An SEC filing has revealed additional details on a data breach affecting 23andMe users that was disclosed earlier this fall. The company says its investigation found hackers were able to access the accounts of roughly 0.1 percent of its userbase, or about 14,000 of its 14 million total customers, TechCrunch notes. On top of that, the attackers were able to exploit 23andMe’s opt-in DNA Relatives (DNAR) feature, which matches users with their genetic relatives, to access information about tens of millions of other users. A 23andMe spokesperson told Engadget that hackers accessed the DNAR profiles of roughly 5.5 million customers this way, plus Family Tree profile information from 1.4 million DNA Relative members.
DNAR profiles contain sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships and ancestry reports. Family Tree profiles contain display names and relationship labels, plus other information that a user may choose to add, including birth year and location. When the breach was first revealed in October, the company said its investigation “found that no genetic testing results have been leaked.”
According to the new filing, the data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.” All of this was obtained through a credential-stuffing attack, in which hackers used login information from other, previously compromised websites to access those users’ accounts on other sites. In doing this, the filing says, “the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online.”
Following the discovery of the breach, 23andMe instructed affected users to change their passwords and later rolled out two-factor authentication for all of its customers. In another update on Friday, 23andMe said it had completed the investigation and is notifying everyone who was affected. The company also wrote in the filing that it “believes that the threat actor activity is contained,” and is working to have the publicly-posted information taken down.
Update, December 2 2023, 7:03PM ET: This story has been updated to include information provided by a 23andMe spokesperson on the scope of the breach and the number of DNA Relative members affected.
This article originally appeared on Engadget at https://www.engadget.com/23andme-hackers-accessed-ancestry-information-from-thousands-of-customers-and-their-dna-relatives-205758731.html?src=rss