Biogenetics company 23andMe has submitted a new filing with the U.S. Securities and Exchange Commission (SEC) detailing the data breach it suffered in early October 2023.
In the filing, the company said that the threat actors accessed data on 0.1% of its customer base – roughly 14,000 individuals if the company’s recent claim to have “more than 14 million customers worldwide” in a recent annual earnings report is to be believed.
But it gets a bit more complicated than that. 23andme is a genetics testing and ancestry company and sometimes users share this data with other accounts via the “DNA Relatives” feature. Consequently, the attackers accessed “a significant number of files containing profile information about other users’ ancestry that such users chose to share.”
Credential stuffing
The explanation is vague, so we don’t know exactly how many files were accessed, or how many “other users” were affected. But what is known is that a threat actor tried to sell millions of data pieces belonging to 23andMe on the dark web. The company later confirmed the data’s authenticity, saying a hacker most likely used credential stuffing (trying an infinite amount of username/password combinations) to access its systems.
The stolen data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.” Most people have had their “profile information” and “certain information” stolen, the company said, in a previous, equally vague announcement.
Previous media reports said the database included origin estimation, phenotype and health information, photos and identification data, raw data, and some other account information.
The dark web leak reportedly contained one million lines of data for Ashkenazi people (via Bleeping Computer), also affecting more than 300,000 users of Chinese descent (via The Record).
Via TechCrunch