Genetic testing company 23andMe announced Friday that hackers gained access to approximately 14,000 customer accounts in its recent data breach.
In a new filing with the U.S. Securities and Exchange Commission, the company said Friday that, based on its investigation into the incident, it determined the hackers had accessed 0.1% of its customer base. According to the company’s latest annual earnings report, 23andMe has “more than 14 million customers worldwide,” so 0.1% is about 14,000 people.
However, the company also said that by accessing these accounts, the hackers were able to access “substantial data, including profile information about other users’ ancestry, that other users choose to share when opting in to 23andMe’s DNA Relatives feature.” It said the hackers also had access to a number of files.
The company did not say what those “significant” files were or how many “other users” were affected.
23andMe did not immediately respond to a request for comment that included questions about these numbers.
In early October, 23andMe disclosed an incident in which hackers used a common technique known as “credential stuffing” to steal the data of some users. In this technique, an attacker logs into a victim’s account using a known password, typically one exposed in a data breach at another service.
However, the damage was not limited to the customers whose accounts were accessed. 23andMe allows users to opt in to a feature called DNA Relatives. If a user opts in, 23andMe shares some of their information with other users. This means that by accessing a single victim’s account, the hacker was also able to see the personal data of people related to that first victim.
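To make that amplification concrete, here is an added example (not 23andMe’s code or data; every user id, relationship and opt-in choice below is constructed) that counts how many opted-in users become readable through a relative-matching feature once a handful of accounts are taken over:

```python
# Added illustration (not 23andMe's code or data): how compromising a few
# opted-in accounts exposes far more users through a relative-matching
# feature. Every user id and relationship below is constructed.

# Constructed kinship graph: user -> set of users the feature matches them with.
RELATIVES = {
    "u0": {"u1", "u2", "u3"},
    "u1": {"u0", "u4"},
    "u2": {"u0", "u5"},
    "u3": {"u0"},
    "u4": {"u1", "u6"},
    "u5": {"u2"},
    "u6": {"u4", "u7"},
    "u7": {"u6"},
    "u8": {"u9"},
    "u9": {"u8"},
}

# Constructed opt-in list: only opted-in users share profile data, and only
# opted-in users can see the data others share.
OPTED_IN = {"u0", "u1", "u2", "u4", "u5", "u6", "u7", "u9"}


def exposed_via_sharing(compromised, relatives, opted_in):
    """Users whose shared profile data is readable from the compromised accounts.

    A compromised account that never opted in sees nothing; an opted-in one
    sees every opted-in relative the feature lists for it. The compromised
    accounts themselves are excluded, since their data is lost directly.
    """
    visible = set()
    for account in compromised:
        if account not in opted_in:
            continue
        visible |= {r for r in relatives.get(account, ()) if r in opted_in}
    return visible - set(compromised)


def amplification(compromised, relatives, opted_in):
    """Ratio of indirectly exposed users to directly compromised accounts."""
    if not compromised:
        return 0.0
    return len(exposed_via_sharing(compromised, relatives, opted_in)) / len(compromised)


if __name__ == "__main__":
    hit = {"u0", "u6"}  # two accounts taken over by credential stuffing
    print("exposed:", sorted(exposed_via_sharing(hit, RELATIVES, OPTED_IN)))
    print("amplification: %.1fx" % amplification(hit, RELATIVES, OPTED_IN))
```

In the constructed graph, two compromised accounts expose four further users, and the ratio only grows with the size of each user’s match list, which is why a breach of 0.1% of accounts can reach data on a far larger share of the user base.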
23andMe said in its filing that for the roughly 14,000 users whose accounts were accessed, the stolen data “generally includes ancestry information, and for a subset of those accounts health information based on users’ genetics.” For the other users, 23andMe said only that the hackers stole “profile information” and posted “certain information” online, without specifying what.
TechCrunch analyzed the released set of stolen data by comparing it to known public genealogy records, including websites published by hobbyists and genealogists. Although the data set was in a different format, it contained some of the same unique user and genetic information that matched genealogy records published online many years ago.
The owner of a genealogy website whose relatives’ information was partially exposed in the 23andMe data breach told TechCrunch that the site lists about 5,000 relatives discovered through 23andMe, and that the “correlation shows that that may be something to consider.”
News of the data breach surfaced online in October, when hackers advertised what they claimed was data on 1 million Ashkenazi Jewish users and 100,000 Chinese users on a popular hacking forum. About two weeks later, the same hacker who first advertised the stolen user data also advertised what was claimed to be records of 4 million people. The hacker was trying to sell each victim’s data for anything from $1 to $10.
TechCrunch discovered that another hacker had been promoting more allegedly stolen user data on a separate hacking forum two months before the ad first reported by news outlets in October. In that earlier ad, the hacker claimed to have stolen 300 terabytes of data from 23andMe users and asked for $50 million for the entire database, or $1,000 to $10,000 for a subset of the data.
Following the data breach, 23andMe on October 10 forced users to reset their passwords and encouraged them to enable multi-factor authentication. On Nov. 6, the company required all users to use two-step verification, according to the new filing.
After the 23andMe breach, the other DNA testing companies Ancestry and MyHeritage also began requiring two-factor authentication.