
Hackers Breach Security: Unleash Raw Genotype Data and Health Reports

Discover the potential consequences of the recent 23andMe data breach, where hackers stole raw genotype data and health reports. Learn how this information can be misused and steps to protect your privacy.


Have you ever wondered about your ancestry or genetic traits? Genetic testing providers like 23andMe offer this kind of service, but unfortunately, cybersecurity risks are always lurking. Recently, 23andMe confirmed that hackers managed to steal health reports and raw genotype data of customers in a credential stuffing attack that went unnoticed for five months, from April 29 to September 27.

The attackers gained access to customers’ accounts by using credentials stolen in other data breaches or on previously compromised online platforms. What’s even more concerning is that some of the stolen data was posted on the BreachForums hacking forum and the unofficial 23andMe subreddit. This leaked information includes data for 1 million Ashkenazi Jews and 4.1 million people living in the United Kingdom.
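Credential stuffing of the kind described above leaves a recognizable trace in login logs: one source tries many different accounts and most attempts fail. The following is an added example, not code from 23andMe or from the original article; the log format, thresholds, addresses and usernames are all constructed assumptions. It flags such sources and lists the accounts that logged in successfully from them, which are the candidates for a forced password reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, source IP, username, outcome).
# IPs are documentation-range addresses and the usernames are made up.
SAMPLE_EVENTS = [
    ("2023-05-01T10:00:05", "198.51.100.7", "alice", "fail"),
    ("2023-05-01T10:00:09", "198.51.100.7", "bob", "fail"),
    ("2023-05-01T10:00:14", "198.51.100.7", "carol", "fail"),
    ("2023-05-01T10:00:18", "198.51.100.7", "dana", "success"),
    ("2023-05-01T10:00:23", "198.51.100.7", "erin", "fail"),
    ("2023-05-01T10:00:27", "198.51.100.7", "frank", "fail"),
    # One person mistyping a password: a single account, so not stuffing.
    ("2023-05-01T10:01:00", "203.0.113.20", "grace", "fail"),
    ("2023-05-01T10:01:30", "203.0.113.20", "grace", "success"),
]
# Shared office NAT: many accounts from one IP, but every login succeeds.
SAMPLE_EVENTS += [("2023-05-01T10:02:%02d" % i, "203.0.113.50", "staff%d" % i, "success")
                  for i in range(6)]


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.8):
    """Return {ip: [accounts that logged in successfully]} for flagged IPs.

    An IP is flagged when any sliding window holds attempts against at least
    min_users distinct accounts and at least min_fail_ratio of them failed.
    Thresholds are illustrative assumptions, not values from any vendor.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "success"))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # drop attempts older than the window
            span = rows[start:end + 1]
            users = {user for _, user, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # Every success from this IP is a candidate for forced reset.
                findings[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return findings


if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_EVENTS))
```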

What information was accessed?

According to 23andMe, the threat actor downloaded or accessed customers’ uninterpreted raw genotype data and may have accessed other sensitive information in their accounts, such as certain health reports derived from the processing of genetic information, including health-predisposition reports, wellness reports, and carrier status reports. If an account contained such information, the threat actor may have also accessed self-reported health condition information and information in the account settings.

For customers who have used 23andMe’s DNA Relatives feature, it is possible that the attackers also scraped their DNA Relatives and Family Tree profile information. This could include ancestry reports, matching DNA segments, self-reported location, ancestor birth locations and family names, profile pictures, birth years, and any other details included in the “Introduce yourself” section of their profiles.

23andMe reported that the hackers downloaded the data of 6.9 million people, out of 14 million customers, after breaching around 14,000 user accounts. Of this figure, 5.5 million individuals had their data scraped through the DNA Relatives feature and 1.4 million via the Family Tree feature.

What has 23andMe done in response?

Shortly after detecting the attack, 23andMe started requiring all customers to reset their passwords. Since November 6, all new and existing customers must use two-factor authentication when logging into their accounts to block future credential-stuffing attempts. This incident has also led to multiple lawsuits being filed against 23andMe, prompting the company to update its Terms of Use with provisions that make it harder for customers to join class action lawsuits against the company.

What can you do to protect yourself?

While 23andMe has taken steps to address the issue, it’s crucial for you to remain vigilant about your own online security. Always use strong, unique passwords for each of your accounts, and consider using a password manager to help you manage them. Enable two-factor authentication whenever possible, and stay informed about potential data breaches so you can take action to protect your information.

As cybersecurity experts, we understand how important it is to protect your personal information from cyber threats. If you’re concerned about your online security or need help navigating the complex world of cybersecurity, don’t hesitate to reach out to us. We’re here to help you stay safe and informed in the digital age. And remember, always keep coming back to learn more about the latest developments in cybersecurity.
