The Vulnerability of Genetic Data: An In-depth Analysis of the 23andMe Breach
23andMe, a leading American biotech and genomics company, has recently reported a significant data breach. User data from its platform appeared in hacker forums, leading to concerns about the safety of sensitive genetic information. The company attributes the breach to a credential-stuffing attack. A further investigation into the matter unveiled the extent and implications of such an attack on user privacy.
The company offers genetic testing services to consumers based on saliva samples sent to its labs. Customers receive a comprehensive report detailing their ancestry and genetic predispositions. Recently, a cybercriminal data stolen from a genetics company and later offered to sell data packs related to 23andMe customers.
Unveiling The Data Breach Incident
The initial data leak was limited, with the hacker releasing 1 million lines of data specific to Ashkenazi Jews. Another dataset has been leaked that includes information about around 300,000 users of Chinese descent. Later, the hacker offered to sell data profiles, ranging from $1 to $10 per account.
The stolen data includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location. Interestingly, the number of accounts sold by the cybercriminal does not reflect the total number of 23andMe accounts. The hacker seems to have targeted a few 23andMe accounts, especially their ‘DNA Relatives’ matches.
The Role of Credential Stuffing Attack
Cybercriminals use credential stuffing to target weak password habits. They take login info from one site and use it on another. In this case, the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal sensitive data.
A 23andMe representative confirmed the data’s authenticity. However, the company clarified that there is no indication of a data security incident within their systems. Instead, their initial findings hint that a hacker might have used data from incidents involving other online platforms.
The Implications of Opting-In For DNA Relatives Feature
The compromised 23andMe accounts had opted into the ‘DNA Relatives’ feature. This feature allows users to share their information with platform’s users to find distant genetic relatives. It includes broad descriptions of users’ genetic makeup, but no raw data. By accessing a few accounts, the hackers unveiled the privacy risks of such features.
23andMe suggests that customers enable two-factor authentication as an additional account protection measure and refrain from reusing passwords. The company will inform the concerned customers if their accounts have been accessed by unauthorized individuals.
Legal Implications and Regulations
Data breaches often trigger class action lawsuits. For instance, the clinical genomic diagnostics vendor Ambry Genetics suffered a data breach in 2020 impacting 233,000 individuals. Though fines seemed unlikely, affected users launched multiple lawsuits.
On October 9, 2023, a lawsuit accused 23andMe alleging the company was negligent for failing to protect customers’ data.
If you liked this article, we advise you to read our previous article about BORN Ontario data breach. Follow us on Twitter and LinkedIn for more content.
Stay up to date with exposed information online. Kaduu with its cyber threat intelligence service offers an affordable insight into the darknet, social media and deep web.