Key Takeaways
The vulnerability of data breaches continues persistently, posing a newfound threat to your DNA. 23andMe recently encountered a breach wherein cybercriminals successfully acquired data profiles, encompassing personal information and genetic ancestry outcomes.
The security breach occurred due to a credential stuffing attack, wherein hackers utilized login credentials obtained from previous data breaches. Additionally, the hackers were able to access other individuals' data through the "DNA Relatives" feature.
Although 23andMe acknowledged the breach, they refuted any claims suggesting it was an internal attack. Since the stolen data is already in circulation, it is crucial to refrain from reusing passwords for other accounts.
Data breaches have been a recurring issue throughout the past year and show no signs of abating. It is uncertain whether it is directly related to your password, but there is always the possibility of important personal information, such as your phone number or social security number, being exposed in a data dump. However, have you considered the potential of your DNA being included in such a breach? Unfortunately, that scenario is no longer remote.
For those unfamiliar with 23andMe, it is a company that provides DNA test kits, allowing individuals to uncover fascinating details about their heritage and personal traits. By sending in a sample and returning the kit, customers can learn about their genetic origins and potentially connect with distant relatives who share similar DNA profiles. The drawback, however, is that this also entails the company having to store customers' DNA, making it vulnerable to breaches. Regrettably, this vulnerability became a reality when hackers carried out a credential stuffing attack, resulting in the theft and subsequent bulk sale of data profiles. The stolen information encompasses various details such as usernames, full names, profile pictures, date of birth, genetic ancestry results, and even geographical location.
A representative from 23andMe confirmed that the breach was valid, but denied that it originated from an internal attack on the company's systems. According to their initial investigation, it appears that the login credentials used in these access attempts may have been obtained by a threat actor from data leaks involving other online platforms where users have reused their login credentials. It seems that the hackers exploited accounts using already available credentials, and the "DNA Relatives" feature exacerbated the situation by allowing hackers to access other individuals' data. Unfortunately, there is currently no action for affected individuals to take, as the data has already been exposed. However, it is advisable to avoid reusing passwords for other accounts.
Source: Bleeping Computer