23andMe Confirms Hackers Stole Ancestry Data on 6.9 Million Users – AI-Tech Report
The data stolen in this breach includes personal information, such as names, birth years, relationship labels, and the percentage of DNA shared with relatives. Additionally, ancestry reports and self-reported locations were compromised. For those who had opted in to the DNA Relatives feature, this breach also involved access to family tree profile information, including display names, birth years, and self-reported locations.
Additional Groups Impacted
There are two additional groups of users who were impacted by this data breach. The first group consists of individuals who opted in to the DNA Relatives feature, which allows for the automatic sharing of data with others. The second group includes those whose family tree profiles were accessed, regardless of whether they had opted in or not. The breach had a far-reaching effect on these groups, significantly expanding the number of affected individuals beyond the originally reported 14,000.
Disclosure of Numbers
Upon initially disclosing the data breach in early October, 23andMe failed to provide the full extent of the impact. While they did admit that the breach affected a significant number of users, they did not provide precise figures. This lack of transparency generated backlash and raised concerns among those who were potentially affected. It is important for companies to promptly disclose the scope of such incidents to properly inform and protect their users.
Scope of the Data Breach
With approximately 6.9 million users affected, this breach has had a significant impact on a large proportion of 23andMe’s customer base. Furthermore, this breach aligns with previous claims made by a hacker on a well-known hacking forum, who had advertised stolen DNA information of 23andMe users. This suggests that multiple breaches may have occurred, further compounding the potential damage caused by unauthorized access to sensitive genetic and personal data.
Hacker’s Claims
The hacker responsible for this breach made several claims regarding their activity. They disclosed that they had stolen the DNA information of 23andMe users, specifically targeting individuals of Jewish Ashkenazi descent and Chinese users. The hacker offered to sell this data on the hacking forum, with prices ranging from $1 to $10 per individual account. Subsequent claims from additional hackers and the discovery of leaked data supported the authenticity of the breach.
Evidence of Authenticity
In an effort to verify the authenticity of the leaked data, TechCrunch analyzed the information and discovered similarities between the leaked genetic data and data published online by hobbyists and genealogists. While the formats differed, some unique user and genetic data overlapped, suggesting that at least a portion of the leaked data was authentic 23andMe customer information. This evidence supports the fact that unauthorized access to sensitive data occurred during the breach.
Cause of Data Breach
According to 23andMe, the data breach was caused by customers reusing passwords on multiple platforms. This practice allowed the hackers to exploit publicly known passwords released in previous data breaches from other companies, a technique commonly called credential stuffing. By gaining access to one individual’s account through brute force methods, the hackers were able to access not only the victim’s personal data but also the data of their relatives. This method expanded the total number of individuals affected by the breach.
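On the defensive side, password-reuse logins of the kind described above tend to show up in authentication logs as one source trying many different accounts with mostly failed results. The following is an added example, not code from 23andMe or the original article; the log format, thresholds and all sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, account, result
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 u1@example.com FAIL
2024-01-01T10:00:03 203.0.113.7 u2@example.com FAIL
2024-01-01T10:00:05 203.0.113.7 u3@example.com OK
2024-01-01T10:00:07 203.0.113.7 u4@example.com FAIL
2024-01-01T10:00:09 203.0.113.7 u5@example.com FAIL
2024-01-01T10:01:00 198.51.100.20 alice@example.com FAIL
2024-01-01T10:01:20 198.51.100.20 alice@example.com FAIL
2024-01-01T10:01:40 198.51.100.20 alice@example.com OK
2024-01-01T10:02:00 198.51.100.30 bob@example.com OK
"""

def parse(log):
    """Yield (time, ip, account, succeeded) for each log line."""
    for line in log.strip().splitlines():
        ts, ip, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account, result == "OK"

def detect_stuffing(log, window=timedelta(minutes=5),
                    min_accounts=4, min_fail_ratio=0.6):
    """Return {ip: [accounts it logged into]} for sources that look like stuffing.

    A source is flagged when, inside one sliding window, it tries at least
    min_accounts distinct accounts and at least min_fail_ratio of tries fail.
    A user mistyping their own password touches only one account and is ignored.
    """
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            win = events[start:end + 1]
            accounts = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                # Every account this source got into needs a forced reset.
                findings[ip] = sorted({e[2] for e in events if e[3]})
                break
    return findings
```

Grouping by source IP alone misses campaigns spread across many addresses, so in practice the same windowed count is also run per network range or client fingerprint.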
Impact on Relatives
The DNA Relatives feature offered by 23andMe played a significant role in magnifying the impact of this data breach. By hacking into one individual’s account, the hackers were able to access personal data not only for the account holder but also their relatives. This exposed a much larger pool of individuals to potential privacy risks and compromised their sensitive genetic and personal information.
In conclusion, the data breach experienced by 23andMe has had significant implications for its user base, impacting approximately 6.9 million individuals. The theft of personal and genetic information, along with the exposure of family tree profiles, raises concerns about privacy and the security of sensitive data. Companies must prioritize transparency and take necessary precautions to safeguard user information to prevent such breaches in the future.