackers managed to access the DNAR profiles of approximately 5.5 million customers. Additionally, they obtained Family Tree profile information from 1.4 million participants in the DNA Relatives program. These profiles contain sensitive details including display names, locations, shared DNA percentages, family names, predicted relationships, and ancestry reports. It’s also noted that Family Tree profiles include other voluntarily added information such as birth year and location.

Participant hold their laptops in front of an illuminated wall at the annual Chaos Computer Club (CCC) computer hackers' congress, called 29C3, on December 28, 2012 in Hamburg, Germany. The 29th Chaos Communication Congress (29C3) attracts hundreds of participants worldwide annually to engage in workshops and lectures discussing the role of technology in society and its future. (Photo by Patrick Lux/Getty Images)

Participant hold their laptops in front of an illuminated wall at the annual Chaos Computer Club (CCC) computer hackers’ congress (Photo by Patrick Lux/Getty Images)

The breach was done using a credential-stuffing attack, where hackers used login credentials from other compromised websites to gain unauthorized access to 23andMe accounts. The attackers were able to access and share a significant number of files containing profile information about other users’ ancestry online.

Upon discovering the breach, 23andMe promptly instructed affected users to change their passwords and implemented two-factor authentication for all customers. 23andMe stated that it “believes that the threat actor activity is contained,” and has since completed its investigation. The firm stated that it is notifying all impacted parties and is working to remove the publicly posted information.

Breitbart News first reported on the 23andMe hack in October, long before the company admitted the extent of the situation:

TechCrunch reports that a notorious hacker, identified by the pseudonym “Golem,” has struck again, unleashing a torrent of confidential user records from the popular DNA testing service, 23andMe. This alarming breach follows a previous attack by the same hacker, who has now exposed the personal data of an additional four million users on a well-known cybercrime forum, BreachForums.

Golem stated that the dataset contains information on individuals from Great Britain, claiming it includes data on the wealthiest individuals residing in the U.S. and Western Europe. The compromised data appears to be extensive, revealing sensitive information that could have severe privacy implications for the affected individuals.

Read more at Engadget here.

Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship.


Please let us know if you're having issues with commenting.