Data Breach Unveiled: 6.9 Million Users Affected
In a recent revelation, 23andMe confirms a significant data breach that exposed sensitive information belonging to 6.9 million users. The breach, affecting 5.5 million users with the DNA Relatives feature enabled, matched individuals with similar genetic profiles. An additional 1.4 million users had their family tree profiles accessed.
Credential Stuffing Attack Unveiled
The breach, outlined in an update to a blog post and a filing with the SEC, resulted from a credential stuffing attack. A threat actor, using account information obtained from other security breaches, gained unauthorized access to 0.1 percent of user accounts—approximately 14,000 users. The attackers exploited the DNA Relatives feature to access additional information from millions of profiles.
Conflicting Statements and User Impact
Despite the breach’s magnitude, 23andMe claims, “We still do not have any indication that there has been a data security incident within our systems.” This assertion contradicts the reality that data from 6.9 million users is now in the hands of attackers. The breach predominantly affects users who opted into the DNA Relatives feature, revealing a failure to implement adequate security measures.
23andMe Data Breach: From October to Present
Troubles surfaced in October when 23andMe acknowledged user information for sale on the dark web. Further investigation followed regarding claims of leaked genetic profiles. The compromised 5.5 million DNA Relatives profiles include users not initially targeted in the credential stuffing attack. The exposed data encompasses a range of sensitive information, from display names to ancestry reports.
Response Measures and Ongoing Investigations
23andMe is in the process of notifying affected users and has initiated password resets. Two-step verification, formerly optional, is now mandatory for both new and existing users. The company aims to strengthen security measures to prevent future breaches. Ongoing investigations seek to uncover the full extent of the breach and identify any vulnerabilities within the system. The aftermath of this breach raises questions about the adequacy of safeguards implemented by genetic testing platforms, urging a reassessment of security protocols across the industry.