23andMe data leak

Last updated

The 23andMe data leak was a data breach at personal genomics company 23andMe reported in October 2023. The cyberattack gathered profile and ethnicity information from millions of users. The affected customers were reported to be not only primarily Ashkenazi Jews but also including hundreds of thousands of ethnically Chinese users. [1] The hacker(s) stole information customers had chosen to share with their DNA matches, which could include their name, profile photo, birth year, location, family surnames, grandparents' birthplaces, ethnicity estimates, mitochondrial DNA haplogroup, Y-chromosome DNA haplogroup, link to external family tree, and any text content a customer had optionally included in their "About" section. On October 6, 2023, the company confirmed that the hacker(s) had illicitly accessed data on approximately 6.9 million users.

Contents

Background

In October 2023, Wired reported that a sample of data points from 23andMe accounts were exposed on BreachForums, a black-hat hacking crime forum. [1]

23andMe confirmed to TechCrunch that because of an opt-in feature that allows DNA-related relatives to contact each other, the true number of people exposed was 6.9 million, nearly half of 23andMe’s 14 million reported customers. [2] [3]

One batch of data was advertised on a hacking forum as a list of Ashkenazi Jews, and another as list of people of Chinese descent, sparking concerns about targeted attacks. [4] [5]

Attack

In October 2023, a hacker known as Golem claimed to have hijacked the profile information of millions of users from 23andMe. [6] [7] The attack, acknowledged by the company, was a result of hacking techniques including 'credential stuffing' to gain unauthorised access to the profile information of millions of users. [2] Celebrities were named in the allegedly hacked data entries, including Elon Musk and Mark Zuckerberg. [8] The compromised data included personal information on user profiles, raising concerns about privacy.

In October 2023, some impacted users filed a class action lawsuit in California alleging "Negligence, Breach of Implied Contract, Invasion of Privacy and Unjust Enrichment." [9]

In January 2024, a separate class action lawsuit against 23andMe was filed, alleging that the company failed to notify customers of Chinese and Ashkenazi Jewish heritage that their genetic information had been bundled in "specially curated lists" and offered for sale on the dark web. [10] In September 2024, 23andMe agreed to settle the lawsuit for $30 million. [11]

The breach prompted legal scrutiny, with Connecticut's attorney general pressing 23andMe for answers. He asserted that the breach resulted in the targeted exfiltration and sale of at least one million data profiles on the black market. [12]

A joint Canadian UK investigation determined that 23andMe didn't have adequate data protections and ignored warning signs. [13] The joint investigation of Canada's Privacy Commissioner and the UK's Information Commissioner's Office (ICO) resulted in 23andMe being fined £2.31 million (GBP) by the ICO. [14] [15] [16]

Company response

In October 2023, a 23andMe spokesperson told TechCrunch that the company was "reviewing the data to determine if it is legitimate." [17] 23andMe "temporarily disabled some features within the DNA Relatives tool," [18] preventing customers from seeing the chromosome browser or shared DNA matches. 23andMe disabled the ability for users to download their raw data.

In December 2023, 23andMe updated its terms of service to prevent class action lawsuits. [19] After the hack, 23andMe gave users 30 days to opt out of class-action waiver.

The company ordered a thorough investigation, through which it confirmed that the data was stolen via a credential stuffing attack. The investigation also revealed that there is no evidence of a cyber security incident on the company's IT systems. Those who had their data stolen had opted in to the ‘DNA relatives’ feature, which allowed the malicious actor(s) to scrape their data from their profiles. [17] [20]

However, the company was criticized for blaming customers for not changing their passwords. [21]

In this same timeframe, 23andMe began requiring two-factor authentication, along with Ancestry.com and MyHeritage, out of security concerns following the breach. [22]

