23andMe Admits To Major Security Breach Of User Data

23andMe, a global genetics testing firm with millions of clients, admitted to the SEC in a filing that it suffered a massive data breach that exposed its customers to bad actors.

Most of those whose data was revealed utilized the DNA Relatives feature of the service.

The genetics testing and analysis company told the agency that a portion of its user base was affected. Hackers were able to access the accounts of some 14,000 of the company’s 14 million clients, approximately 0.1% of its users.

Though that number appears rather minuscule, hackers were successful in accessing the DNA Relatives (DNAR) data of roughly 5.5 million customers. They additionally were able to obtain Family Tree information on 1.4 million users.

This trove of data included display names, locations, family names, DNA percentages, ancestry reports and predicted relationships. There was also information on birth years and locations.

When initial news of the breach broke in October, 23andMe said that it “found that no genetic testing results had been leaked.”

The SEC filing told a different story. The company revealed that the hacked data “generally included ancestry information, and, for a subset of those accounts, health-related information based on the user’s genetics.”

Investigators described the method of entry as credential stuffing. This involves using login information taken from other compromised accounts to attempt to gain entry to 23andMe accounts and the data they hold.

The breach prompted at least one state attorney general to demand answers from the popular site. The query from Connecticut AG William Tong (D) came after the news that hackers apparently targeted persons with Ashkenazi Jewish and Chinese heritage.

He reported the hack led to the sale of at least one million data profiles of people with Ashkenazi Jewish heritage on the dark web.

It is also believed that the profiles of hundreds of thousands of people with Chinese ancestry were compromised. In a letter to 23andMe, Tong cited recent hate incidents as a cause for concern.

The AG said “the increased frequency of antisemitic and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted information to be released to the public.”