December 9, 2023

The 23andMe data breach explained

NetworkTigers discusses what happened with the 23andMe data breach.

Millions of people use the 23andMe service to find distant relatives, research their heritage, or explore their genetic health data. A whopping 6.9 million people were affected by the company’s data breach reported in October 2023. According to a filing on Friday with the US Securities and Exchange Commission, hackers have been selling sensitive genetic and health information sourced from 23andMe on criminal forums. Here is a roundup of what we know, how the hack occurred, and how to protect your health and DNA information online. 

What do we know about the 23andMe data breach?

23andMe currently has 14 million users who have submitted their DNA information to the platform, creating profiles that share their locations, names, photos, certain health information, and possible ancestors within the database. Users also have the option to utilize sharing features on the platform to find distant relatives, create family trees, and use social networking features.

In October, it was revealed that roughly 14,000 user accounts, or just under 0.1% of total 23andMe users, were compromised by threat actors who have since listed personal information, including health records, for sale on the dark web. However, due to the interconnected nature of 23andMe data, more users than those whose accounts were breached may also be affected by this hack. An additional 5.5 million users may have had their information “scraped” (affected or partially accessed but not directly breached) through the company’s DNA Relatives feature. A further 1.4 million accounts may have also been compromised through Family Tree profiles linked to the initial hacked users.

The October 23andMe hack is expected to cost the company anywhere from $1 million to $2 million in expenses associated with the data breach. 

What kind of information is at risk from the 23andMe hack?

The following information may have been accessed, shared, or sold in the 23andMe data breach: 

  • Full names
  • Email addresses
  • Gender
  • Date of birth
  • Profile photos
  • Shared location information
  • Genetic profiles and matching DNA
  • Genetic predispositions such as asthma, anxiety, high blood pressure, macular degeneration, and more
  • Ancestor birth location
  • Family names
  • Family trees
  • DNA Relatives Profiles, including information such as display name, predicted relationships, and percentage of DNA shared with possible matches

How did the 23andMe hack happen?

Representatives from 23andMe have reported that the hack was due to credential stuffing, a typical brute-force attack against accounts without two-factor authentication. Credential stuffing involves trying stolen usernames and passwords against different services in an attempt to find a reused combination. Those who reuse their credentials, especially passwords, across multiple platforms are particularly at risk for credential-stuffing hacks. Approximately 49% of reported breaches are linked to stolen credentials, according to the 2023 Verizon Data Breach Investigations Report.
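On the service side, credential stuffing leaves a recognizable shape in login logs: one source touching many accounts with only a try or two each. The Python sketch below is an added example, not code from 23andMe or NetworkTigers; the log format, addresses, usernames, and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth log, one event per line: "timestamp source_ip username result".
# Every address and username is invented for this example.
SAMPLE_LOG = "\n".join(
    [f"2023-10-01T10:00:0{i}Z 198.51.100.7 user{i}@example.com "
     f"{'OK' if i == 4 else 'FAIL'}" for i in range(6)]
    + [f"2023-10-01T10:05:0{i}Z 203.0.113.9 bob@example.com FAIL" for i in range(6)]
    + ["2023-10-01T10:09:00Z 192.0.2.44 carol@example.com FAIL",
       "2023-10-01T10:09:20Z 192.0.2.44 carol@example.com OK",
       "malformed line"]
)

def parse(log):
    """Yield (ip, username, succeeded) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"

def classify_sources(log, min_users=5, max_tries_per_user=2, min_attempts=5):
    """Label each source IP by the shape of its login attempts.

    credential_stuffing: many distinct usernames, a try or two each
                         (one leaked password per account).
    password_guessing:   many tries concentrated on the same username.
    Thresholds are illustrative assumptions, not tuned values.
    """
    tries = defaultdict(lambda: defaultdict(int))  # ip -> username -> attempts
    hits = defaultdict(set)                        # ip -> usernames that logged in
    for ip, user, ok in parse(log):
        tries[ip][user] += 1
        if ok:
            hits[ip].add(user)
    report = {}
    for ip, per_user in tries.items():
        total = sum(per_user.values())
        busiest = max(per_user.values())
        if len(per_user) >= min_users and busiest <= max_tries_per_user:
            label = "credential_stuffing"
        elif total >= min_attempts and busiest > max_tries_per_user:
            label = "password_guessing"
        else:
            label = "normal"
        # Successful logins from a flagged source need a forced reset.
        flagged = sorted(hits[ip]) if label != "normal" else []
        report[ip] = {"label": label, "accounts_to_reset": flagged}
    return report

if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
```

Grouping by source IP alone misses attempts spread across many addresses, so production detection usually also groups by network, client fingerprint, or overall failure ratio.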

Understanding the risks of the 23andMe hack

Medical records are valued as highly on the dark web as credit card information and Social Security numbers. In some cases, they may be worth even more. Health records can be used in multiple ways to exploit people. Cybercriminals may utilize health information for in-depth or long-term identity theft, such as tax fraud, home equity fraud, and medical coverage theft. In other cases, sensitive information such as genetic predispositions, sexually transmitted diseases, or terminal illnesses is leveraged for direct payments from individuals in cases of blackmail. While discrimination based on genetic data is illegal for employers and health insurance providers under the 2008 Genetic Information Nondiscrimination Act, the law provides loopholes for other entities such as life insurance companies and disability insurers. This is another reason users may not want details about their genetic makeup widely available to cybercriminals and users on the dark web.

Finally, health information cannot be changed, unlike other identifying information, such as bank account numbers, direct deposit information, and addresses. The finite nature of health data, as well as the personal connection that it carries, makes it an exceptionally lucrative target for hackers. 

The context for the 23andMe hack

According to the Department of Health and Human Services, in the first ten months of 2023 alone, a quarter of Americans, or nearly 88 million people, have had their medical data exposed through leaks and hacks. This represents a 60% increase from last year. However, over the previous four years, there have also been drastic increases in health information targeting. Since 2020, there has been a whopping 239% increase in large data breaches involving health information and a closely correlated 278% rise in ransomware. Attacks on hospitals, laboratories, and genetic testing services are becoming increasingly common, leaving many to wonder what they can do to protect their privacy better. 

Who may be at risk from the 23andMe hack 

Those of Ashkenazi Jewish descent, as well as Chinese descent, may be more at risk of having their information accessed through the 23andMe hack. Bad actors have been posting online since August 2023 that up to 300 terabytes of 23andMe data had been stolen. Those reports claim that the complete sets of data include 1 million data points about users with Ashkenazi Jewish heritage and data attached to up to 100,000 Chinese users. Representatives from 23andMe confirmed to the Washington Post that this would include users with only 1% Ashkenazi Jewish heritage. 

How to know if your data was part of the 23andMe hack

The company has reported that they will continue to reach out to directly impacted customers via email. Doing so is required by law in all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. 

If you haven’t received an email, you may still be uneasy about leaving your data in the hands of 23andMe. You might also wonder if you have been part of the subset of customers whose data was scraped instead of directly breached. These customers do not have to be notified directly by the company. However, there are several steps you can take to ensure that your data is as secure as possible in the aftermath of the situation. 

What to do if you think you were hacked as part of the 23andMe data leak

  1. Change your password. Using a unique password (one not used on any other platform) is the best way to ensure that your account is guarded against credential-stuffing efforts and other brute-force attacks.
  2. Enable two-factor authentication. As of November 6, 2023, 23andMe requires all users to enable 2-step verification to access their accounts. 
  3. Consider temporarily disabling the DNA Relatives function on your account, or at least change your display name to something that does not identify you directly, such as your initials. 
  4. Download your data, such as Reports Summary, Wellness Reports, Ancestry Reports, and Traits Reports from your 23andMe profile. Doing so gives you the freedom to consider deleting your profile if you feel uncomfortable having your information linked to your online account in the future. 

Your health data is valuable information, both to you and to cybercriminals. Taking steps to safeguard it online is more important than ever as it becomes an especially lucrative target for hackers. The 23andMe data breach reveals how important it is to use distinct passwords and enable multi-factor authentication, as well as for companies to be honest with users about the extent of their investment in cybersecurity. Sensitive health and genetic information should never fall into the hands of criminals because of a lack of care and attention to cybersecurity. 

Gabrielle West
Gabrielle West is an experienced tech and travel writer currently based in New York City. Her work has appeared on Ladders, Ultrahuman, and more.
