Genetic Testing: Hackers steal ancestry, health-related data from 23andMe
What data hackers stole from 23andMe
The company confirmed that by accessing these accounts, the hackers were also able to access “a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature.”
However, the company did not specify what that “significant number” of files was, nor did it mention how many of these “other users” were impacted.
In its filing, 23andMe said that for the initial 14,000 users, the stolen data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.”
For the other subset of users, the company mentioned that the hackers only stole “profile information” and then posted “certain information” online.
23andMe allows users to opt into a feature called DNA Relatives. Hackers accessed not only the data of the customers who had their accounts accessed but also data from the company’s DNA Relatives feature.
If a user opts in to that feature, the company shares some of that user’s information with others. This means that by accessing one victim’s account, hackers were also able to see the personal data of people connected to that initial victim.
How hackers managed to steal data
In October, the company mentioned that the hackers were able to steal data using a common technique known as “credential stuffing”. In this technique, cybercriminals hack into a victim’s account by using a known password that has been leaked in a data breach on another service.