More details are emerging about a data breach first reported by genetic testing company 23andMe in October. But as the company releases more information, the situation is becoming murkier, creating more uncertainty for users trying to understand the fallout.
23andMe said in early October that attackers had infiltrated some of its users’ accounts and used that access to scrape personal data from a larger subset of users through the company’s opt-in social sharing service, known as DNA Relatives. At the time, the company didn’t say how many users were affected, but hackers had already begun selling data on criminal forums that appeared to have been taken from at least a million 23andMe users, if not more. In a filing with the US Securities and Exchange Commission on Friday, the company said that “the threat actor was able to access a very small percentage (0.1%) of user accounts”, or about 14,000 given the company’s recent estimate that it has more than 14 million customers.
Fourteen thousand is a lot of people, but the figure doesn’t include users affected by the attacker’s data scraping from DNA Relatives. The SEC filing simply noted that the incident also affected “a significant number of files containing profile information about the ancestry of other users”.
On Monday, 23andMe confirmed to TechCrunch that the attackers had collected the personal information of approximately 5.5 million people who had signed up for DNA Relatives, as well as information from an additional 1.4 million DNA Relatives users whose “family tree profile information was accessed”. 23andMe subsequently shared this expanded information with WIRED.
From the group of 5.5 million people, the hackers stole display names, last login, relationship labels, predicted relationships, and percentage of DNA shared with DNA Relatives matches. In some cases, this group also had other data compromised, including ancestry reports and details of where on their chromosomes they and their relatives had matching DNA, self-reported locations, ancestral birthplaces, family names, profile pictures, birth years, links to self-created family trees and other profile information. The smaller (but still massive) subset of 1.4 million affected DNA Relatives users all had data compromised from the “Family Tree” profile feature mentioned above. The stolen data included display names and relationship labels, and in some cases birth years and self-reported location information.
Asked why this expanded information wasn’t included in the SEC filing, 23andMe spokeswoman Katie Watson told WIRED: “We’re simply elaborating on the information included in the SEC filing by providing more specific numbers.”
23andMe has claimed that attackers used a technique known as credential stuffing to compromise the 14,000 user accounts – finding instances where leaked credentials from other services were reused on 23andMe. In the wake of the incident, the company forced all users to reset their passwords and began requiring two-factor authentication for all customers. In the weeks after 23andMe first disclosed its breach, other similar services, including Ancestry and MyHeritage, also began promoting or requiring two-factor authentication for their accounts.
However, in October and again this week, WIRED pressed 23andMe on its determination that the user account compromises were solely due to credential stuffing attacks. The company has repeatedly declined to comment, but several users have noted that they are certain their 23andMe account usernames and passwords were unique and could not have been exposed elsewhere in another leak.
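As an added illustration (not 23andMe's code or data), this is the kind of check a defender runs over authentication logs to tell credential stuffing apart from ordinary failed logins: one source address cycling through many distinct usernames with a low success rate, versus one user retrying their own password. The log format, thresholds and sample lines are all constructed.

```python
from collections import defaultdict

# Constructed sample authentication log lines (format is an assumption).
SAMPLE_LOG = """\
2023-10-01T10:00:01 ip=198.51.100.7 user=alice@example.com result=fail
2023-10-01T10:00:02 ip=198.51.100.7 user=bob@example.com result=fail
2023-10-01T10:00:03 ip=198.51.100.7 user=carol@example.com result=success
2023-10-01T10:00:04 ip=198.51.100.7 user=dave@example.com result=fail
2023-10-01T10:00:05 ip=198.51.100.7 user=erin@example.com result=fail
2023-10-01T10:00:06 ip=198.51.100.7 user=frank@example.com result=fail
2023-10-01T10:05:00 ip=203.0.113.9 user=alice@example.com result=fail
2023-10-01T10:05:10 ip=203.0.113.9 user=alice@example.com result=success
2023-10-01T11:00:00 ip=192.0.2.44 user=grace@example.com result=success
"""


def parse_log(text):
    """Turn 'key=value' log lines into (ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        events.append((fields["ip"], fields["user"], fields["result"]))
    return events


def detect_credential_stuffing(events, min_distinct_users=5, max_success_rate=0.5):
    """Flag source IPs that tried many distinct usernames with mostly failures.

    Returns {ip: sorted usernames that were successfully logged in from it},
    i.e. the accounts a defender should force-reset and review first.
    A single user retrying their own password (203.0.113.9) is not flagged.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, result in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        if result == "success":
            rec["hits"].add(user)
    flagged = {}
    for ip, rec in per_ip.items():
        success_rate = len(rec["hits"]) / rec["attempts"]
        if len(rec["users"]) >= min_distinct_users and success_rate <= max_success_rate:
            flagged[ip] = sorted(rec["hits"])
    return flagged


if __name__ == "__main__":
    print(detect_credential_stuffing(parse_log(SAMPLE_LOG)))
```

Thresholds this crude will miss stuffing spread across many addresses; in practice the same counting is done per ASN or per user-agent fingerprint as well as per IP.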
In at least one instance, however, 23andMe eventually provided the user with an explanation. On Tuesday, US National Security Agency cybersecurity director Rob Joyce noted on his personal X (formerly Twitter) account: “They’re disclosing the credential stuffing attacks, but they’re not saying how the accounts were targeted for stuffing. This was unique and not an account that could be scraped from the web or other sites”. Joyce wrote that he creates a unique email address for each company he uses to create an account.
While Joyce used a unique email address for his 23andMe account, the company partnered with MyHeritage in 2014 and 2015 to improve the DNA Relatives “family tree” feature, which Joyce said he subsequently used. Then, separately, MyHeritage suffered a data breach in 2018, which apparently exposed Joyce’s unique 23andMe email address. He adds that because he uses strong, unique passwords on both his MyHeritage and 23andMe accounts, neither has ever been successfully compromised by attackers.
The anecdote underscores the stakes of sharing user data between companies and software features that encourage social sharing when the information involved is deeply personal and directly related to identity. It may be that the larger number of affected users was not included in the SEC report because 23andMe (like many companies that have suffered security breaches) does not want to include scraped data in the category of breached data. However, these distinctions ultimately make it difficult for users to understand the scope and impact of security incidents.
“I firmly believe that cyber insecurity is fundamentally a policy problem,” says Brett Callow, threat analyst at security firm Emsisoft. “We need standardised and uniform disclosure and reporting laws, prescribed language for those disclosures and reports, regulation and licensing of actors. Far too much happens in the shadows or is obscured by weasel words. It’s counterproductive and only helps the cybercriminals”.
Meanwhile, apparent 23andMe user Kendra Fee pointed out on Tuesday that 23andMe is notifying customers of changes to its terms of service regarding dispute resolution and arbitration. The company says the changes will “encourage the prompt resolution of any disputes” and “streamline arbitration proceedings when multiple similar claims are filed”. Users can opt out of the new terms by notifying the company within 30 days of receiving notice of the change.