23andMe Says Hackers Stole Ancestry Data of 6.9M Users
Credential-Stuffing Attack Led to Profile Scraping
Genetics testing firm 23andMe said a credential-stuffing attack this fall resulted in hackers siphoning the ancestry data of 6.9 million individuals.
The company said it is notifying affected users, and it told federal regulators in a Friday filing that it expects to incur between $1 million and $2 million in one-time expenses associated with the incident.
23andMe first disclosed the attack on Oct. 1, stating that attackers had scraped the profiles of 23andMe users who opted in to using the company's DNA Relatives feature, which connects users with distant genetic relatives - other 23andMe users who share segments of DNA (see: 23andMe Investigating Apparent Credential-Stuffing Hack).
The credential-stuffing attack - a technique in which attackers replay user name and password pairs leaked from other breaches against a target site, relying on people having reused the same credentials - affected 0.1% of user accounts, the company told regulators. From that launching point, hackers were able to access "a significant number of files containing profile information about other users' ancestry," because each compromised account that had opted in to DNA Relatives exposed the profile data of its matched relatives.
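The two-stage pattern described above - a small set of successful logins from a credential-stuffing run, followed by the compromised accounts pulling relatives' profiles at volume - is what a defender would want to detect. The following is an added example, not 23andMe's code or log format; it runs detection heuristics over a constructed sample log. The log layout (timestamp, source IP, event kind, user, outcome or profile ID), the event names `login` and `relatives`, and the thresholds are all assumptions for illustration.

```python
"""Detect credential stuffing and post-login relative-profile scraping
over constructed auth/API log lines (assumed format; not real data)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: int
    src_ip: str
    kind: str    # assumed event names: "login" or "relatives"
    user: str
    detail: str  # login outcome ("OK"/"FAIL") or fetched profile id


# Assumed thresholds; tune against a real baseline of legitimate traffic.
WINDOW_SECONDS = 600               # tumbling window for aggregation
STUFFING_MIN_DISTINCT_USERS = 8    # one client trying many different accounts
STUFFING_MIN_FAIL_RATIO = 0.5      # leaked credentials mostly do not work
SCRAPE_MIN_DISTINCT_PROFILES = 50  # one account pulling many relatives' profiles


def parse_log(text: str) -> List[Event]:
    """Parse lines of '<unix_ts> <src_ip> <kind> <user> <detail>' (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, kind, user, detail = line.split()
        events.append(Event(int(ts), ip, kind, user, detail))
    return events


def build_sample_log() -> str:
    """Constructed sample traffic for the demo; none of it is real 23andMe data."""
    lines = []
    # A stuffing bot at 203.0.113.7 tries 10 different accounts; 2 leaked pairs still work.
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
    for i, u in enumerate(users):
        outcome = "OK" if u in ("dave", "ivan") else "FAIL"
        lines.append(f"{1696118400 + i} 203.0.113.7 login {u}@example.com {outcome}")
    # A legitimate user mistypes once, then succeeds.
    lines.append("1696118500 198.51.100.9 login mallory@example.com FAIL")
    lines.append("1696118530 198.51.100.9 login mallory@example.com OK")
    # The compromised 'dave' account then enumerates 120 relative profiles.
    for i in range(120):
        lines.append(f"{1696118600 + i} 203.0.113.7 relatives dave@example.com profile-{1000 + i}")
    # The legitimate user browses 5 relatives over a few minutes.
    for i in range(5):
        lines.append(f"{1696118700 + i * 30} 198.51.100.9 relatives mallory@example.com profile-{2000 + i}")
    return "\n".join(lines)


def detect_credential_stuffing(events: List[Event]) -> Dict[str, dict]:
    """Per (source IP, window): flag many distinct usernames with a high failure ratio.
    A single user failing repeatedly is brute force, not stuffing, and is not flagged here."""
    buckets = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for e in events:
        if e.kind != "login":
            continue
        b = buckets[(e.src_ip, e.ts // WINDOW_SECONDS)]
        b["users"].add(e.user)
        b["total"] += 1
        b["fail"] += e.detail == "FAIL"
    findings = {}
    for (ip, win), b in buckets.items():
        ratio = b["fail"] / b["total"]
        if len(b["users"]) >= STUFFING_MIN_DISTINCT_USERS and ratio >= STUFFING_MIN_FAIL_RATIO:
            findings[ip] = {"distinct_users": len(b["users"]),
                            "fail_ratio": round(ratio, 2), "window": win}
    return findings


def compromised_accounts(events: List[Event], stuffing: Dict[str, dict]) -> Set[str]:
    """Accounts that logged in successfully from a flagged IP in its flagged window:
    the 'launching point' for any follow-on scraping."""
    hits = set()
    for e in events:
        f = stuffing.get(e.src_ip)
        if f and e.kind == "login" and e.detail == "OK" and e.ts // WINDOW_SECONDS == f["window"]:
            hits.add(e.user)
    return hits


def detect_profile_scraping(events: List[Event]) -> Dict[str, int]:
    """Per (account, window): flag accounts fetching an anomalous number of distinct profiles."""
    buckets = defaultdict(set)
    for e in events:
        if e.kind == "relatives":
            buckets[(e.user, e.ts // WINDOW_SECONDS)].add(e.detail)
    return {user: len(p) for (user, _), p in buckets.items()
            if len(p) >= SCRAPE_MIN_DISTINCT_PROFILES}


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    stuffing = detect_credential_stuffing(evs)
    print("stuffing sources:", stuffing)
    print("accounts compromised via stuffing:", compromised_accounts(evs, stuffing))
    print("profile scrapers:", detect_profile_scraping(evs))
```

The second detector is the one that matters for the scale of this incident: stuffing only yields the accounts whose owners reused a leaked password, but a per-account cap on how many relatives' profiles can be fetched per window bounds how far each compromised account can reach into other users' data. Mandatory second-factor authentication, which the company later adopted, removes the first stage altogether for replayed passwords.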
Threat actors claimed on the dark web to have stolen "20 million pieces of code" from 23andMe. According to media reports, the leaked data that was put up for sale pertains to 23andMe users with certain DNA ancestry backgrounds, including 1 million lines of code about people with Ashkenazi Jewish DNA ancestry.
A 23andMe spokesperson told Information Security Media Group that the breach affected a total of 6.9 million individuals, roughly half of its 14-million-customer base, including 5.5 million people who shared information through the DNA Relatives feature. Approximately 1.4 million people who opted into DNA Relatives also had their Family Tree profile information accessed. That information contained names, relationship labels, birth year, self-reported location and the user's decision to share their information.
The threat actor claiming to sell the hacked 23andMe data - which, by Wired's estimate, also included records on 100,000 Chinese users - sought buyers at $1 to $10 per individual account. The same hacker advertised alleged records of another 4 million people on the same forum two weeks later, according to TechCrunch.
The genetic testing firm has since made two-step verification a prerequisite for account logon and is requiring customers to reset their passwords.
The company faces multiple putative class action lawsuits in state and federal jurisdictions, as well as in Canada (see: US Senator Quizzes 23andMe Over Credential-Stuffing Hack).