In a shocking revelation on Friday, genetic testing giant 23andMe disclosed that hackers compromised the personal data of 0.1% of its customer base, affecting approximately 14,000 individuals. However, the extent of the breach goes beyond this initial disclosure, with a staggering 6.9 million users falling victim to the unauthorized access of their sensitive information.
Initially downplayed, the breach expanded to impact a significant portion of 23andMe's user base, shedding light on a far-reaching compromise. Spokesperson Katie Watson confirmed that personal information of 5.5 million users who opted into the DNA Relatives feature was accessed. This feature, designed for automatic data sharing, exposed details such as names, birth years, relationship labels, DNA percentage shared with relatives, ancestry reports, and self-reported locations.
Another group of approximately 1.4 million users who also opted into DNA Relatives had their Family Tree profile information accessed. This included display names, relationship labels, birth years, self-reported locations, and the user's decision to share their information.
What remains unclear is why 23andMe chose not to disclose these alarming numbers in its initial announcement. With the revised figures, it's evident that the data breach affects nearly half of the reported 14 million customers.
In October, a hacker claimed responsibility for the breach, offering what was alleged to be data of 23andMe users on a prominent hacking forum. The stolen information covered one million users of Ashkenazi Jewish descent and 100,000 Chinese users. Two weeks later, the same hacker expanded their offering to an additional four million users on the same platform. 23andMe attributed the breach to customers reusing passwords, which enabled hackers to brute-force accounts using publicly known passwords from other data breaches, a technique known as credential stuffing.
The way 23andMe's DNA Relatives feature works amplified the breach's impact. Hacking into a single individual's account allowed access not only to their personal data but also to information about their relatives, multiplying the number of victims.
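
The pattern described in the two paragraphs above, as an added example that is not 23andMe's code: it flags login sources that try many usernames and mostly fail, lists the accounts that logged in from them, and counts every profile visible through those accounts' relative links. The log records, the sharing graph and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth log: (source_ip, username, login_succeeded)
LOGINS = [
    ("203.0.113.7", "alice", False), ("203.0.113.7", "bob", True),
    ("203.0.113.7", "carol", False), ("203.0.113.7", "dave", False),
    ("203.0.113.7", "erin", True), ("203.0.113.7", "frank", False),
    ("198.51.100.4", "grace", False), ("198.51.100.4", "grace", True),
    ("192.0.2.9", "heidi", True),
]

# Constructed sharing graph: opted-in account -> relatives whose profile it can view
RELATIVES = {
    "bob": {"grace", "heidi", "ivan"},
    "erin": {"ivan", "judy", "mallory"},
    "grace": {"bob"},
}

def stuffing_sources(logins, min_users=5, max_success_rate=0.5):
    """Flag IPs that try many distinct usernames and mostly fail (assumed thresholds)."""
    users, attempts, wins = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in logins:
        users[ip].add(user)
        attempts[ip] += 1
        wins[ip] += ok
    return {ip for ip in users
            if len(users[ip]) >= min_users
            and wins[ip] / attempts[ip] <= max_success_rate}

def taken_over(logins, sources):
    """Accounts with a successful login from a flagged source: reset these first."""
    return {user for ip, user, ok in logins if ok and ip in sources}

def exposed_profiles(compromised, relatives):
    """Profiles readable from the compromised accounts: their own plus their relatives'."""
    exposed = set(compromised)
    for account in compromised:
        exposed |= relatives.get(account, set())
    return exposed

if __name__ == "__main__":
    sources = stuffing_sources(LOGINS)
    accounts = taken_over(LOGINS, sources)
    print("flagged sources:", sorted(sources))
    print("accounts to reset:", sorted(accounts))
    print("profiles exposed:", sorted(exposed_profiles(accounts, RELATIVES)))
```

Two accounts taken over in the sample expose seven profiles, which is the same fan-out that turned roughly 14,000 compromised accounts into 6.9 million affected users.
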
As the repercussions of this breach continue to unfold, it serves as a stark reminder of the digital vulnerabilities we face in an interconnected world. The compromise of sensitive genetic information highlights the pressing need for enhanced cybersecurity measures, not only for individuals but also for companies entrusted with safeguarding our most personal data. In an era of rapid technological advancements, the responsibility to fortify digital defenses has never been more critical.