Millions of 23andMe data records published on hacking forums

The data breach

In a series of escalating events, the genetic testing company, 23andMe, has witnessed the unauthorized dissemination of millions of its users' genetic profiles on hacking forums. At the epicenter of these breaches is a hacker identified by the pseudonym “Golem”.[1] With the latest data exposure, the total number of compromised profiles has surged past 4 million, revealing the magnitude and severity of this cybersecurity lapse.

The initial data leak spotlighted the information of 1 million Ashkenazi Jews who sought ancestry details and genetic predispositions from 23andMe.[2] However, this was merely the beginning. Subsequently, an additional 4.1 million profiles from individuals mainly in Great Britain and Germany were laid bare on cybercrime platforms. The most recent of these breaches divulged data of 4,011,607 users from Great Britain along with 139,172 from Germany.

Adding to the intrigue, Golem has made significant claims about the content of the data, suggesting the inclusion of genetic details from prominent entities such as members of the royal family, the Rothschilds, and the Rockefellers. Such assertions, while making headlines, remain uncorroborated.

The scope of the breach is still being speculated upon

23andMe's analysis points to credential stuffing attacks as the primary method behind the unauthorized data access. In such attacks, malefactors take username or email and password pairs that were exposed in other, unrelated data breaches and try them against the target service, relying on users having reused the same password. Providing some assurance to its user base, the company has declared that its IT infrastructure remains uncompromised and shows no signs of a direct breach.

Yet, an inherent feature within the 23andMe platform amplified the extent of data accessible during the breach. The “DNA Relatives” feature,[3] designed to connect users with potential genetic relations, became an unforeseen liability. Even when only a single account was compromised, the feature's opt-in sharing let the hacker scrape and collect data from the many other users who had matched with that account.

While 23andMe's internal evaluations and external communications lean towards credential stuffing as the main technique employed, the broader cybersecurity community continues to speculate. There's a prevailing uncertainty about the comprehensive extent of stolen data and the true motives driving the hacker. 23andMe also urged users to enable multi-factor authentication and change their passwords upon the initial breach discovery.[4]
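As an added illustration (not from the original article or from 23andMe), a defender-side check that looks for the two patterns described above in constructed authentication and activity events: one source address trying many different accounts with a low success rate, and a single logged-in account pulling far more DNA Relatives profiles than ordinary use would produce. The event format, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample auth/activity events (not real 23andMe logs): (src_ip, user, action, result)
EVENTS = [
    ("203.0.113.7", "alice@example.com", "login", "fail"),
    ("203.0.113.7", "bob@example.com", "login", "fail"),
    ("203.0.113.7", "carol@example.com", "login", "ok"),
    ("203.0.113.7", "dave@example.com", "login", "fail"),
    ("203.0.113.7", "erin@example.com", "login", "fail"),
    ("203.0.113.7", "frank@example.com", "login", "fail"),
    ("198.51.100.4", "grace@example.com", "login", "fail"),
    ("198.51.100.4", "grace@example.com", "login", "ok"),
    ("198.51.100.4", "grace@example.com", "view_relative", "ok"),
    ("198.51.100.4", "grace@example.com", "view_relative", "ok"),
]
# The one account that was guessed is then used to walk its relative list: 60 views in a row.
EVENTS += [("203.0.113.7", "carol@example.com", "view_relative", "ok")] * 60

def credential_stuffing_sources(events, min_users=5, max_success_ratio=0.3):
    """Flag source IPs that try many distinct usernames and mostly fail.

    A user mistyping a password retries the same account; a stuffing tool cycles
    through a leaked list, so one IP touches many accounts with a low hit rate.
    Returns {ip: (distinct_users, attempts, successes)}.
    """
    stats = defaultdict(lambda: [set(), 0, 0])  # per IP: users, attempts, successes
    for ip, user, action, result in events:
        if action != "login":
            continue
        stats[ip][0].add(user)
        stats[ip][1] += 1
        stats[ip][2] += 1 if result == "ok" else 0
    return {
        ip: (len(users), attempts, ok)
        for ip, (users, attempts, ok) in stats.items()
        if len(users) >= min_users and ok / attempts <= max_success_ratio
    }

def relative_scrapers(events, max_views=50):
    """Flag accounts whose DNA Relatives profile views exceed a per-account ceiling.

    One stolen login should not be able to harvest other users' profiles in bulk;
    a simple per-account view counter is a cheap signal that the feature is being scraped.
    """
    views = defaultdict(int)
    for _ip, user, action, _result in events:
        if action == "view_relative":
            views[user] += 1
    return {user: n for user, n in views.items() if n > max_views}
```

In production the same logic would run over a sliding time window and alongside rate limits on the relatives endpoint, rather than over a static list.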

Actions, repercussions, and broader impacts

Reacting to the emerging crisis, 23andMe was swift to prompt its vast user base to update their passwords and advocated strongly for the implementation of multi-factor authentication. Their strategic response also incorporated the initiation of an exhaustive investigation, with third-party forensic specialists roped in for an in-depth analysis.

However, as 23andMe navigated the crisis, they didn't shy away from directing a portion of the blame towards their users. Emphasizing the risks of password reuse and lax security practices, the company underlined the vulnerabilities exploited by the hackers. They also spotlighted the potential pitfalls of their DNA Relatives feature, detailing how it inadvertently expanded the hacker's reach.

Beyond the immediate security concerns, this breach's repercussions echo in legal corridors. Multiple lawsuits have emerged against 23andMe,[5] with plaintiffs asserting that the company was remiss in its duty to protect user data and failed to offer clear communication during the breach's aftermath. Given the intrinsic sensitivity of genetic information, the concerns and grievances are magnified, emphasizing the need for fortified cybersecurity and vigilant user practices in our digitized era.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
