
Personal genomics company 23andMe (office in Mountain View, California, pictured in October 2018) is currently dealing with the fallout of a credential stuffing attack that enabled hackers to access data from nearly half of its 14 million users. (Photo by Smith Collection/Gado/Getty Images)

Half of 23andMe Users Affected by Credential Stuffing Attack

Genetic testing company 23andMe is reeling from a massive data breach. Hackers were able to access personal information from about 6.9 million users—about half of the company’s customer base. Stolen data included old passwords, family trees, birth years, and geographic locations. DNA records were not affected, the company said.

The company launched an investigation in October after a threat actor claimed online to have users’ profile information. On 1 December, the company acknowledged in a filing with the U.S. Securities and Exchange Commission (SEC) that the hacker accessed 0.1 percent of its user accounts, but that the malicious actors were able to leverage that access to collect a broader swath of data. Through a function called DNA Relatives, any account can search for others who may be a genetic match, so a single compromised account could see data belonging to thousands of others.

One early batch of the stolen and scraped data was advertised on a hacking forum as a list of 999,999 people with Jewish ancestry, NBC News reported in October, which sparked concerns about targeted attacks in the current climate of anti-Semitism and hateful rhetoric during the Hamas-Israel war.

The biotechnology company itself was not hacked, but cybercriminals used previously exposed email and password details from around 14,000 individual accounts to gain access to the system, downloading data from those vulnerable accounts and scraping information from all other user accounts they could view across the website’s family trees, BBC News reported.
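The scraping described above is a volume problem: one logged-in account requesting far more relatives' profiles than a person browsing their family matches ever would. The following is an added example, not 23andMe's code, showing the two controls a defender would want around a feature like DNA Relatives: a detector that flags any account whose distinct profile views in a sliding window exceed a threshold, and a server-side quota that caps distinct profiles per account per day. The log format, account and profile identifiers, thresholds and quota size are all constructed for the example.

```python
"""Detecting and capping bulk harvesting of relative-matching profile data.

Added example, not 23andMe's code. It assumes an application event log of
"<ISO timestamp> <viewer account> <viewed profile>" written once per relative
profile view; the window, thresholds and quota are illustrative.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_views():
    """Constructed sample: one account walks 300 relatives' profiles in ten
    minutes, a normal user opens a dozen over the day."""
    base = datetime(2023, 10, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).strftime(FMT)} acct-scraper prof-{i:04d}"
             for i in range(300)]
    lines += [f"{(base + timedelta(hours=i)).strftime(FMT)} acct-normal prof-{9000 + i}"
              for i in range(12)]
    return "\n".join(lines)


def parse_views(text):
    views = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, viewer, target = line.split()
        views.append((datetime.strptime(ts, FMT), viewer, target))
    return sorted(views)


def detect_bulk_viewers(views, window=timedelta(hours=1), max_distinct=50):
    """Return {viewer: peak distinct profiles seen in any window} for viewers
    whose peak exceeds max_distinct. A sliding multiset keeps it linear."""
    by_viewer = defaultdict(list)
    for ts, viewer, target in views:
        by_viewer[viewer].append((ts, target))
    flagged = {}
    for viewer, rows in by_viewer.items():
        in_window = Counter()
        start = 0
        for ts, target in rows:
            in_window[target] += 1
            while ts - rows[start][0] > window:       # drop views older than the window
                old = rows[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_distinct:
                flagged[viewer] = max(flagged.get(viewer, 0), len(in_window))
    return flagged


class RelativeViewQuota:
    """Server-side cap: at most `limit` distinct relative profiles per account
    per period. Re-viewing a profile already counted is free, so normal use
    is not penalised while bulk enumeration is."""

    def __init__(self, limit=100, period=timedelta(days=1)):
        self.limit, self.period = limit, period
        self._recent = defaultdict(deque)   # account -> deque of (ts, profile)

    def allow(self, account, profile, now):
        q = self._recent[account]
        while q and now - q[0][0] > self.period:
            q.popleft()
        distinct = {p for _, p in q}
        if profile in distinct or len(distinct) < self.limit:
            q.append((now, profile))
            return True
        return False


def replay_quota(views, limit=100):
    """Replay the log through the quota; returns {account: (allowed, denied)}."""
    quota = RelativeViewQuota(limit=limit)
    counts = defaultdict(lambda: [0, 0])
    for ts, viewer, target in views:
        counts[viewer][0 if quota.allow(viewer, target, ts) else 1] += 1
    return {k: tuple(v) for k, v in counts.items()}


if __name__ == "__main__":
    views = parse_views(constructed_views())
    print("bulk viewers:", detect_bulk_viewers(views))
    print("quota replay:", replay_quota(views))
```

The detector is a retrospective control and tells an incident responder which accounts to look at; the quota is the preventive one, and it is the quota that limits how much a single stuffed account can expose, regardless of how the attacker got in.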

This type of attack is known as credential stuffing, in which attackers use credentials obtained from previous data breaches to attempt to log into other, unrelated services.

“Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too,” according to a description from the OWASP Foundation. Credential stuffing is one of the most common techniques used to take over accounts, especially when other security measures—such as two-factor authentication—are not in place.


According to 23andMe’s SEC filing, “The information accessed by the threat actor in the credential stuffed accounts varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics. Using this access to the credential stuffed accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online. We are working to remove this information from the public domain. As of the filing date of this Amendment [1 December 2023], the Company believes that the threat actor activity is contained.”

Following the breach, 23andMe forced all users to reset their passwords and began requiring two-factor authentication. Other ancestry tracing sites—including Ancestry and MyHeritage—also began promoting or requiring multi-factor authentication on their sites following the breach, WIRED reported.

Meanwhile, legal action is underway. A proposed class-action lawsuit has been filed in British Columbia, Canada, with thousands of Canadians seeking to join, lawyer Sage Nematollahi told Global News. The lawsuit alleges that 23andMe engaged in “willful, knowing, or reckless conduct” by not implementing and maintaining proper data retention and protection practices.

“As a result, they affirmatively exposed the highly sensitive and highly valuable customer data in their control, custody, or possession to unauthorized parties and cybercriminals,” the suit says.

Meanwhile, 23andMe is changing its terms of service related to dispute resolutions and arbitration to “encourage a prompt resolution of any disputes” and “streamline arbitration proceedings where multiple similar claims are filed.” Users can opt out of the new terms within 30 days of notification, WIRED noted.