23andMe Data Breach Exposes Data of 6.9 Million Users
23andMe has confirmed that hackers gained unauthorized access to the personal information of 6.9 million users. Initially disclosed in early October, the breach impacted 0.1% of the company's customer base or approximately 14,000 individuals. However, further investigation by 23andMe uncovered a much larger scale of impact, affecting nearly half of the reported 14 million total users.
The breach was executed through a credential stuffing attack, a technique where hackers leverage account information obtained from other security breaches to gain access. The attackers targeted users who had opted into 23andMe's DNA Relatives feature, impacting around 5.5 million individuals. This feature enables automatic data sharing, including names, birth years, relationship labels, DNA sharing percentages, ancestry reports, and self-reported locations.
Another group of approximately 1.4 million users who had also opted into DNA Relatives had their Family Tree profile information accessed. This information includes display names, relationship labels, birth years, self-reported locations, and user decisions regarding information sharing.
23andMe did not disclose these specific numbers in its initial breach announcement. The company attributed the security incident to customers reusing passwords, allowing hackers to brute-force accounts using passwords known from other data breaches.
The breach came to light in October when a hacker claimed to have stolen DNA information from 23andMe users and advertised the data on a well-known hacking forum. The hacker provided proof by publishing alleged data of specific user groups, including one million users of Jewish Ashkenazi descent and 100,000 Chinese users, offering the data for sale at prices ranging from $1 to $10 per account. Subsequent advertisements by the same hacker claimed records of an additional four million people.
Further scrutiny by TechCrunch revealed that another hacker on a different forum had advertised stolen 23andMe customer data two months before the widely reported incident. Analysis of the leaked data indicated some overlap with genetic information published online by hobbyists and genealogists, suggesting the authenticity of at least a portion of the compromised data.
23andMe has initiated steps to address the situation, urging affected users to reset passwords and enforcing mandatory two-step verification for enhanced security. The company is also in the process of notifying impacted users as part of its ongoing response to the breach.