In October we reported that the data of as many as seven million 23andMe customers were for sale on criminal forums following a password attack against the genomics company.
Now, a filing with the US Securities and Exchange Commission (SEC) has provided some more insight into the data theft. The filed amendment supplements the original Form 8-K submitted by 23andMe.
The amendment says that an investigation showed the attacker was able to directly access the accounts of roughly 0.1% of 23andMe's users, about 14,000 of its 14 million customers. The attacker got into the accounts using credential stuffing, in which someone takes existing username and password combinations, usually stolen in a breach of some other service and then put up for sale on the dark web, and tries them against a login page to see which ones still work. Because people often reuse passwords across accounts, cybercriminals buy those combinations and use them to log in to other services and platforms.
With the breached accounts at their disposal, the attacker used 23andMe’s opt-in DNA Relatives (DNAR) feature—which matches users with their genetic relatives—to access information about millions of other users. According to a spokesperson the DNAR profiles of roughly 5.5 million customers could be accessed in this way, plus the Family Tree profile information of 1.4 million additional DNA Relative participants.
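The two stages the filing describes leave different traces: credential stuffing shows up at the login endpoint as one source trying many distinct usernames with a high failure rate, and the follow-on abuse shows up as a handful of accounts pulling far more DNA Relatives profiles than a person browsing their own matches would. The following is an added example, not 23andMe's code or data. It runs over constructed sample events (the IP addresses, usernames and profile IDs are made up) and the thresholds are assumptions chosen for that sample, not figures from the incident.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, outcome).
# Two legitimate users retry their own accounts from their own addresses; one
# source walks a list of leaked username/password pairs, trying each account once.
AUTH_EVENTS = (
    [("203.0.113.10", "alice", "fail"), ("203.0.113.10", "alice", "ok"),
     ("198.51.100.7", "bob", "ok")]
    + [("192.0.2.55", f"user{i:03d}", "fail") for i in range(40)]
    + [("192.0.2.55", "carol", "ok"), ("192.0.2.55", "dave", "ok")]
)

# Constructed sample relatives-feature views: (username, relative_profile_id).
# Legitimate users look at a few matches; the two accounts that fell to the
# stuffing run are used to enumerate everyone they are matched with.
RELATIVE_VIEWS = (
    [("alice", f"rel{i}") for i in range(6)]
    + [("bob", f"rel{i}") for i in range(3)]
    + [("carol", f"rel{i}") for i in range(1200)]
    + [("dave", f"rel{i}") for i in range(900)]
)


def stuffing_sources(events, min_distinct_users=20, min_failure_ratio=0.8):
    """Flag source IPs whose login attempts look like credential stuffing.

    The signature is many *distinct* usernames from one source with mostly
    failures; a single user mistyping their own password never trips it.
    Returns {ip: summary}, where summary lists the accounts that did succeed,
    i.e. the ones to treat as compromised. Thresholds are sample assumptions.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(),
                                  "failures": 0, "ok_users": set()})
    for ip, user, outcome in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome == "ok":
            s["ok_users"].add(user)
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "failure_ratio": round(ratio, 2),
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


def scraping_accounts(views, max_distinct_profiles=200):
    """Flag accounts whose fan-out through the relatives feature is abnormal.

    Counts distinct relative profiles viewed per account and returns
    {user: count} for those above the baseline. The baseline is an assumption
    for the constructed sample; a real deployment would derive it from the
    population's normal browsing, since one opt-in match list can be large.
    """
    seen = defaultdict(set)
    for user, profile in views:
        seen[user].add(profile)
    return {u: len(p) for u, p in seen.items() if len(p) > max_distinct_profiles}


def correlate(auth_events, views):
    """Accounts that logged in from a stuffing source and then enumerated relatives.

    This is the chain the amendment describes: a small number of directly
    compromised accounts used as a vantage point onto many other users' data.
    """
    compromised = set()
    for info in stuffing_sources(auth_events).values():
        compromised.update(info["compromised"])
    scrapers = scraping_accounts(views)
    return sorted(u for u in scrapers if u in compromised)


if __name__ == "__main__":
    for ip, info in stuffing_sources(AUTH_EVENTS).items():
        print(f"stuffing source {ip}: {info}")
    print("high fan-out accounts:", scraping_accounts(RELATIVE_VIEWS))
    print("compromised and scraping:", correlate(AUTH_EVENTS, RELATIVE_VIEWS))
```

Two caveats a defender would add. The per-IP counter is the textbook signal, but stuffing is routinely spread across proxy pools so that no single address crosses the threshold; production detections also watch the global failure rate and the number of distinct usernames attempted across all sources, and check submitted passwords against known-breached lists. And the second stage is the more important one here: the accounts flagged by `scraping_accounts` are the ones whose sessions should be terminated and whose relative-view volume should be rate-limited, because that fan-out is what turned 14,000 account takeovers into millions of exposed profiles.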
The 5.5 million DNAR Profiles contained sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships, and ancestry reports.
For a subset of these accounts, the stolen data might contain health-related information based upon the user’s genetics.
The 1.4 million Family Tree profiles contain display names and relationship labels, plus other information that a user may have added, including birth year and location.
23andMe is in the process of notifying users impacted by the incident. The company said it believes that the attacker activity is contained, and that it is working to have the publicly-posted information taken down.
When the breach was first announced, 23andMe urged its users to ensure they have strong passwords, to avoid reusing passwords from other sites, and to enable multi-factor authentication (MFA).
Our Mark Stockley noted at the time:
> “Respectfully, we would like to see 23andMe reach a different conclusion. Telling users to choose strong passwords and not to reuse them is great advice that just isn’t working. It’s good in theory but fails in practice. In a world where users have tens or even hundreds of logins to manage, password reuse and weak passwords that are easy to remember are inevitable.”
And it looks as if they listened to us. On the 23andMe blog the updated article about the breach now says:
> “We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers. The company will continue to invest in protecting our systems and data.”
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.