Nearly 7 million 23andMe customers had their profile data leaked in a cybersecurity incident in October, a company spokesperson confirmed to SC Media on Monday. The vast majority of the leaked data was scraped from the site’s DNA Relatives feature after hackers used stolen credentials to directly access about 14,000 accounts, which represents 0.1% of users. The information stolen included display names, ancestry reports and sensitive “health-related” information, according to the company.
Details of the cyber incident come on the heels of a Friday filing by 23andMe with the U.S. Securities and Exchange Commission amending a previous 8-K disclosure. The original notification, filed Oct. 10, served to inform investors of "major events that shareholders should know about," which is how the SEC describes the purpose of an 8-K.
How 23andMe’s leak expanded from 14K to 7M users
23andMe said that 5.5 million users had their DNA Relatives profiles leaked, with an additional 1.4 million users having their Family Tree profiles exposed. 23andMe's DNA Relatives feature enables users to see profile information of other users they are genetically related to. Family Tree profiles are part of the DNA Relatives feature and contain a more limited subset of that data. In total, approximately 6.9 million customers using the DNA Relatives feature had some information leaked, 23andMe said.
Threat actors initially accessed 14,000 accounts out of 23andMe's 14 million customers. By using credentials stolen from unrelated third-party websites, adversaries were able to log in to 23andMe customer accounts. The attackers then leveraged those accounts to scrape information shared by users who had opted into the service's DNA Relatives feature.
This allowed hackers to expand the scope of data scraped from 23andMe. Each compromised account, according to the company, could potentially have access to data from hundreds or thousands more users. A review of a standard 23andMe account by SC Media revealed a customer had access to 1,500 DNA relatives.
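The two stages described above, credential stuffing followed by relative-list scraping, leave distinct traces in authentication and application logs. The following is an added example, not code from the original article or from 23andMe, of detection logic that flags both stages and estimates the amplification from a handful of compromised accounts to the number of exposed profiles. The log format, field names, thresholds and the sample log lines are constructed for illustration and are assumptions, not 23andMe's telemetry.

```python
"""Detect credential stuffing (many distinct accounts tried from one source,
almost all failing) and relative-list scraping (one logged-in account pulling
far more DNA Relatives profiles than a person would browse), then estimate
how many profiles the few compromised accounts expose. Field names and
thresholds are assumptions for illustration, not a real service's tuning."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Each line is:
# <ISO timestamp> <event> <source_ip> <account> <target>
# where target is the relative's profile id for relative_view events, else "-".
BASE = datetime(2023, 10, 1, 10, 0, 0)
ATTACKER_IP, USER_IP = "198.51.100.7", "203.0.113.9"


def _line(t, event, ip, account, target="-"):
    return f"{t.isoformat()} {event} {ip} {account} {target}"


SAMPLE_LOG = []
# Stage 1: 40 reused third-party passwords tried from one IP; two still work.
for i in range(1, 41):
    ev = "login_ok" if i in (3, 17) else "login_fail"
    SAMPLE_LOG.append(_line(BASE + timedelta(minutes=i), ev, ATTACKER_IP, f"user{i:04d}"))
# A legitimate user mistypes twice, then logs in: low volume, high success rate.
for i, ev in enumerate(("login_fail", "login_fail", "login_ok")):
    SAMPLE_LOG.append(_line(BASE + timedelta(hours=1, minutes=i), ev, USER_IP, "alice"))
# Stage 2: compromised user0003 walks its whole relative list, 300 profiles in 5 minutes.
for n in range(1, 301):
    SAMPLE_LOG.append(_line(BASE + timedelta(minutes=40, seconds=n), "relative_view",
                            ATTACKER_IP, "user0003", f"rel{n:04d}"))
# alice looks at 8 relatives spread over an hour.
for n in range(1, 9):
    SAMPLE_LOG.append(_line(BASE + timedelta(hours=1, minutes=7 * n), "relative_view",
                            USER_IP, "alice", f"rel{n:04d}"))


def parse_line(line):
    ts, event, ip, account, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "ip": ip, "account": account, "target": target}


def detect_credential_stuffing(events, min_accounts=10, max_success_rate=0.2):
    """Flag source IPs that tried many distinct accounts with mostly failed logins.
    Returns {ip: {"accounts": tried, "successes": ok, "compromised": [accounts]}}."""
    per_ip = defaultdict(lambda: {"tried": set(), "total": 0, "ok_events": 0, "ok": set()})
    for e in events:
        if e["event"] not in ("login_ok", "login_fail"):
            continue
        s = per_ip[e["ip"]]
        s["tried"].add(e["account"])
        s["total"] += 1
        if e["event"] == "login_ok":
            s["ok_events"] += 1
            s["ok"].add(e["account"])
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["tried"]) >= min_accounts and s["ok_events"] / s["total"] <= max_success_rate:
            flagged[ip] = {"accounts": len(s["tried"]), "successes": s["ok_events"],
                           "compromised": sorted(s["ok"])}
    return flagged


def detect_scraping(events, window=timedelta(minutes=10), max_profiles=50):
    """Flag accounts that viewed more than max_profiles distinct relative profiles
    inside any sliding time window. Returns {account: peak distinct profiles}."""
    views = defaultdict(list)
    for e in events:
        if e["event"] == "relative_view":
            views[e["account"]].append((e["ts"], e["target"]))
    flagged = {}
    for account, vs in views.items():
        vs.sort()
        seen, start, peak = defaultdict(int), 0, 0   # targets inside the current window
        for ts, target in vs:
            seen[target] += 1
            while ts - vs[start][0] > window:         # slide the window's left edge
                old = vs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            peak = max(peak, len(seen))
        if peak > max_profiles:
            flagged[account] = peak
    return flagged


def triage(lines):
    """Tie both stages together and estimate the blast radius: compromised
    accounts are few, but each exposes every profile it is permitted to see."""
    events = [parse_line(l) for l in lines]
    stuffing = detect_credential_stuffing(events)
    compromised = sorted({a for s in stuffing.values() for a in s["compromised"]})
    exposed = {e["target"] for e in events
               if e["event"] == "relative_view" and e["account"] in compromised}
    return {"stuffing_ips": stuffing, "scrapers": detect_scraping(events),
            "compromised_accounts": compromised, "exposed_profiles": len(exposed),
            "profiles_per_compromised_account": len(exposed) / max(1, len(compromised))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The stuffing detector keys on a low success rate across many distinct accounts from one source, which separates an attacker replaying a third-party password dump from a user who fumbles a login; the scraping detector keys on distinct profiles fetched per window rather than raw request count, so a page refresh does not trip it. In the constructed sample, two working credentials out of 40 attempts expose 300 relative profiles, which is the same amplification the article describes at a smaller scale.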
Ashkenazi Jewish community singled out
A user going by the alias "Golem" shared data on a hacker forum that they claimed had been leaked from 23andMe. Golem allegedly posted information from more than 1 million Ashkenazi Jewish users and 300,000 Chinese users on Oct. 1, followed by data from an additional 4.1 million profiles of British and German customers on Oct. 17. Golem claimed to have access to data from more than 7 million users in total.
“We are in the process of notifying affected customers, as required by law,” 23andMe said in a Dec. 1 update.
Sensitive health data leaked in the incident includes a user’s predisposition to type 2 diabetes and Parkinson’s disease. Reports also include a user’s gene carrier status for cystic fibrosis, Tay-Sachs disease and others.
23andMe says it has temporarily disabled some features within the DNA Relatives tool in response to the leak and said in its amended SEC report that it is working to remove all leaked information from public access.
“As of the filing date of this Amendment, the Company believes that the threat actor activity is contained,” the report states.
On Oct. 9, the company forced all users to reset their passwords and encouraged them to enable multi-factor authentication. On Nov. 6, it went a step further and required customers to use email 2-step verification on their accounts. 23andMe says the unauthorized access to its platform was due to credential stuffing attacks, in which hackers used credentials stolen from unrelated third-party sites. It emphasized there is no indication its own systems were subject to a breach.