23andMe Hacked: 23andMe confirms over 7 million users’ DNA data stolen in a massive data breach
DNA data of over 7 million 23andMe users have been stolen in a massive data breach. According to multiple reports, the breach mainly focused on users with Ashkenazi Jewish ancestry and compromised data including names, profile photos, genetic ancestry results, date of birth, and geographical location.
23andMe confirmed the incident last week but said that there wasn’t a data breach. Instead, the popular family genetics website said that the hackers guessed the logins for users and then used an opt-in feature called DNA Relatives to access more data. 23andMe also added that it has reported the incident to law enforcement and is asking all customers to change their passwords and use two-factor authentication.
However, Reuters reported that hackers advertised millions of “pieces of data” stolen from 23andMe, citing posts made to an online forum where digital thieves often advertise leaked data. The hackers are attempting to sell the data, with prices ranging from $1 to $10 per account, depending on the quantity.
NBC News also reported on “a database that has been shared on dark web forums.” The news outlet said that a list it viewed contains “999,999 people who allegedly have used the service.”
“It includes their first and last name, sex, and 23andMe’s evaluation of where their ancestors came from. The database is titled ‘Ashkenazi DNA Data of Celebrities,’ though most of the people on it aren’t famous, and it appears to have been sorted to only include people with Ashkenazi heritage,” NBC News reported.
But 23andMe further maintained that its systems remained uncompromised. The company noted that hackers might have gathered passwords from other sources, highlighting the risks of using the same password across multiple platforms, a habit that attackers exploit through a technique known as credential stuffing.
In a statement on Friday, 23andMe said that an unspecified amount of “customer profile information” had been compiled “through access to individual 23andMe.com accounts,” adding that the company itself had not been breached. “We do not have any indication at this time that there has been a data security incident within our systems,” the statement added.
23andMe is a human genome research company enabling users to study their ancestry, genealogy, and inherited traits. It was founded in 2006 by Linda Avey, Paul Cusenza and Anne Wojcicki to provide genetic testing and interpretation to individual consumers. In 2007, Google invested US$3,900,000 in the company, along with Genentech, New Enterprise Associates, and Mohr Davidow Ventures. Wojcicki was married to Google co-founder Sergey Brin at the time.