Genetic testing giant 23andMe has confirmed a data scraping incident in which attackers obtained sensitive user information and offered it for sale on the dark web. The leak exposed data on nearly 7 million 23andMe users, including ancestry estimates, phenotype details, health information, photos, identification data and more. 23andMe primarily processes saliva samples submitted by customers to determine their ancestry.
Initially, the company dismissed the data being sold as a “misleading claim.” It later acknowledged that certain user profile information had been obtained through unauthorized access to individual accounts that had opted into the DNA Relatives feature, which lets users see potential relatives who have also opted in.
The company stated that it has found no evidence of a breach of its own systems. Its preliminary findings instead point to credential stuffing: the threat actor appears to have collected usernames and passwords leaked from other online services and replayed them against 23andMe accounts whose owners had reused the same credentials.
A 23andMe spokesperson said the threat actor likely accessed a limited number of accounts this way and then scraped the data of those accounts’ DNA Relatives matches. The company did not disclose how many accounts were affected.
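The two behaviours described above leave distinct traces in ordinary authentication and API logs: credential stuffing shows up as one source trying many different accounts and mostly failing, and the follow-on scrape shows up as one account walking its DNA Relatives list far faster than a person would. The following is an added example, not 23andMe’s code or logs; the log format, addresses, account names, thresholds and the sample traffic are all constructed for illustration:

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format (not 23andMe's):
#   <ISO-8601 UTC timestamp> <src_ip> <event> user=<account> [status=ok|fail] [target=<profile_id>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>login|relative_view) user=(?P<user>\S+)"
    r"(?: status=(?P<status>ok|fail))?(?: target=(?P<target>\S+))?$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def build_sample_log():
    """Constructed sample traffic for the demo; every address and account name is made up."""
    lines = []
    # Credential stuffing: one source tries eight different accounts with leaked
    # passwords; only the one account whose owner reused a password lets it in.
    for i, user in enumerate(["alice", "bob", "carol", "dan", "erin", "frank", "grace", "heidi"]):
        status = "ok" if user == "bob" else "fail"
        lines.append(f"2023-10-01T02:00:{i:02d}Z 198.51.100.7 login user={user} status={status}")
    # Scraping: the hijacked account then walks its DNA Relatives list, one profile a second.
    for i in range(60):
        lines.append(f"2023-10-01T02:01:{i:02d}Z 198.51.100.7 relative_view user=bob target=p{i:04d}")
    # Benign baseline: one user mistypes a password once, then views a few matches.
    lines.append("2023-10-01T09:00:00Z 203.0.113.5 login user=carol status=fail")
    lines.append("2023-10-01T09:00:07Z 203.0.113.5 login user=carol status=ok")
    for i in range(3):
        lines.append(f"2023-10-01T09:{i + 1:02d}:00Z 203.0.113.5 relative_view user=carol target=p9{i:03d}")
    return lines


def detect_credential_stuffing(lines, min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that attempt many distinct accounts and mostly fail.

    A single user retrying their own password never trips this, because the
    distinct-account count stays at one however often they fail.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "fail": 0, "total": 0})
    for rec in map(parse_line, lines):
        if rec is None or rec["event"] != "login":
            continue
        stats = per_ip[rec["ip"]]
        stats["accounts"].add(rec["user"])
        stats["total"] += 1
        if rec["status"] == "fail":
            stats["fail"] += 1
    return {
        ip: {"accounts": len(s["accounts"]), "fail_ratio": s["fail"] / s["total"]}
        for ip, s in per_ip.items()
        if len(s["accounts"]) >= min_accounts and s["fail"] / s["total"] >= min_fail_ratio
    }


def detect_relative_scraping(lines, window_seconds=3600, max_targets=25):
    """Flag accounts that view more distinct relative profiles in one window than a person would.

    A sliding window over each account's views catches a slow, steady crawl that
    never bursts, not only a rapid one. Returns {account: peak distinct targets in a window}.
    """
    views = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec is not None and rec["event"] == "relative_view":
            views[rec["user"]].append((rec["ts"], rec["target"]))
    flagged = {}
    for user, events in views.items():
        events.sort()
        in_window = defaultdict(int)  # target -> number of its views still inside the window
        lo = 0
        for ts, target in events:
            in_window[target] += 1
            while (ts - events[lo][0]).total_seconds() > window_seconds:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= max_targets:
                flagged[user] = max(flagged.get(user, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("credential stuffing:", detect_credential_stuffing(log))
    print("relative scraping:", detect_relative_scraping(log))
```

The stuffing rule keys on distinct accounts per source rather than on failure count, so a legitimate user who fumbles a password is not flagged; attackers who spread attempts across many proxies defeat a per-IP rule, which is why the second, per-account rule matters: a stolen password still has to be used from one account, and that account’s access pattern is what betrays the scrape.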
Users who opt into DNA Relatives can view basic profile information of other participants who have made their profiles visible to DNA Relatives participants; genetically related users can additionally see each other’s ancestry information, as explained when the DNA Relatives profile is created.
As the investigation progresses, 23andMe plans to determine the best approach for notifying impacted customers.
‘A botch job’
This incident shows how exposed a company’s customer data can be even when intruders never penetrate its network: here, reused passwords and the sharing model of a legitimate feature were enough.
A researcher who examined the leaked database found that much of the data appeared to be authentic. He spoke on condition of anonymity. He found his wife’s and several family members’ information in the dataset and also verified the accuracy of entries for other acquaintances.
The researcher downloaded two files from the BreachForums post. One file contained data on 1 million 23andMe users of Ashkenazi heritage, while the other included information on over 300,000 users of Chinese heritage. The data included profile and account ID numbers, names, gender, birth years, maternal and paternal genetic markers, ancestral heritage results, and whether each user had opted into 23andMe’s health data.
The information appears to have been scraped from user profiles intended to be shared only with DNA Relatives matches. While the leak did not include genomic sequencing data, it still contained information that should never have been publicly accessible.
The researcher expressed concerns that 23andMe downplayed the significance of this data breach, suggesting that users could avoid sharing such information by not opting into the DNA Relatives feature. However, he emphasized the importance of protecting this data, which should only be viewable to DNA relatives and not the general public. He also mentioned that the hacker might possess more unreleased data.
Additionally, the researcher found an insecure direct object reference: anyone who entered a 23andMe profile ID into the URL could view that profile, including the profile photo, name, birth year and location, though not test results.
The researcher criticized 23andMe for having such a significant loophole in its website design and security, especially considering the sensitive nature of genetic data and personal information. He attempted to contact 23andMe, but the company’s responses did not acknowledge the severity of the issue.
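The loophole described above is the classic shape of a broken access control: the handler looks the record up by the identifier in the URL and never asks who is requesting it or what relationship they have to the profile. The following is an added example, not 23andMe’s code, showing that vulnerable lookup beside a hardened one that enforces the visibility tiers the article describes (owner sees everything; opted-in participants see basic information of visible profiles; only genetic relatives see ancestry). The profile records, account names, sequential IDs and the relative-pair set are constructed for illustration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    profile_id: str
    owner_account: str
    name: str
    birth_year: int
    location: str
    photo_url: str
    ancestry: dict                # ancestry composition results, the most sensitive field here
    dna_relatives_visible: bool   # user opted in and made the profile visible to participants


# Constructed records; IDs are sequential on purpose to show why lookup-by-ID alone is not enough.
PROFILES = {
    "1001": Profile("1001", "acct-a", "A. Example", 1975, "Berlin", "/img/1001.jpg",
                    {"Ashkenazi Jewish": 0.98}, True),
    "1002": Profile("1002", "acct-b", "B. Example", 1990, "Toronto", "/img/1002.jpg",
                    {"Ashkenazi Jewish": 0.61, "Irish": 0.39}, True),
    "1003": Profile("1003", "acct-c", "C. Example", 1982, "Shanghai", "/img/1003.jpg",
                    {"Chinese": 0.97}, False),
    "1004": Profile("1004", "acct-d", "D. Example", 1968, "Lyon", "/img/1004.jpg",
                    {"French": 0.90, "Italian": 0.10}, True),
}

# Pairs an (assumed) matching pipeline has identified as genetic relatives.
RELATIVE_PAIRS = {frozenset({"1001", "1002"})}


class Forbidden(Exception):
    """Raised for any request the caller may not see. Deliberately the same for
    'no such profile' and 'not allowed' so the endpoint is not an ID oracle."""


def _basic_view(p):
    return {"profile_id": p.profile_id, "name": p.name, "birth_year": p.birth_year,
            "location": p.location, "photo_url": p.photo_url}


def get_profile_vulnerable(profile_id):
    """The loophole: the only input is the ID from the URL, so anyone who can
    guess or enumerate a valid ID, logged in or not, gets the record."""
    p = PROFILES[profile_id]
    return {**_basic_view(p), "ancestry": p.ancestry}


def get_profile_hardened(requester_account, profile_id):
    """Authorize on the relationship between requester and target, then return
    only the fields that relationship entitles the requester to."""
    target = PROFILES.get(profile_id)
    if target is None or requester_account is None:
        raise Forbidden(profile_id)
    if target.owner_account == requester_account:
        # Owners see everything, including their own ancestry results.
        return {**_basic_view(target), "ancestry": target.ancestry}
    requester_profiles = [p for p in PROFILES.values() if p.owner_account == requester_account]
    if not requester_profiles:
        raise Forbidden(profile_id)
    requester = requester_profiles[0]
    # Both sides must have opted in before any cross-user visibility exists.
    if not (requester.dna_relatives_visible and target.dna_relatives_visible):
        raise Forbidden(profile_id)
    view = _basic_view(target)
    # Ancestry is shown only between users the pipeline has matched as relatives.
    if frozenset({requester.profile_id, target.profile_id}) in RELATIVE_PAIRS:
        view["ancestry"] = target.ancestry
    return view


def safe_get(requester_account, profile_id):
    """Convenience wrapper for callers that prefer None over an exception."""
    try:
        return get_profile_hardened(requester_account, profile_id)
    except Forbidden:
        return None


if __name__ == "__main__":
    print("vulnerable, anonymous:", get_profile_vulnerable("1003"))   # opted-out profile leaks
    print("hardened, anonymous:", safe_get(None, "1003"))             # None
    print("hardened, relative:", safe_get("acct-b", "1001"))          # basic + ancestry
    print("hardened, unrelated participant:", safe_get("acct-d", "1001"))  # basic only
```

Note what this check does and does not fix. It closes the unauthenticated, enumerate-any-ID hole the researcher reported. It does nothing against the scrape described earlier, because a hijacked account really is an opted-in participant and really is a match of the profiles it pulled; that path needs rate limiting and anomaly detection on the account, plus MFA and breached-password checks at login, not a stricter authorization rule.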
In recent weeks, genetic testing companies, including 23andMe, have faced regulatory scrutiny regarding their security policies. Genetic testing firm 1Health.io recently agreed to pay a $75,000 fine to the Federal Trade Commission (FTC) over allegations of failing to secure sensitive genetic and health data, retroactively changing its privacy policy without customer consent, and misleading customers about data deletion options.