Data breach affects nearly 7 million 23andMe profiles

Data including family trees and birth years have been stolen

Genomics database 23andMe has finished its investigation into an October data breach, finding that 6.9 million profiles - nearly half of all users - have been affected.

The hack first came to light in October, when an attacker leaked a list of individuals with Ashkenazi Jewish ancestry on dark web site BreachForums.

23andMe, a genetic testing firm that helps people track their ancestry and find relatives, wrote in an SEC statement that the threat actor was initially able to access just 0.1% of accounts on the site - about 14,000 profiles.

The company says the hacker(s) were able to access the site because customers had re-used passwords that were already compromised in breaches of other platforms, the pattern known as credential stuffing.

Data accessed "generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user's genetics."

The danger, however, was in lateral movement. The attacker was able to leverage 23andMe's DNA Relatives feature, an opt-in process to connect to other people with a close genetic match, to steal information on millions of other users.
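The two behaviours described above, credential stuffing against the login endpoint and then bulk harvesting of relatives' profiles from the small number of accounts that were cracked, are both visible in ordinary access logs if anyone is looking. The following is an added example written for this article, not code from 23andMe or from the reporting; the log format, the thresholds and the sample lines are all constructed for illustration. It flags source addresses that try many distinct usernames with a high failure rate, flags accounts that view far more relative profiles in a window than a person plausibly would, and joins the two to list which accounts a stuffing source actually got into.

```python
"""Detection sketch for credential stuffing followed by relative-profile harvesting.

Everything here is constructed for the example: the log line format
("<ISO timestamp> <event> key=value ..."), the thresholds, and the
sample traffic. It is not 23andMe's logging or the attacker's traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed sample: one IP sprays six usernames and lands one (carol),
    then that account pulls 60 relative profiles in five minutes. A second IP
    is a normal user (grace) who mistypes once and views three relatives."""
    lines = [
        "2023-10-01T10:00:01 login ip=203.0.113.5 user=alice result=fail",
        "2023-10-01T10:00:02 login ip=203.0.113.5 user=bob result=fail",
        "2023-10-01T10:00:03 login ip=203.0.113.5 user=carol result=ok",
        "2023-10-01T10:00:04 login ip=203.0.113.5 user=dave result=fail",
        "2023-10-01T10:00:05 login ip=203.0.113.5 user=erin result=fail",
        "2023-10-01T10:00:06 login ip=203.0.113.5 user=frank result=fail",
        "2023-10-01T10:00:07 login ip=198.51.100.9 user=grace result=fail",
        "2023-10-01T10:00:08 login ip=198.51.100.9 user=grace result=ok",
    ]
    for i in range(60):
        ts = datetime(2023, 10, 1, 10, 1, 0) + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} relative_view ip=203.0.113.5 user=carol relative=r{i}")
    for i in range(3):
        ts = datetime(2023, 10, 1, 10, 2, 0) + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} relative_view ip=198.51.100.9 user=grace relative=g{i}")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ev = {"ts": datetime.fromisoformat(parts[0]), "event": parts[1]}
        for kv in parts[2:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def detect_credential_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that attempt many distinct usernames and mostly fail.
    A legitimate user retries one or two accounts; a stuffing tool walks a list."""
    by_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for ev in events:
        if ev["event"] != "login":
            continue
        stats = by_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats["total"] += 1
        if ev["result"] == "fail":
            stats["fails"] += 1
    return [
        ip for ip, s in sorted(by_ip.items())
        if len(s["users"]) >= min_users and s["fails"] / s["total"] >= min_fail_ratio
    ]


def detect_relative_harvesting(events, window=timedelta(minutes=10), max_views=50):
    """Flag accounts that view more than max_views relative profiles inside any
    sliding window of the given length (two-pointer sweep over sorted timestamps)."""
    views = defaultdict(list)
    for ev in events:
        if ev["event"] == "relative_view":
            views[ev["user"]].append(ev["ts"])
    flagged = []
    for user, times in sorted(views.items()):
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_views:
                flagged.append(user)
                break
    return flagged


def accounts_reached_by_stuffing(events):
    """Join the two signals: which accounts had a successful login from a
    source already flagged as stuffing. These are the accounts to force
    a password reset and session revocation on first."""
    bad_ips = set(detect_credential_stuffing(events))
    hit = {ev["user"] for ev in events
           if ev["event"] == "login" and ev["result"] == "ok" and ev["ip"] in bad_ips}
    return sorted(hit)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_credential_stuffing(evs))
    print("harvesting accounts:", detect_relative_harvesting(evs))
    print("accounts reached by stuffing:", accounts_reached_by_stuffing(evs))
```

The thresholds are deliberately crude; in practice they would be tuned against a baseline of normal DNA Relatives usage, and the harvesting check would run per account regardless of how the account was logged into, since a stuffing source is not always identifiable by IP.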

Spokesperson Katie Watson told TechCrunch that the threat actor accessed personal information of about 5.5 million people who had opted in to DNA Relatives. That included names, birth years, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.

A further 1.4 million people who had opted in to DNA Relatives also "had their Family Tree profile information accessed," which also includes metadata - like whether the user had chosen to share that information or not.

Although Watson confirmed the numbers of users affected, 23andMe did not mention them in its SEC disclosure, which gave only the 0.1% figure. The 6.9 million profiles, in contrast, represent about 50% of the company's total user base.

23andMe is now in the process of notifying affected individuals, and has scrambled to clean up its mess - disabling some DNA Relatives features in late October and adding mandatory two-factor authentication in November.

Computing says:

Forget about base jumping: handing your DNA data over to a private firm is the ultimate risk. 23andMe, Ancestry.com and others are no more or less secure than any other site, but hold a wealth of personal information that can't be accessed anywhere else.

It's similar to the recurring problem with biometric authentication. Requiring a scan of a fingerprint or retina makes a service super secure - until it gets breached in another way, perhaps through the human factor, and that secure, unchangeable authentication method is now in the public domain. And unlike a password, you can't change your genetic makeup or your fingerprint.

It's a slim, slim silver lining, but we should at least be grateful that the attacker, in this case, was only able to access information on the 23andMe website itself - not people's DNA records.