Genetic testing firm 23andMe said on Friday that hackers accessed around 14,000 customer accounts in the company's recent data breach.
In a new filing with the U.S. Securities and Exchange Commission published Friday, the company said that, based on its investigation into the incident, it had determined that hackers had accessed 0.1% of its customer base. According to the company's most recent annual earnings report, 23andMe has "more than 14 million customers worldwide," which means 0.1% is around 14,000.
But the company also said that by accessing those accounts, the hackers were also able to access "a significant number of files containing profile information about other users' ancestry that such users chose to share when opting in to 23andMe's DNA Relatives feature."
The company did not specify what that "significant number" of files is, nor how many of those "other users" were affected.
23andMe did not immediately respond to a request for comment, which included questions about those numbers.
In early October, 23andMe disclosed an incident in which hackers had stolen some users' data using a common technique known as "credential stuffing," in which cybercriminals break into a victim's account by using an already-known password, perhaps leaked as a result of a data breach at another service.
The damage, however, did not stop with the customers whose accounts were accessed. 23andMe allows users to opt in to a feature called DNA Relatives. If a user opts in to that feature, 23andMe shares some of that user's data with other users. That means that by accessing one victim's account, hackers were also able to see the personal data of people linked to that initial victim.
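Credential stuffing, as described above, replays username/password pairs leaked elsewhere, so one source typically tries many different accounts with mostly failed logins and a handful of successes. The following added example (not code from 23andMe or from the original article) shows the defender's view: it parses a constructed authentication log and flags sources whose distinct-account count and failure rate both look like a stuffing run; the log format, field names and thresholds are assumptions.

```python
"""Flag credential-stuffing sources in a constructed authentication log."""
from collections import defaultdict

# Constructed sample log (not real 23andMe data): timestamp, source IP, user, outcome.
# 203.0.113.7 hits six different accounts, mostly failing; the other two sources
# look like ordinary users (one account each).
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice FAIL
2023-10-01T10:00:02 203.0.113.7 bob FAIL
2023-10-01T10:00:02 203.0.113.7 carol SUCCESS
2023-10-01T10:00:03 203.0.113.7 dave FAIL
2023-10-01T10:00:03 203.0.113.7 erin FAIL
2023-10-01T10:00:04 203.0.113.7 frank SUCCESS
2023-10-01T10:00:05 198.51.100.2 alice FAIL
2023-10-01T10:00:09 198.51.100.2 alice SUCCESS
2023-10-01T10:01:00 192.0.2.9 gina SUCCESS
"""


def parse_log(text):
    """Return (timestamp, ip, user, succeeded) tuples for each non-empty line."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((ts, ip, user, outcome == "SUCCESS"))
    return events


def flag_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.5):
    """Per source IP, count distinct accounts tried and the failure ratio.

    A source is flagged when it touched at least `min_accounts` different
    users and at least `min_fail_ratio` of its attempts failed. The accounts
    it did log into are reported so they can be force-reset first.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for _, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["hits"].add(user)
        else:
            stats["fails"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["fails"] / stats["attempts"]
        if len(stats["users"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"accounts_tried": len(stats["users"]),
                           "fail_ratio": round(fail_ratio, 2),
                           "compromised": sorted(stats["hits"])}
    return flagged


if __name__ == "__main__":
    print(flag_stuffing_sources(parse_log(SAMPLE_LOG)))
```

In production the same counting would run over a sliding time window and feed the password-reset and MFA enforcement steps described later in the article.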
23andMe said in the filing that for the initial 14,000 users, the stolen data "generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user's genetics." For the other subset of users, 23andMe only said that the hackers stole "profile information" and then posted unspecified "certain information" online.
Ztoog analyzed the published sets of stolen data by comparing them to known public genealogy records, including websites published by hobbyists and genealogists. Although the sets of data were formatted differently, they contained some of the same unique user and genetic data that matched genealogy records published online years earlier.
The owner of one genealogy website, some of whose family members' data was exposed in 23andMe's data breach, told Ztoog that they have about 5,000 relatives discovered through 23andMe, and said our "correlations might take that into account."
News of the data breach surfaced online in October when hackers advertised the alleged data of one million users of Ashkenazi Jewish descent and 100,000 Chinese users on a well-known hacking forum. Roughly two weeks later, the same hacker who advertised the initial stolen user data advertised the alleged records of four million more people. The hacker was attempting to sell the data of individual victims for $1 to $10.
Ztoog found that another hacker on a different hacking forum had advertised even more allegedly stolen user data two months before the advertisement that was first reported by news outlets in October. In that first advertisement, the hacker claimed to have 300 terabytes of stolen 23andMe user data, and asked for $50 million for the entire database, or between $1,000 and $10,000 for a subset of the data.
In response to the data breach, on October 10, 23andMe forced users to reset and change their passwords and encouraged them to turn on multi-factor authentication. And on November 6, the company required all users to use two-step verification, according to the new filing.
After the 23andMe breach, other DNA testing companies Ancestry and MyHeritage began mandating two-factor authentication.