A hot potato: Back in October, genomics specialist 23andMe disclosed a security incident in which hackers had obtained information from some user accounts. The admission seemed to downplay the breach, and only now are we learning additional details about the incident.
Late last week in a filing with the US Securities and Exchange Commission, 23andMe said it determined that the threat actor in the incident was only able to access a very small percentage (0.1 percent) of user accounts in certain circumstances. As TechCrunch highlights, the company said it had more than 14 million customers worldwide in an earnings report from May, meaning 0.1 percent would be around 14,000 impacted accounts.
Over the weekend, 23andMe spokesperson Katie Watson told TechCrunch that hackers had accessed information on roughly 5.5 million people who had opted into the company’s DNA Relatives feature. Compromised data reportedly included names, birth years, how much DNA a user shared with relatives, ancestry reports, and more. The rep additionally mentioned another group of about 1.4 million users who also had their family tree profile data accessed.
Given the updated figures, roughly half of 23andMe’s user base was seemingly touched by the intruder.
TechCrunch noted that some information in its exchange with 23andMe was deemed “on background,” which has to do with how information between a reporter and a source is shared. TC said it was given no opportunity to reject 23andMe’s terms, so it went ahead and published the information. TC also wondered out loud why 23andMe didn’t share these numbers in the SEC filing.
In October, 23andMe said it believed hackers were able to access some accounts in instances where users recycled login credentials from other sites that had previously been hacked, a technique known as credential stuffing.
The 23andMe hack is yet another cautionary web security tale, and one that might have higher stakes given the type of data involved. Genetic data just feels like something you don’t want to fall into the wrong hands.