Genetic testing company 23andMe revealed on Friday that approximately 14,000 customer accounts were compromised in a recent data breach. The disclosure was made in a filing with the U.S. Securities and Exchange Commission, where the company stated that hackers had gained access to 0.1% of its customer base. With over 14 million customers globally, this equates to around 14,000 affected accounts.
In addition to the breached accounts, the hackers were able to obtain “a significant number of files” containing profile information about other users’ ancestry who had opted into 23andMe’s DNA Relatives feature. The company did not specify the exact number of files or impacted users.
The data breach, which occurred in early October, involved hackers using the common technique of “credential stuffing” to gain unauthorized access to user accounts. Notably, the impact extended beyond the directly affected accounts. 23andMe’s DNA Relatives feature allows users to share information with others, meaning that by accessing one victim’s account, hackers could view the personal data of individuals connected to that user.
For the initial 14,000 compromised users, the stolen data included ancestry information and, for a subset, health-related information based on their genetics. The company emphasized that the breach did not expose all users to the same extent, as the stolen information varied.
After the breach, 23andMe took measures to enhance security. Users were required to reset passwords on October 10, and the company encouraged the adoption of multi-factor authentication. Subsequently, on November 6, 23andMe mandated the use of two-step verification for all users.
The disclosure of this breach follows the trend in the DNA testing industry, with other companies like Ancestry and MyHeritage implementing two-factor authentication measures in response to the heightened security risks.
