In recent years, a growing number of people have been handing their DNA over to tech companies for the apparent benefits of learning about their ancestry and their health. However, as with digital IDs, once such a company holds your most intimate data, that data becomes a target for hackers and cyberattacks.
A considerable number of user ancestry files were exposed in a recent cyberattack on genetic testing giant 23andMe. According to an official filing released on Friday, cybercriminals accessed around 14,000 user accounts, a figure that equates to approximately 0.1% of the company's global customer base of over 14 million.
The hackers used a common technique known as "credential stuffing": taking username and password pairs leaked in breaches of other services and replaying them against 23andMe's login, which succeeds wherever a user has reused the same password. However, the attack didn't end with the accounts whose passwords were guessed. 23andMe offers an opt-in feature through which users can share selected information with other users. Consequently, the breach also extended to individuals linked to a compromised account through this feature, even though their own credentials were never compromised.
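The two mechanisms described above, credential stuffing against the login endpoint and exposure spreading through opt-in sharing, can both be reasoned about in code. The following is an added example, not code from 23andMe or from the filing: it flags credential-stuffing sources in a constructed authentication log (one IP fanning out across many distinct usernames with a low success rate, whereas a legitimate user retries one account from one IP), then computes how many accounts an attacker can read given the hijacked accounts and a constructed opt-in sharing graph. The log format, field names, thresholds and user names are all hypothetical assumptions.

```python
"""Added example: detecting credential stuffing in auth logs and estimating
the blast radius of hijacked accounts through an opt-in sharing feature.
Log format, thresholds, user names and sharing graph are constructed."""
import re
from collections import defaultdict

# Constructed sample auth log (hypothetical format): 203.0.113.5 tries seven
# different accounts in seconds, succeeding on two; the other IPs are normal users.
SAMPLE_LOG = """\
2023-10-01T02:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T02:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T02:00:03Z ip=203.0.113.5 user=carol result=OK
2023-10-01T02:00:04Z ip=203.0.113.5 user=dave result=FAIL
2023-10-01T02:00:05Z ip=203.0.113.5 user=erin result=FAIL
2023-10-01T02:00:06Z ip=203.0.113.5 user=frank result=OK
2023-10-01T02:00:07Z ip=203.0.113.5 user=grace result=FAIL
2023-10-01T08:15:00Z ip=198.51.100.7 user=alice result=FAIL
2023-10-01T08:15:20Z ip=198.51.100.7 user=alice result=OK
2023-10-01T09:00:00Z ip=198.51.100.9 user=heidi result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that attempt many distinct accounts with mostly failures.

    A stuffing source fans out across usernames because it is replaying a
    breach list; a legitimate user who forgot their password retries one
    account from one IP. Returns {ip: {"distinct_accounts": n,
    "successful_logins": [users]}} for the flagged IPs only.
    """
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "total": 0, "hijacked": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if e["result"] == "OK":
            s["ok"] += 1
            s["hijacked"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["users"]) >= min_accounts and s["ok"] / s["total"] <= max_success_rate:
            flagged[ip] = {
                "distinct_accounts": len(s["users"]),
                "successful_logins": sorted(s["hijacked"]),
            }
    return flagged


def blast_radius(compromised, sharing_edges):
    """Accounts whose data the attacker can read.

    That is the compromised accounts plus every account that opted to share
    its profile with one of them. Edges are (sharer, viewer). Exposure is one
    hop: the attacker sees only what the hijacked account itself was allowed
    to see, not what the sharers' own relatives shared with the sharers.
    """
    exposed = set(compromised)
    for sharer, viewer in sharing_edges:
        if viewer in compromised:
            exposed.add(sharer)
    return exposed


# Constructed opt-in sharing graph (hypothetical users): sharer -> viewer.
SHARING = [
    ("ivan", "carol"),
    ("judy", "carol"),
    ("mallory", "frank"),
    ("alice", "heidi"),
    ("carol", "ivan"),
]

if __name__ == "__main__":
    flagged = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    hijacked = {u for f in flagged.values() for u in f["successful_logins"]}
    print("stuffing sources:", flagged)
    print("exposed accounts:", sorted(blast_radius(hijacked, SHARING)))
```

Two hijacked accounts (carol and frank) expose five accounts in the sample graph, which is the point of the sharing feature's role in the breach: the affected population is bounded by the sharing graph, not by the number of guessed passwords. The one-hop model matches what an attacker logged into a single account can actually view; a platform whose feature reveals relatives-of-relatives would need a transitive walk instead.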
What amplifies the gravity of the breach is the nature of the exposed information: mainly personal ancestry details and, in some cases, health-related genetic information. The exact number of affected 'other users', and the precise extent of the files accessed, remains unclear, as the company has yet to release specific figures.
Tech news outlet TechCrunch analysed the exposed datasets, comparing them against publicly accessible genealogy databases, and found considerable overlap between the leaked data and established genealogy records.
In the aftermath of the initial breach disclosure in October, the hackers advertised the alleged data of one million users of Ashkenazi Jewish descent and 100,000 Chinese users on a prominent hacking forum. This was followed by a further advertisement of the supposed records of four million more users. Intriguingly, TechCrunch found a precursor to these developments: a hacker had earlier advertised a staggering 300 terabytes of stolen 23andMe user data and sought up to $50 million for the lot.