23andMe is one of the biggest genetics companies in the world. There are millions of people who have taken its test to learn about their ancestry.
Unfortunately, the company has found itself in the middle of a controversy as it is currently investigating a potential data breach after customer information was allegedly stolen and offered for sale online.
Here is what has happened.
Data Offered for Sale on Cybercrime Forum
On Sunday, a cybercrime forum user claimed to possess data on 20 million 23andMe customers. They posted a sample of the data, describing it as the "most valuable data you'll ever see."
23andMe admitted that “certain customer profile information was compiled through unauthorized access to individual 23andMe.com accounts.” However, the company stated there is currently no evidence of a breach within its own systems.
According to the investigation carried out so far, the attacker collected credentials that had already been leaked on other platforms and reused them to log in to 23andMe accounts, a technique known as credential stuffing.
DNA Relatives Service May Be Impacted
23andMe has a feature called “DNA Relatives,” which allows people to learn more about their families. The attacker may have gained access to information about users’ birth year, relationships to their match, the percent DNA match, profile sex, parts of their genetic ancestry results, and more.
The full extent of the stolen data remains uncertain, though.
The Seller Withdrew and Then Relisted the Data
After initially listing the data for sale on Sunday, the seller took the listing down. Just 3 days later, though, they relisted it, this time advertising additional data on “tailored ethnic groupings, individualized data sets, pinpointed origin estimations, haplogroup details, phenotype information, photographs, links to hundreds of potential relatives, and most crucially, raw data profiles.”
They were selling the data in batches of 100, 1,000, 10,000, and 100,000 profiles.
What Should You Do?
While investigations continue, 23andMe strongly recommends enabling two-factor authentication. You should also avoid reusing older passwords and choose a unique, complex password for each account. Enabling two-factor authentication and using a password manager can greatly improve security.
What Will 23andMe Do?
23andMe stated they will notify any confirmed victims. They also plan to implement additional protections like enhanced training, stronger access controls, and further password requirements.
The company emphasized they take privacy and security seriously. 23andMe said it will continue supporting inquiries into this potential attack on customers' sensitive data.
The Breach Has Raised Concerns Around Genetic Genealogy Sites’ Security
As DNA testing rises in popularity, cyber attacks targeting genetic genealogy sites may increase too. Customers provide intimate health details and family connections when using these services. Hackers can profit greatly from selling or exploiting such personal data.
This breach highlights the need for testing companies to uphold rigorous security standards. It also stresses the importance of users safeguarding credentials and enabling safety measures like two-factor authentication whenever possible.