In some cases, the information hackers were able to steal included family trees, birth years and geographic locations, 23andMe reported.
After weeks of speculation, 23andMe publicly acknowledged that more than half of its customers had been affected by the security breach. The DNA testing firm declared that the stolen data did not include DNA records.
23andMe is one of the biggest names in the growing ancestor-tracing industry. It offers customers genetic testing with ancestry breakdown and personalized health insights.
The South San Francisco-based biotechnology company was not hacked itself. Instead, cyber-criminals were able to log in to about 14,000 individual accounts, belonging to 0.1 percent of 23andMe customers, by using email and password details previously exposed by other cyber attacks.
The hackers used a technique called credential stuffing: they tried old usernames and passwords exposed by other websites against 23andMe customer accounts, which works wherever a customer has reused the same credentials. A 23andMe spokesperson did not respond to questions about who was behind the cyber attack.
"23andMe has completed its investigation, assisted by third-party forensics experts. We are in the process of notifying affected customers, as required by law," read a statement posted on the company’s website.
23andMe also said that it has taken precautionary measures to protect customer data, including "requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers."
23andMe previously acknowledged that after accessing the user accounts, the hackers were able to find their way into "a significant number of files containing profile information about other users' ancestry."
The hackers downloaded data from those accounts, including the private information of all other users they had links to across the family trees on the website.
The stolen 23andMe data includes customer names, how each person is linked, and, in some cases, birth years, locations, pictures, addresses and the percentage of DNA customers shared with their relatives.
Additionally, the hackers were able to access the family tree profile information of about 1.4 million other customers who participated in the DNA relatives feature, including display names and relationship labels.
Following the cyber attack, one batch of data was advertised on a hacking forum as a list of people with Jewish ancestry. This raised concerns about targeted attacks against Jews.
However, there is currently no evidence that any of the datasets have been bought or used by criminals.
Oz Alashe, CEO of risk management platform CybSafe, said that the data breach at 23andMe highlights the importance of "improving cyber-security behaviors in the general population."
Alashe added that poorly secured accounts "with weak passwords and no two-factor authentication, put all those sharing their sensitive data at risk."
For now, 23andMe said it will contact all affected customers and require others to update their passwords and improve their account security.
However, the breach came as no surprise to Ramesh Srinivasan, a professor at the University of California, Los Angeles (UCLA) Department of Information Studies, because such incidents are becoming increasingly common.
Srinivasan also warned that it is "always possible for information to be stolen when it is provided to a third party."
"Should we be providing data that is so personal and so intimate to an organization that, largely speaking, only has a strong allegiance to their investors and their boards?"