Biogenetics company 23andMe has filed a new filing with the US Securities and Exchange Commission (SEC) detailing the data breach in early October 2023.
In the filing, the company states that the threat actors gained access to data on 0.1% of its customer base – roughly 14,000 individuals if we discount the company's recent claim that the company has “more than 14 million customers worldwide” in a recent annual earnings report can be believed.
But it gets a little more complicated than that. 23andme is a genetics testing and ancestry company, and sometimes users share this data with other accounts through its “DNA Relatives” feature. As a result, the attackers had gained access to “a significant number of files containing profile information about the origins of other users that such users wanted to share.”
Credential filling
The explanation is vague, so we don't know exactly how many files were opened, or how many “other users” were affected. But what is known is that a threat actor attempted to sell millions of 23andMe data pieces on the dark web. The company later confirmed the authenticity of the data and said a hacker most likely used credential stuffing (by trying an infinite number of username and password combinations) to gain access to its systems.
The stolen data “generally includes ancestral information and, for a portion of those accounts, health-related information based on the user's genetics.” Most people have had their “profile information” and “certain information” stolen, the company said in an earlier, equally vague announcement.
Previous media reports said the database contained origin estimates, phenotype and health information, photographs and identification data, raw data and some other account information.
The dark web leak reportedly contained a million lines of data for Ashkenazi people (via Beeping computer), which also affects more than 300,000 users of Chinese descent (via The record).
Through TechCrunch