Dec 4, 2023 - Technology

23andMe sees personal data on 6.9 million customers stolen by hackers

Signage outside of 23andMe headquarters in Sunnyvale, California, in 2021. Photo: David Paul Morris/Bloomberg via Getty Images

Hackers stole personal data belonging to 6.9 million people who used services from the genetic testing company 23andMe in October, a company spokesperson confirmed to Axios on Monday.

Why it matters: The personal data, including ancestry reports, some DNA data, birthdates, self-reported location and profile pictures, went up for sale on a popular hacking forum following the breach, according to TechCrunch, which first reported the number of users affected.

  • The compromised information, combined with personal information potentially stolen through separate attacks, can help other hackers commit forms of identity theft, like fraudulently opening credit cards or taking out loans.
  • As proof that they stole the personal data, hackers published an initial sample of 1 million data points about users with Ashkenazi Jewish heritage, including people's full names, birth years, location information and more.
  • They also reportedly published a separate sample with information about more than 300,000 users with Chinese heritage.

A 23andMe spokesperson said the company believes hackers were able to gain access to the data through a small number of customers reusing passwords that were compromised through separate breaches on other websites.

  • Initially, fewer than 14,000 23andMe accounts were compromised through a credential-stuffing attack, the spokesperson said.
  • However, because those accounts were linked to the user's DNA relatives, the hackers were able to access the personal data of a large portion of the company's customers.
  • The 6.9 million people represent almost half of the company's over 14 million customers worldwide.
  • In response to the breach, 23andMe required all users to reset their passwords and will now require customers to protect their accounts with two-factor authentication, a security measure requiring users to sign in using both a password and another device.

The company first disclosed the data leak in early October.

  • Last week, it said hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals and "a significant number of files containing profile information about other users' ancestry," according to TechCrunch.
  • It's unclear why 23andMe did not share the total number of affected users in last week's disclosure.

What they're saying: The spokesperson said the company began encouraging customers to protect their accounts with a multi-factor authentication system in 2019, but never required them to until recently.

  • "We do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks," the spokesperson said.

The big picture: Considering how personal data is linked between multiple accounts, it's unclear why the company did not require two-factor authentication protection before the breach.

  • The spokesperson did not say whether the company ever anticipated that a subset of users with poor cybersecurity practices could put millions of other users' personal data at risk.

Go deeper ... Study: U.S. military members' personal data being sold by online brokers

Go deeper