23andMe Admits Data Breach Exposed Millions Of Ancestry Profiles

Genetic testing company 23andMe admitted in a Friday filing with the U.S. Securities and Exchange Commission (SEC) that there had been a significant data breach of its customer records, compromising the ancestry information of millions of customers.

The reported breach involves the “DNA Relatives” (DNAR) feature of the company’s products. While the breach impacted only part of the firm’s total customer base, the attack still exposed a vast amount of confidential data.

The data breach turned out to be far more extensive than was initially reported over a month ago; it is now known to have affected almost half of the user base. 23andMe maintains confidential data on around 14 million customers in total.

It is believed that malicious hackers used a method described as “credential stuffing” to carry out the attack. Credential stuffing is a sophisticated cyberattack method in which hackers exploit a common weakness in online security — the reuse of login credentials across multiple websites.

Hackers use previously exposed usernames and passwords from one data breach and attempt to log in to other websites, banking on the probability that many users employ the same login details across various platforms.

This automated process involves trying thousands or even millions of credential combinations across numerous sites until a match is found. Once successful, hackers gain unauthorized access to user accounts and sensitive personal data. This method’s effectiveness hinges on the widespread habit of password reuse, underscoring the importance of using unique passwords for different online services to enhance security and reduce vulnerability to such attacks.
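The pattern described above has a recognizable shape in a site's own authentication logs: one source tries many different accounts, a small number of attempts per account, with most attempts failing and the occasional success where a reused password matched. The following is an added defensive example, not code from the article or from 23andMe; it parses a constructed, hypothetical login log (the `ip=... user=... result=...` line format and the thresholds are assumptions) and flags sources whose activity looks like credential stuffing rather than ordinary use or single-account brute force, then lists the accounts that succeeded from a flagged source so they can be reset.

```python
"""Flag credential-stuffing activity in an authentication log (added example).

Credential stuffing looks different from brute force: many distinct accounts,
roughly one attempt each, high failure ratio, with a few successes where a
password reused from another breach happened to match.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (hypothetical data, not a real 23andMe log).
# Assumed format: "<timestamp> ip=<source> user=<account> result=<OK|FAIL>"
SAMPLE_LOG = """\
2023-10-01T02:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-10-01T02:00:01Z ip=203.0.113.7 user=bob result=FAIL
2023-10-01T02:00:02Z ip=203.0.113.7 user=carol result=OK
2023-10-01T02:00:02Z ip=203.0.113.7 user=dave result=FAIL
2023-10-01T02:00:03Z ip=203.0.113.7 user=erin result=FAIL
2023-10-01T02:00:03Z ip=203.0.113.7 user=frank result=FAIL
2023-10-01T02:00:04Z ip=203.0.113.7 user=grace result=OK
2023-10-01T02:00:04Z ip=203.0.113.7 user=heidi result=FAIL
2023-10-01T02:00:05Z ip=203.0.113.7 user=ivan result=FAIL
2023-10-01T02:00:05Z ip=203.0.113.7 user=judy result=FAIL
2023-10-01T08:15:00Z ip=198.51.100.20 user=alice result=FAIL
2023-10-01T08:15:10Z ip=198.51.100.20 user=alice result=OK
2023-10-01T09:00:00Z ip=198.51.100.21 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters gathered from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct accounts tried
    succeeded: set = field(default_factory=set)    # accounts that logged in OK


def parse_log(text):
    """Aggregate login attempts per source IP; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.succeeded.add(m["user"])
    return stats


def detect_credential_stuffing(text, min_users=8, min_fail_ratio=0.6,
                               max_attempts_per_user=2.0):
    """Return {ip: SourceStats} for sources matching the stuffing shape.

    Thresholds are assumptions for this example; tune them to real traffic.
    A single account hammered many times (brute force) is deliberately not
    matched here because attempts_per_user would be high.
    """
    flagged = {}
    for ip, s in parse_log(text).items():
        distinct = len(s.users)
        fail_ratio = s.failures / s.attempts
        attempts_per_user = s.attempts / distinct
        if (distinct >= min_users
                and fail_ratio >= min_fail_ratio
                and attempts_per_user <= max_attempts_per_user):
            flagged[ip] = s
    return flagged


def accounts_to_reset(flagged):
    """Accounts that successfully authenticated from a flagged source:
    these are the ones a defender should force to reset and re-enroll."""
    accounts = set()
    for s in flagged.values():
        accounts |= s.succeeded
    return sorted(accounts)


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_LOG)
    for ip, s in hits.items():
        print(f"{ip}: {len(s.users)} accounts tried, {s.failures}/{s.attempts} failed")
    print("force password reset for:", accounts_to_reset(hits))
```

The per-source view is what makes the difference: each individual account in the sample sees only one failed or successful login, which is indistinguishable from a user mistyping a password, so per-account lockout alone does not catch it. Correlating by source (or by other shared request attributes) and treating successes from a flagged source as suspected compromises is the basis for the password resets and mandatory second factor described below.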

The company has said that it has taken swift action to mitigate the damage to its customers and enhance its overall security. 23andMe advised its customers to change their passwords as part of that process. It implemented mandatory two-factor authentication for all user accounts.

In addition to genetic and biological information, it is believed the breach compromised personal data, including users’ names, location, birth years, relationship status, DNA shared with certain relatives, and complete ancestry reports.

Other genetic testing companies, including Ancestry and MyHeritage, have responded to the 23andMe hacking attack by mandating two-factor authentication and other security measures.

Hackers are among the most sophisticated and persistent criminals plaguing modern society.

With every step corporate entities take to secure information, malicious actors work endlessly to defeat protective measures. Because virtually every American consumer relies on the internet daily, each person must take appropriate steps to protect their information and carefully choose which companies they do business with.