See also

References

  1. 1 2 Newman, Lily Hay. "23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews". Wired. ISSN   1059-1028 . Retrieved 2023-12-15.
  2. 1 2 Helmore, Edward (2023-12-05). "Genetic testing firm 23andMe admits hackers accessed DNA data of 7m users". The Guardian. ISSN   0261-3077 . Retrieved 2023-12-15.
  3. "23andMe: Profiles of 6.9 million people hacked". 2023-12-05. Retrieved 2023-12-15.
  4. Klosowski, Thorin (2023-10-20). "What to Do If You're Concerned About the 23andMe Breach". Electronic Frontier Foundation. Retrieved 2023-12-15.
  5. Collier, Kevin (2023-10-07). "23andMe user data targeting Ashkenazi Jews leaked online". NBC News. Retrieved 2023-12-15.
  6. DeGeurin, Mack (2024-02-15). "Hackers got nearly 7 million people's data from 23andMe. The firm blamed users in 'very dumb' move". the Guardian. Retrieved 2024-02-17. Worse, he later learned of a hacker going by the pseudonym "Golem" who had offered to sell the names, addresses and genetic heritage reportedly belonging to 1 million 23andMe customers
  7. "Mcafee blog".
  8. Pequeño IV, Antonio (October 6, 2023). "23andMe User Data Stolen And Listed For Sale In Attack Targeting Ashkenazi Jews". Forbes.
  9. "Santana et al v. 23andMe, Inc. - CIVIL DOCKET FOR CASE #: 3:23-cv-05147-EMC". 2023-10-09.
  10. Carballo, Rebecca; Schmall, Emily; Tumin, Remy (2024-01-26). "23andMe Breach Targeted Jewish and Chinese Customers, Lawsuit Says". The New York Times . p. A16. Archived from the original on 2024-01-30. Retrieved 2025-06-25.
  11. Roth, Emma (2024-09-13). "23andMe agrees to pay $30 million to settle lawsuit over massive data breach". The Verge . Archived from the original on 2025-06-17. Retrieved 2025-06-25.
  12. Katersky, Aaron (2023-10-31). "Connecticut attorney general presses 23andMe for data breach answers: The breach exposed Chinese and Ashkenazi Jewish user info on the dark web". ABC News. Archived from the original on 2023-11-01. Retrieved 2023-12-15.
  13. Major, Darren (2025-06-17). "23andMe 'failed to take basic steps' to protect private information, investigation finds: Hackers accessed nearly 7 million customers' data in 2023 breach". CBC News. Archived from the original on 2025-06-17.
  14. "Backgrounder: Summary of joint investigation into data breach at 23andMe by the Privacy Commissioner of Canada and the UK Information Commissioner". Privacy Commissioner of Canada. 2025-06-17. Archived from the original on 2025-06-18.
  15. "23andMe fined £2.31 million for failing to protect UK users' genetic data". Information Commissioner's Office. 2025-06-17. Archived from the original on 2025-06-17.
  16. Duball, Joe (2025-06-17). "23andMe fined 2.31M GBP after UK, Canada data security probe". International Association of Privacy Professionals. Archived from the original on 2025-06-18.
  17. 1 2 Powell, Olivia (2023-10-20). "23andMe hacker data profiles of 4.1 million users". Cyber Security Hub. Archived from the original on 2023-10-20. Retrieved 2023-12-15.
  18. as described to customers on the DNA Relatives page
  19. Ashley, Belanger (2023-12-06). "After hack, 23andMe gives users 30 days to opt out of class-action waiver: Anyone who fails to opt out "will be deemed to have agreed to the new terms."". Ars Technica. Archived from the original on 2023-12-06.
  20. IANS. "Biotech firm 23andMe user data stolen in credential-stuffing attack: US-based biotech company 23andMe, known for its DNA testing kits, has confirmed that its user data is circulating on hacker forums, attributing the leak to a credential-stuffing attack.". ETCISO.in. Archived from the original on 2023-11-05. Retrieved 2023-12-15.
  21. DeGeurin, Mack (2024-02-15). "Hackers got nearly 7 million people's data from 23andMe. The firm blamed users in 'very dumb' move: The company pointed at people who 'failed to update their passwords' as sensitive data was offered for sale on forums". The Guardian. Archived from the original on 2025-01-18.
  22. Whittaker, Zack (2023-11-07). "23andMe data theft prompts DNA testing companies to switch on 2FA by default". TechCrunch. Retrieved 2024-12-10.