23andMe, a leading genetic testing service providing insights into ancestry, health risks, and genetic traits, finds itself knee-deep in a privacy scandal of significant proportions. The deeply personal nature of the data collected by the service has made it a prime target for a data breach. Here’s what transpired and the fallout that follows.
On October 4th, an alarming post was made on BreachForums, a notorious black-hat hacking forum. A user offered an array of confidential 23andMe data for sale, including “tailored ethnic groupings, individualized data sets, pinpointed origin estimations, haplogroup details, phenotype information, photographs, links to hundreds of potential relatives, and most crucially raw data profiles” derived from 23andMe genetic results.
The user priced the 23andMe data ranging from $1 to $10 per profile, and the information included names, sex, date of birth, genetic ancestry results, profile photos, and geographical locations. Given the sensitivity of this data, it’s highly sought after on the black market, presenting a lucrative opportunity for identity thieves.
While the exact scale of the breach is yet to be confirmed, BreachForums users claim to have acquired data for potentially half of 23andMe’s user base. 23andMe has over 14 million customers worldwide, and the hackers have been selling batches of 100,000 accounts, so over 7 million individuals could be affected.
To back up the authenticity of the stolen data, the hackers initially uploaded a sample comprising 1 million data points focused on individuals of Ashkenazi Jewish heritage and hundreds of thousands of users of Chinese descent.
Response from 23andMe:
In response to the breach, 23andMe issued a press release stating:
“After learning of suspicious activity, we immediately began an investigation. While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked…
We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.”
The company reiterated that its own databases remained uncompromised. Instead, the breach was attributed to individual user accounts taken over through a credential stuffing attack. This technique exploits the habit of password reuse: an attacker takes username/password pairs leaked from a previously hacked site and replays them against another service’s login page, gaining access to every account whose owner reused the same credentials.
The hackers claimed that data from high-profile individuals, including Elon Musk, Mark Zuckerberg, and Sergey Brin, was up for sale. 23andMe verified that the stolen data was indeed genuine customer data but did not comment on the data of the famous people. 23andMe further explained that the stolen information was compiled without users’ authorization, saying:
“We recently learned that certain 23andMe customer profile information that they opted into sharing through our DNA Relatives feature, was compiled from individual 23andMe.com accounts without the account users’ authorization.”
DNA Relatives Feature and Its Vulnerabilities:
The DNA Relatives feature enables users to connect with others with genetic similarities and learn more about their genetic matches. It shares information like relationship labels, predicted relationships, ancestry reports, matching DNA segments, location, and more. Users can choose to enhance their profiles by providing additional information.
Hackers took advantage of this feature after gaining unauthorized access to accounts via credential stuffing. The incident therefore falls somewhere between a breach and a scrape: nothing was pulled directly from 23andMe’s databases, but once inside a compromised account the attackers could read, and compile in bulk, the DNA Relatives information that the account’s genetic matches had opted to share.
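The two patterns described above, credential stuffing against the login endpoint and bulk reading of DNA Relatives data from inside a compromised account, both leave a recognisable footprint in ordinary application logs. The following is an added example written for this article, not 23andMe’s code; the log format, the event names (`login`, `relatives_fetch`), the field names and the thresholds are all assumptions, and the log lines are constructed sample data. It flags source IPs that attempt many distinct usernames with a high failure rate (a legitimate user mistyping their own password only ever hits one username), and accounts whose relatives-profile reads exceed a per-account ceiling.

```python
from collections import defaultdict

# Constructed sample log lines (not real data). The format is an assumption
# for this example:  <timestamp> <event> key=value key=value ...
SAMPLE_LOGS = """\
2023-10-01T02:00:01Z login ip=203.0.113.7 user=u1001 status=fail
2023-10-01T02:00:02Z login ip=203.0.113.7 user=u1002 status=fail
2023-10-01T02:00:03Z login ip=203.0.113.7 user=u1003 status=fail
2023-10-01T02:00:04Z login ip=203.0.113.7 user=u1004 status=fail
2023-10-01T02:00:05Z login ip=203.0.113.7 user=u1005 status=fail
2023-10-01T02:00:06Z login ip=203.0.113.7 user=u1006 status=ok
2023-10-01T02:01:00Z relatives_fetch ip=203.0.113.7 user=u1006 profiles=200
2023-10-01T02:01:30Z relatives_fetch ip=203.0.113.7 user=u1006 profiles=200
2023-10-01T02:02:00Z relatives_fetch ip=203.0.113.7 user=u1006 profiles=150
2023-10-01T08:15:00Z login ip=198.51.100.20 user=u2001 status=fail
2023-10-01T08:15:20Z login ip=198.51.100.20 user=u2001 status=fail
2023-10-01T08:15:45Z login ip=198.51.100.20 user=u2001 status=ok
2023-10-01T08:16:00Z relatives_fetch ip=198.51.100.20 user=u2001 profiles=40
"""


def parse_line(line):
    """Split one log line into a dict of timestamp, event and key=value fields."""
    ts, event, *kvs = line.split()
    rec = {"ts": ts, "event": event}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_credential_stuffing(events, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many different usernames with mostly failures.

    A user retrying their own password hits a single username, so the
    distinct-user count per IP is what separates stuffing from a typo.
    Successful logins from a flagged IP are the accounts to review first.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "successes": []})
    for e in events:
        if e["event"] != "login":
            continue
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        if e["status"] == "fail":
            stats["failures"] += 1
        else:
            stats["successes"].append(e["user"])

    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["failures"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised_candidates": sorted(stats["successes"]),
            }
    return flagged


def detect_bulk_relative_access(events, max_profiles=100):
    """Flag accounts whose DNA Relatives reads exceed a per-account ceiling.

    Browsing a handful of matches is normal; pulling hundreds of relatives'
    profiles in minutes is the compile-in-bulk behaviour described above.
    """
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "relatives_fetch":
            totals[e["user"]] += int(e["profiles"])
    return {user: n for user, n in totals.items() if n > max_profiles}


def run(text=SAMPLE_LOGS):
    """Run both detectors over a log text; returns (stuffing_hits, scrape_hits)."""
    events = parse_logs(text)
    return detect_credential_stuffing(events), detect_bulk_relative_access(events)


if __name__ == "__main__":
    stuffing, scraping = run()
    print("credential stuffing sources:", stuffing)
    print("bulk DNA Relatives readers:", scraping)
```

In the sample, the IP hitting six different usernames is flagged with the one account it did get into, and that same account is then flagged for reading 550 relatives' profiles in two minutes, while the ordinary user who fumbled their password three times and looked at 40 matches trips neither rule. In production the thresholds would be tuned per site and the per-IP window bounded in time, and the second detector is the one that matters most here: it catches the scrape even when the login itself looked legitimate.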
The Class Action Lawsuit:
On October 9th, Monica Santana and Paul Kleynburd initiated a proposed class action lawsuit against 23andMe. They allege that the biotech company failed to adequately protect and manage personal information, leading to the breach.
They claim that victims of this breach now face heightened risks of fraud and identity theft, suffering damages in various forms, including invasion of privacy, loss of time and out-of-pocket expenses, diminished value of personal information, and lost benefit of the bargain with 23andMe.
The lawsuit seeks to represent all individuals whose personal information was exposed in the breach and includes:
- Claims of negligence.
- Breach of implied contract.
- Invasion of privacy/intrusion upon seclusion.
- Unjust enrichment.
- Declaratory judgment.
The plaintiffs are seeking various forms of compensation, including damages, credit monitoring, and legal fees.
This story is still evolving.