In October of 2023, a hacker tapped into the network of 23andMe and leaked 14 million pieces of data. The hacker used previously leaked username and password combinations to get into user’s accounts. They then used the user’s DNA Relatives feature to find other users and compile information about them. The DNA Relatives feature allows users to see their relative’s basic profile information. With this, they found little amounts of information to figure out the passwords of the users. Most of the information gathered was about users who are Jewish. The hackers posted in an online discussion that they were willing to sell the information about the user’s location, names, ethnicities, and other private information. They specifically were interested in selling the Jewish user’s information.
They also found other databases that contained information about users of other ethnicities. On one database, there was information about 1 million users of Ashkenazi heritage. Another contained 300,000 users of Chinese heritage. The hackers contained information about these users that included things like account numbers, birth year, data on whether or not each user has opted into 23andme’s health data, and more sensitive information. Sharing the account numbers of users allows people who know the ID number to view the user’s profile containing the user’s photo, name, birth year, and location.
The CEO of 23andMe put out a statement on Friday the 20th, stating that they were aware of the breach 2 months earlier, but never revealed the information to the public. They confirmed in an email that the private information of some of their users was up for sale. They claimed that there is no evidence that the leak came inside the 23andMe systems. They said that the hackers most likely used a technique called “credential stuffing”. Credential stuffing is when hackers use password and username combinations from other sites and plug it into other sites to try and obtain personal information.
The company started working with digital forensic experts and law enforcement to decide what to do about the situation. The company has since required all of their users to change their password to continue to try and keep users’ private information safe. Since the leak, 23andMe has closed 1% of their stocks. Users have been removing their private information from the website to ensure that their information will not be sold to the public. The hackers have not been found yet.
To ensure that this does not happen to us some things we can do is use unique passwords and set up two-factor authorization. If a hacker discovers your password on another site, they will not be able to access your accounts on others. Two-factor authorization will further help to ensure that your private information remains private. This will ensure that you are the one logging into your account and not a hacker.