The genetic testing company 23andMe experienced a security breach in October that resulted in the personal data of millions of users being accessed by hackers, the company confirmed on Monday. The company launched an investigation after a “threat actor” claimed online to have obtained the profile information of 23andMe users. At the time, it was believed that the hackers targeted accounts of users who had reused usernames and passwords from other compromised sites.
Following the investigation, 23andMe acknowledged in a filing with the Securities and Exchange Commission that the hacker accessed 0.1% of the company’s user accounts. Although the attacker gained access to only approximately 14,000 accounts, they exploited a feature that allowed them to view information about possible relatives, thereby accessing the data of millions of users.
As a result of the breach, approximately 5.5 million customers had their “DNA Relatives” profiles accessed without authorization. Those profiles included information such as display names, predicted relationships with others, and DNA percentages shared with matches. An additional 1.4 million customers participating in the Relatives feature had their “Family Tree” profile information accessed, which is described as a limited subset of the Relatives profile data.
Despite the security breach in October, 23andMe did not disclose the specific number of customers affected until the recent filing with the SEC. The company is currently in the process of notifying the affected customers and has implemented measures to strengthen security. Existing customers are required to reset their passwords and enable two-step verification, while the company assures that the “threat actor activity is contained.”
The significance of this security breach cannot be overstated, considering the sensitive nature of genetic and ancestral information. 23andMe’s platform analyzes users’ DNA from saliva samples to provide reports on their ancestry and genetic health risks. Therefore, the unauthorized access to this data constitutes a serious violation of user privacy and underscores the importance of robust cybersecurity measures to protect personal information.
As 23andMe addresses the aftermath of this breach, the company is also taking steps to rebuild customer trust and prevent future security incidents. The breach serves as a sobering reminder of the ongoing and evolving threat posed by cybercriminals to companies that hold vast amounts of personal data. It underscores the urgency for organizations to prioritize cybersecurity and adopt proactive measures to safeguard user information.
In conclusion, the security breach suffered by 23andMe in October highlights the vulnerability of personal data in the digital age and the imperative of stringent security protocols to protect against malicious cyber activities. As technology continues to advance, so too must our efforts to defend against potential threats and ensure the privacy and security of individuals’ sensitive information.