The genetic testing platform, 23andMe, has officially acknowledged a recent security breach that resulted in the exposure of data belonging to approximately 6.9 million of its users. This compromised information encompasses a range of details such as users’ display names, ancestry reports, profile pictures, and more.
According to Andy Kill, the spokesperson for 23andMe, who communicated through an email statement to The Verge, the breach specifically impacted about 5.5 million users who had activated the DNA Relatives feature. This functionality is designed to match users with similar genetic compositions, connecting them with individuals who may share common ancestry.
Additionally, the data breach affected another 1.4 million users, compromising information related to their family tree profiles. In a filing with the Securities and Exchange Commission (SEC), the ancestry website revealed that “threat actors” used a credential stuffing attack to break into a limited percentage of user accounts, which the filing categorises as “Credential Stuffed Accounts.”
This category, amounting to approximately 14,000 users, was disclosed in the filing. Notably, the attackers then used the DNA Relatives feature from these ‘credential stuffed accounts’ as a foothold: because the feature deliberately shows each user the profile details of their genetic matches, logging into a few thousand compromised accounts was enough to scrape supplementary information from millions of other profiles that had opted in.
The SEC filing from 23andMe explained, “Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1 per cent) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available (the ‘Credential Stuffed Accounts’).”
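The pattern described in the filing, one previously leaked password tried against each of many accounts from a single source, is what separates credential stuffing from a brute-force attack (many passwords against one account), and it is detectable from ordinary authentication logs. The following detector is an added example, not code from the article or from 23andMe; the log lines are constructed, and the thresholds (at least ten distinct usernames per source, at least 70% failures, no more than two attempts per username) are assumed starting points rather than values from the page.

```python
"""Detect credential stuffing in authentication logs and list the accounts it reached.

Added example: the log lines below are constructed, and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data): "<timestamp> <source IP> <username> <OK|FAIL>".
# alice and bob log in from their own addresses; 192.0.2.50 sprays one leaked
# password per account across twelve usernames and succeeds against two of them.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.org OK
2023-10-01T10:00:05Z 198.51.100.2 bob@example.org FAIL
2023-10-01T10:00:09Z 198.51.100.2 bob@example.org OK
2023-10-01T10:01:00Z 192.0.2.50 user001@example.org FAIL
2023-10-01T10:01:00Z 192.0.2.50 user002@example.org FAIL
2023-10-01T10:01:01Z 192.0.2.50 user003@example.org OK
2023-10-01T10:01:01Z 192.0.2.50 user004@example.org FAIL
2023-10-01T10:01:02Z 192.0.2.50 user005@example.org FAIL
2023-10-01T10:01:02Z 192.0.2.50 user006@example.org FAIL
2023-10-01T10:01:03Z 192.0.2.50 user007@example.org OK
2023-10-01T10:01:03Z 192.0.2.50 user008@example.org FAIL
2023-10-01T10:01:04Z 192.0.2.50 user009@example.org FAIL
2023-10-01T10:01:04Z 192.0.2.50 user010@example.org FAIL
2023-10-01T10:01:05Z 192.0.2.50 user011@example.org FAIL
2023-10-01T10:01:05Z 192.0.2.50 user012@example.org FAIL
"""


@dataclass
class SourceStats:
    """Per-source-IP login statistics."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    succeeded: set = field(default_factory=set)  # usernames that logged in


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "OK"))
    return events


def summarise_by_source(events):
    """Aggregate attempts, failures and usernames per source IP."""
    stats = defaultdict(SourceStats)
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.succeeded.add(user)
        else:
            s.failures += 1
    return stats


def detect_credential_stuffing(events, min_distinct_users=10,
                               min_failure_ratio=0.7, max_attempts_per_user=2.0):
    """Return {source_ip: [accounts it logged into]} for sources that look like stuffing.

    Stuffing signature: many distinct usernames, mostly failing, about one
    attempt per username. Brute force (many attempts per user) is excluded by
    the attempts-per-user cap. Thresholds are assumed, tune to your traffic.
    """
    findings = {}
    for ip, s in summarise_by_source(events).items():
        distinct = len(s.users)
        if distinct < min_distinct_users:
            continue
        if s.failures / s.attempts < min_failure_ratio:
            continue
        if s.attempts / distinct > max_attempts_per_user:
            continue
        findings[ip] = sorted(s.succeeded)
    return findings


def accounts_needing_reset(findings):
    """Accounts a stuffing source actually reached: force a password reset and review them."""
    return sorted(set().union(*findings.values()))


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_auth_log(SAMPLE_LOG))
    for ip, accounts in found.items():
        print(f"stuffing source {ip}: {len(accounts)} account(s) compromised")
    print("reset:", accounts_needing_reset(found))
```

The accounts returned by `accounts_needing_reset` are the equivalent of the filing's “Credential Stuffed Accounts”: the successes, not the failures, are what matter, because any data reachable from inside those sessions (here, the DNA Relatives matches) should be treated as exposed.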
Despite the data breach, 23andMe asserted in their statement, “We still do not have any indication that there has been a data security incident within our systems.”