23andMe data leak

The 23andMe data leak was a data breach at the personal genomics company 23andMe, reported in October 2023. The cyberattack gathered profile and ethnicity information from millions of users. The affected customers were reported to be primarily Ashkenazi Jews, but also included hundreds of thousands of ethnically Chinese users. [1] The hacker(s) stole information that customers had chosen to share with their DNA matches, which could include name, profile photo, birth year, location, family surnames, grandparents' birthplaces, ethnicity estimates, mitochondrial DNA haplogroup, Y-chromosome DNA haplogroup, a link to an external family tree, and any text a customer had optionally included in their "About" section. On December 4, 2023, the company confirmed that the hacker(s) had illicitly accessed data on approximately 6.9 million users.

Background

In October 2023, Wired reported that a sample of data points from 23andMe accounts were exposed on BreachForums, a black-hat hacking crime forum. [1]

23andMe confirmed to TechCrunch that because of an opt-in feature that allows DNA-related relatives to contact each other, the true number of people exposed was 6.9 million, nearly half of 23andMe’s 14 million reported customers. [2] [3]

One batch of data was advertised on a hacking forum as a list of Ashkenazi Jews, and another as a list of people of Chinese descent, sparking concerns about targeted attacks. [4] [5]

Attack

In October 2023, a hacker known as Golem claimed to have hijacked the profile information of millions of 23andMe users. [6] [7] The attack, which the company acknowledged, used hacking techniques including 'credential stuffing' to gain unauthorised access to the profile information of millions of users. [2] The compromised data included personal information from user profiles, raising concerns about privacy.

Response

In October 2023, some impacted users filed a class action lawsuit in California alleging "Negligence, Breach of Implied Contract, Invasion of Privacy and Unjust Enrichment." [8] That same month, a 23andMe spokesperson told TechCrunch that the company was “reviewing the data to determine if it is legitimate.” [9] 23andMe "temporarily disabled some features within the DNA Relatives tool," [10] preventing customers from seeing the chromosome browser or shared DNA matches. 23andMe disabled the ability for users to download their raw data. In December 2023, 23andMe updated its terms of service to prevent class action lawsuits. [11]

The company ordered a thorough investigation, which confirmed that the data had been stolen via a credential stuffing attack. The investigation also found no evidence of a cyber security incident within the company's own IT systems. Those whose data was stolen had opted in to the 'DNA Relatives' feature, which allowed the malicious actor(s) to scrape their data from their profiles. [9] [12]
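The two stages described in the Attack and Response sections, a credential-stuffing login wave followed by one compromised account enumerating the profiles of its opted-in DNA relatives, leave distinct traces in ordinary web logs. The following is an added example written for this article, not code from 23andMe or from the article; the log format, the sample IPs and accounts, and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real 23andMe logs), one tuple per request:
# (source_ip, account, event, outcome). For "login" the outcome is ok/fail;
# for "relative_view" it is the id of the relative's profile that was opened.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", "login", "fail"),
    ("203.0.113.7", "bob", "login", "fail"),
    ("203.0.113.7", "carol", "login", "ok"),
    ("203.0.113.7", "dave", "login", "fail"),
    ("203.0.113.7", "erin", "login", "fail"),
    ("203.0.113.7", "frank", "login", "fail"),
    ("198.51.100.2", "carol", "login", "fail"),
    ("198.51.100.2", "carol", "login", "ok"),
] + [("203.0.113.7", "carol", "relative_view", f"rel-{i}") for i in range(120)] \
  + [("198.51.100.9", "grace", "relative_view", f"rel-{i}") for i in range(8)]

def credential_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.6):
    """Source IPs that tried many distinct accounts with mostly failed logins:
    the signature of replaying a breached username/password list."""
    accounts, attempts, failures = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, account, event, outcome in events:
        if event != "login":
            continue
        accounts[ip].add(account)
        attempts[ip] += 1
        if outcome == "fail":
            failures[ip] += 1
    return sorted(ip for ip in attempts
                  if len(accounts[ip]) >= min_accounts
                  and failures[ip] / attempts[ip] >= min_fail_ratio)

def relative_scraping_accounts(events, max_profiles=50):
    """Accounts that opened more distinct relatives' profiles than a genuine
    user plausibly would; one opted-in account exposes many relatives."""
    viewed = defaultdict(set)
    for _ip, account, event, outcome in events:
        if event == "relative_view":
            viewed[account].add(outcome)
    return sorted(a for a, ids in viewed.items() if len(ids) > max_profiles)

def compromised_and_scraping(events):
    """Accounts logged into from a stuffing source that then enumerated
    relatives: the two-stage chain described in the article."""
    bad_ips = set(credential_stuffing_sources(events))
    hits = {a for ip, a, ev, out in events
            if ev == "login" and out == "ok" and ip in bad_ips}
    return sorted(hits & set(relative_scraping_accounts(events)))
```

The thresholds are deliberately simple; in practice they would be tuned per endpoint and combined with the two-factor authentication requirement mentioned below, which removes the value of a replayed password on its own.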

The breach prompted legal scrutiny, with Connecticut's attorney general pressing 23andMe for answers. He asserted that the breach resulted in the targeted exfiltration and sale of at least one million data profiles on the black market. [13]

In this same timeframe, Ancestry.com and MyHeritage began requiring two-factor authentication. [14]

References

  1. Newman, Lily Hay. "23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews". Wired. ISSN 1059-1028. Retrieved 2023-12-15.
  2. Helmore, Edward (2023-12-05). "Genetic testing firm 23andMe admits hackers accessed DNA data of 7m users". The Guardian. ISSN 0261-3077. Retrieved 2023-12-15.
  3. "23andMe: Profiles of 6.9 million people hacked". 2023-12-05. Retrieved 2023-12-15.
  4. Klosowski, Thorin (2023-10-20). "What to Do If You're Concerned About the 23andMe Breach". Electronic Frontier Foundation. Retrieved 2023-12-15.
  5. "23andMe user data targeting Ashkenazi Jews leaked online". NBC News. 2023-10-07. Retrieved 2023-12-15.
  6. DeGeurin, Mack (2024-02-15). "Hackers got nearly 7 million people's data from 23andMe. The firm blamed users in 'very dumb' move". The Guardian. Retrieved 2024-02-17. "Worse, he later learned of a hacker going by the pseudonym "Golem" who had offered to sell the names, addresses and genetic heritage reportedly belonging to 1 million 23andMe customers."
  7. "McAfee blog".
  8. CIVIL DOCKET FOR CASE #: 3:23-cv-05147-EMC.
  9. Powell, Olivia (2023-10-20). "23andMe hacker data profiles of 4.1 million users". Cyber Security Hub. Retrieved 2023-12-15.
  10. As described to customers on the DNA Relatives page.
  11. "After hack, 23andMe gives users 30 days to opt out of class-action waiver".
  12. "Biotech firm 23andMe user data stolen in credential-stuffing attack". ETCISO.in. Retrieved 2023-12-15.
  13. Katersky, Aaron. "Connecticut attorney general presses 23andMe for data breach answers". ABC News. Retrieved 2023-12-15.
  14. "23andMe data theft prompts DNA testing companies to switch on 2FA by default".