23andMe has confirmed that the security incident in October 2023 directly impacted 14,000 users and indirectly exposed the sensitive data of another 6.9 million profiles.
23andMe is an American genomics and biotechnology company offering consumers direct genetic testing services. People receive a kit to provide a saliva sample and send it to the firm for testing. 23andMe then creates a report covering ancestry, genetic traits, potential health risks, etc.
As we reported in early October, a threat actor on hacking forums posted the data of 1 million Ashkenazi Jews, including full names, DNA information, geographical details, etc. A few days later, the same user decided to sell user profiles stolen from 23andMe in bulk sets of 100-100,000 for $1,000 to $100,000.
At the time, a spokesperson of the firm assured us that the hackers had not compromised its systems but rather hijacked poorly secured accounts via “credential stuffing” and then used one of the platform’s features named ‘DNA Relative Finder’ to pivot to other users linked to the compromised accounts via ancestry or other key data points.
The data compromised for this larger subset of users, although lacking the extensive genetic details in the initially breached accounts, still reveals significant personal information. This includes the display name, profile photo, sex, birth year, predicted relationships to genetic matches, select results from their genetic ancestry analysis, and geographic locations.
23andMe defines impact
An SEC filing the genetics testing company submitted on Friday finally determines the number of users impacted by the incident, saying it was 0.1% of its userbase, or 14,000.
Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available (the “Credential Stuffed Accounts”).
From the SEC filing
Additional statements given to the media by the company’s spokesperson determined the number of indirectly impacted profiles to be 6.9 million. Specifically, the secondary account breach wave concerns 5.5 million people who opted-in to the aforementioned DNA Relatives feature and another 1.4 million users exposed via the ‘Family Tree’ feature.
The SEC filing promises that all impacted users will be informed accordingly via notifications, while the company expects the total cost due to this incident to be between one and two million USD.
To enhance user security, 23andMe implemented stringent measures. On October 10, 2023, the company mandated a password reset for all users. Subsequently, on November 6, 2023, it introduced a compulsory two-factor authentication (2FA) system for existing and new users. Had even an optional 2FA been available earlier, the severity of the credential stuffing attack would have been significantly mitigated.