Abigail Shimniok

“23andMe,” a company most famous for their DNA testing kits that allow an individual to trace back their ancestry, has recently revealed the full extent of a recent hack involving their customers’ personal data.
The company announced through their website’s blog that they had suffered a breach of information on Oct. 6. Specifically, the users who opted into their “DNA Relatives” feature, which would allow users to connect with other users of the service if they were found to be genetically related.
This breach was achieved using a method known as “credential stuffing,” which involves using logins gained from a security breach of one service to gain access to other services.
Despite giving updates throughout the following weeks and taking steps to ensure customer safety post-breach, such as resetting passwords and enforcing two-factor authentication for all current users, the extent of the hack was not fully revealed until Dec. 5.
In an addendum to their initial blog post, the company would reveal that approximately 14,000 users had their accounts compromised via credit stuffing. Using the DNA Relatives feature, they were able to access the personal information of around 5.5 million users and 1.4 million additional users compromised through the “Family Tree” feature, totaling roughly 6.9 million compromised users, or just under half of the entire company’s user base.
According to Wired, some of the stolen data was already being sold on hacking forum platform “BreachForums” shortly after the hack had occurred, asking for $1 – $10 per account. The data included, among basic information about the user, genetic ancestry results and possibly specific geographic ancestry information. Due to the nature of the hack, it is likely that said data also included relatives of the hacked users.
The identity of the hackers responsible for the attack is still unknown.