23andMe Puts A Number To Them Being Pwned In October

Back in October of this year, 23andMe was pwned in a credential stuffing attack. Fast forward to today, and it appears that 23andMe has put a number to how many people were affected by this attack:

On Friday, the California-based company said in a regulatory filing that the personal data of 0.1% of customers – or about 14,000 individuals – had been accessed by “threat actors”. But the filing warned that hackers were also able to access “a significant number of files containing profile information about other users’ ancestry”.

The company confirmed to TechCrunch on Saturday that because of an opt-in feature that allows DNA-related relatives to contact each other, the true number of people exposed was 6.9m – or just less than half of 23andMe’s 14 million reported customers.

Another group of about 1.4 million people who opted in to 23andMe’s DNA relatives feature also “had their family tree profile information accessed”, the company also acknowledged. That information includes names, relationship labels, birth year, self-reported location and other data.

23andMe said in a statement: “We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts.

“We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.”

That is a non-trivial number of people who have been affected by this. And I have not seen, nor have I heard of, any direct communication to users of this service. George McGregor, VP at Approov Mobile Security, concurs with that:

   “This is starting to look like a good case-study in how to not handle a breach. It’s difficult at this point to be confident that no more bad news will be forthcoming. In addition, there has still (as of December 4th) been no direct communication to users. Let it be a lesson for others to ensure a solid data breach plan is in place!”

23andMe really needs to get its act together, as from what I can see it has failed its user base miserably. And given the scope and scale of this hack, it needs to do better. Much better.
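The opening paragraph attributes the breach to credential stuffing, and the quoted figures show how an opt-in relative-matching feature turned roughly 14,000 accessed accounts into 6.9 million exposed profiles. As an added example (not code from the original post and not 23andMe's own systems), here is a small Python detector that flags credential stuffing sources in constructed login logs, lists the accounts those sources actually got into, and computes how many further profiles an opt-in sharing graph exposes once those accounts are in an attacker's hands. The log format, thresholds, IP addresses, usernames and relative graph are all assumptions made for the illustration.

```python
"""Credential stuffing detection over constructed auth logs, plus the
relative-sharing amplification that turns a few compromised accounts into
many exposed profiles. Added example; log format, thresholds and all
sample data are assumptions, not 23andMe's systems or data."""
import re
from collections import defaultdict

# Constructed sample log lines (not real data). Assumed format:
# "<iso-time> ip=<addr> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2023-10-01T02:00:01Z ip=203.0.113.7 user=alice result=fail
2023-10-01T02:00:02Z ip=203.0.113.7 user=bob result=fail
2023-10-01T02:00:02Z ip=203.0.113.7 user=carol result=ok
2023-10-01T02:00:03Z ip=203.0.113.7 user=dave result=fail
2023-10-01T02:00:03Z ip=203.0.113.7 user=erin result=fail
2023-10-01T02:00:04Z ip=203.0.113.7 user=frank result=ok
2023-10-01T02:00:04Z ip=203.0.113.7 user=grace result=fail
2023-10-01T02:00:05Z ip=203.0.113.7 user=heidi result=fail
2023-10-01T02:00:05Z ip=203.0.113.7 user=ivan result=fail
2023-10-01T02:00:06Z ip=203.0.113.7 user=judy result=fail
2023-10-01T09:15:00Z ip=198.51.100.4 user=alice result=fail
2023-10-01T09:15:20Z ip=198.51.100.4 user=alice result=ok
2023-10-01T10:00:00Z ip=198.51.100.9 user=mallory result=ok
"""

# Constructed opt-in relative graph (hypothetical): each opted-in user maps to
# the set of users whose profile data they are allowed to view.
SAMPLE_RELATIVES = {
    "carol": {"peggy", "trent", "frank"},
    "frank": {"carol", "victor"},
    "peggy": {"carol"},
    "mallory": set(),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse log text into event dicts, skipping blank or malformed lines
    rather than letting one bad line crash the detector."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m:
            events.append(m.groupdict())
    return events


def detect_stuffing_sources(events, min_distinct_users=8, min_fail_ratio=0.6):
    """Return {ip: stats} for source addresses that look like credential
    stuffing: many *distinct* usernames tried from one address, mostly
    failing. A user fumbling a password hits one account; a bot replaying a
    leaked username/password list walks across many accounts."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0})
    for ev in events:
        stats = per_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats[ev["result"]] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        total = stats["fail"] + stats["ok"]
        ratio = stats["fail"] / total if total else 0.0
        if len(stats["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "fail_ratio": round(ratio, 2),
                "successes": stats["ok"],
            }
    return flagged


def compromised_accounts(events, flagged_ips):
    """Accounts with a successful login from a flagged source: the small
    fraction of stuffed credentials that actually worked."""
    return {ev["user"] for ev in events
            if ev["result"] == "ok" and ev["ip"] in flagged_ips}


def exposed_profiles(compromised, relatives):
    """Profiles readable through an opt-in relative-matching feature once the
    given accounts are compromised (excluding the compromised accounts
    themselves, which are directly accessed rather than exposed via sharing)."""
    seen = set()
    for user in compromised:
        seen |= relatives.get(user, set())
    return seen - set(compromised)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = detect_stuffing_sources(evs)
    hit = compromised_accounts(evs, sources)
    print("stuffing sources:", sources)
    print("accounts actually entered:", sorted(hit))
    print("further profiles exposed via sharing:",
          sorted(exposed_profiles(hit, SAMPLE_RELATIVES)))
```

The detector keys on distinct usernames per source rather than failures per account, because stuffing traffic spreads a handful of attempts over thousands of accounts and never trips a per-account lockout. In production the same logic should be windowed by time and aggregated by more than the raw IP (ASN, device fingerprint, proxy pool), since stuffing campaigns are deliberately spread across many addresses; the final function is the point of the post in code: two successful logins are the attacker's foothold, and the sharing feature multiplies that into every profile those accounts were allowed to view.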

UPDATE: Ted Miracco, CEO of Approov Mobile Security, adds this:

   “With data breaches, the compromise of DNA connections, family tree information, and genetic data exceeds the conventional threat posed by compromised credit cards and social security numbers. The depth of personal insight inherent in one’s familial relationships (& genetic blueprint!) amplifies the potential for profound and lasting damage. 

   “As it has been said, ‘great power comes with great responsibility’, and the alarming lack of transparency surrounding this breach heightens the implications for individuals and their privacy. The repercussions of this breach extend far beyond casting a shadow on the company’s reputation and raising questions among shareholders about the adequacy of security measures, as this problem will not be fixed with an apology and 12 months of credit monitoring services. We should expect the consequences of this breach will be far reaching, and hopefully lead to better accountability.”
