In October we reported that the data of as many as seven million 23andMe customers were for sale on criminal forums following a password attack against the genomics company.
Now, a filing with the US Securities and Exchange Commission (SEC) has provided some more insight into the data theft. The filed amendment supplements the original Form 8-K submitted by 23andMe.
The amendment says that an investigation showed that the attacker was able to directly access the accounts of roughly 0.1% of 23andMe’s users, which is about 14,000 of its 14 million customers. The attacker accessed the accounts using credential stuffing which is where someone tries existing username and password combinations to see if they can log in to a service. These combinations are usually stolen from another breach and then put up for sale on the dark web. Because people often reuse passwords across accounts, cybercriminals buy those combinations and then use them to login on other services and platforms.
With the breached accounts at their disposal, the attacker used 23andMe’s opt-in DNA Relatives (DNAR) feature—which matches users with their genetic relatives—to access information about millions of other users. According to a spokesperson the DNAR profiles of roughly 5.5 million customers could be accessed in this way, plus the Family Tree profile information of 1.4 million additional DNA Relative participants.
The 5.5 million DNAR Profiles contained sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships, and ancestry reports. ..
Support the originator by clicking the read the rest link below.
