According to a statement by the company, the breach affected 5.5 million 23andMe users who enabled the DNA Relatives feature, which matches members with people whose genetic makeups are similar to their own. Meanwhile, the family trees of a further 1.4 million individuals were accessed.
The cyber attack was carried out using a method known as credential stuffing. This entails logging into a website using account information that was obtained via previous security breaches. For example, when a website is breached and user passwords are compromised, cyber criminals can use automated login attempts to try the same username (or e-mail address) and password combinations on other websites. This is why internet users are advised not to reuse the same password across multiple services.
In this case, credential stuffing was used to access the 14,000 users who were initially reported as part of the breach. Once those accounts were accessed, the cyber criminals used the DNA Relatives feature to access information from millions of additional users who shared ancestry with those who were initially compromised.
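The two stages described above, bulk account takeover followed by one compromised account pulling far more relative data than a normal user would, are both visible to a defender in ordinary authentication and feature-access logs. The following is an added example written for this page, not code from 23andMe or from the article; the log format, field names and thresholds are assumptions, and the log lines are constructed. It flags a source that attempts many distinct accounts with a low success rate (the credential-stuffing signature) and then checks whether any account taken over from such a source went on to view an anomalous number of relative profiles.

```python
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not a real 23andMe log).
# One source tries six different accounts and succeeds once; that account then
# pulls 1500 relative profiles. A second source is a user mistyping once.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z event=login src=203.0.113.5 user=a@example.com result=fail
2023-10-01T12:00:02Z event=login src=203.0.113.5 user=b@example.com result=fail
2023-10-01T12:00:03Z event=login src=203.0.113.5 user=c@example.com result=success
2023-10-01T12:00:04Z event=login src=203.0.113.5 user=d@example.com result=fail
2023-10-01T12:00:05Z event=login src=203.0.113.5 user=e@example.com result=fail
2023-10-01T12:00:06Z event=login src=203.0.113.5 user=f@example.com result=fail
2023-10-01T12:00:07Z event=login src=198.51.100.9 user=g@example.com result=fail
2023-10-01T12:00:08Z event=login src=198.51.100.9 user=g@example.com result=success
2023-10-01T12:01:00Z event=relatives_view src=203.0.113.5 user=c@example.com count=1500
2023-10-01T12:01:05Z event=relatives_view src=198.51.100.9 user=g@example.com count=40
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def stuffing_sources(records, min_distinct_users=5, max_success_rate=0.3):
    """Return {src: [accounts successfully logged in]} for sources whose login
    pattern looks like credential stuffing: many distinct accounts attempted,
    and only a small fraction of attempts succeeding (reused passwords hit)."""
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0,
                                   "successes": 0, "compromised": set()})
    for r in records:
        if r.get("event") != "login":
            continue
        s = per_src[r["src"]]
        s["users"].add(r["user"])
        s["attempts"] += 1
        if r["result"] == "success":
            s["successes"] += 1
            s["compromised"].add(r["user"])
    flagged = {}
    for src, s in per_src.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[src] = sorted(s["compromised"])
    return flagged


def excessive_relative_views(records, max_count=500):
    """Return {account: profiles viewed} for accounts that pulled more relative
    profiles than the (assumed) per-account threshold allows."""
    totals = defaultdict(int)
    for r in records:
        if r.get("event") == "relatives_view":
            totals[r["user"]] += int(r.get("count", "0"))
    return {user: n for user, n in totals.items() if n > max_count}


def triage(log_text):
    """Accounts that were taken over from a stuffing source AND then used to
    harvest relative data; these are the ones whose sessions should be revoked
    and whose matched relatives should be considered exposed."""
    records = parse_log(log_text)
    taken_over = {u for users in stuffing_sources(records).values() for u in users}
    harvesting = excessive_relative_views(records)
    return sorted(u for u in taken_over if u in harvesting)


if __name__ == "__main__":
    print("stuffing sources:", stuffing_sources(parse_log(SAMPLE_LOG)))
    print("excessive relative views:", excessive_relative_views(parse_log(SAMPLE_LOG)))
    print("accounts to triage:", triage(SAMPLE_LOG))
```

The thresholds (five distinct accounts, a 30% success ceiling, 500 profile views) are illustrative and would be tuned against real traffic; the point is that the first detector catches the takeover stage even when each individual login looks valid, and the second catches the lateral data harvesting that turned 14,000 compromised accounts into exposure for millions.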
The company said in a statement: "We do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks."
The site's security issues go back to at least October, when the company confirmed that information belonging to its users was being sold on the dark web. Shortly thereafter, it announced it was investigating claims made by a hacker who said they had leaked 4 million genetic profiles belonging to some of the wealthiest individuals in the U.S. and Western Europe.
One hacker published what they claimed was the data of a million users who have Jewish Ashkenazi descent and 100,000 users with Chinese heritage to prove they had hacked the accounts.
Some of the data that was exposed in the latest attack included display names, the amount of DNA that users share with the individuals matched to them by the system, ancestry reports, people's predicted relationships with other people, ancestor birth locations, profile pictures, family names and self-reported locations.
The company has said that it is currently in the process of notifying all of the users who are affected by the attack. They have also issued warnings to their users to create new passwords. In addition, they have implemented two-step authentication for all users; this extra security measure was optional on the site in the past.
Many people are surprised that the company wasn’t already using two-factor authentication and other account protections, and 23andMe has not yet answered questions about whether they anticipated the possibility that a subset of users who do not adhere to cybersecurity best practices could place the personal data of millions of other users at risk.
However, it is also important for people who put this information out there to understand the very real potential for their private data to be breached. These days, the best approach is to assume that any information that is shared with companies online could potentially be stolen and shared with the world. When it comes to DNA tests in particular, however, users should consider just how valuable this type of data is to cyber criminals and proceed accordingly.