{"id":55350,"date":"2024-02-16T14:53:21","date_gmt":"2024-02-16T14:53:21","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35547\/Hackers-Got-Nearly-7-Million-Peoples-Data-From-23andMe.html"},"modified":"2024-02-16T14:53:21","modified_gmt":"2024-02-16T14:53:21","slug":"hackers-got-nearly-7-million-peoples-data-from-23andme","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/hackers-got-nearly-7-million-peoples-data-from-23andme\/","title":{"rendered":"Hackers Got Nearly 7 Million People’s Data From 23andMe"},"content":{"rendered":"
<\/div>\n

T<\/span>hree years ago, a man in Florida named JL decided, on a whim, to send a tube of his spit to the genetic testing site 23andMe in exchange for an ancestry report. JL, like millions of other 23andMe participants before him, says he was often asked about his ethnicity and craved a deeper insight into his identity. He said he was surprised by the diversity of his test results, which showed he had some Ashkenazi Jewish heritage.<\/p>\n

JL said he didn\u2019t think much about the results until he learned of a huge breach at the company that exposed the data of nearly 7 million people<\/a>, about half of the company\u2019s customers. Worse, he later learned of a hacker going by the pseudonym \u201cGolem\u201d who had offered to sell the names, addresses and genetic heritage<\/a> reportedly belonging to 1 million 23andMe customers with similar Ashkenazi Jewish heritage on a shadowy dark web forum. Suddenly, JL worried his own flippant decision to catalog his genes could put him and his family at risk.<\/p>\n

<\/gu-island><\/figure>\n

\u201cI didn\u2019t know my family was going to potentially be a target,\u201d he said. \u201cI may have put my family and myself in danger for something I did out of curiosity more than anything.\u201d<\/p>\n

JL, who asked to only be identified by his initials due to the ongoing privacy issues, is one of two plaintiffs listed in a recent class-action lawsuit filed in California against 23andMe. Plaintiffs claim the company failed to adequately notify users of Jewish and Chinese heritage after they were allegedly targeted. The lawsuit claims hackers placed those users in \u201cspecially curated lists\u201d that could have been sold to individuals looking to do harm.<\/p>\n

23andMe has since confirmed hackers gained access to 14,000 user accounts over a span of five months last year, some of which revealed detailed, sensitive reports on users\u2019 health<\/a>. The company revealed details on the exact types of data stolen in its months-long breach in a January data breach notification letter sent<\/a> to California\u2019s attorney general earlier last month. Hackers accessed users\u2019 \u201cuninterrupted raw genotype data\u201d and other highly sensitive information, like health predisposition reports and carrier-status reports gleaned from the processing of a user\u2019s genetic information. Worse still, 23andMe confirmed the thieves also accessed other personal information from up to 5.5 million people who opted in to a feature that lets them find and connect with genetic relatives.<\/p>\n

23andMe only publicly acknowledged<\/a> the hackers\u2019 attacks after one user posted about the up-for-sale data on a 23andMe subreddit in early October. An investigation digging into the incident revealed hackers had actually been trying, sometimes successfully, to gain access since at least April 2023. The attacks had continued for nearly five months through the end of September. In an email sent to the Guardian, a 23andMe spokesperson said the company did not \u201cdetect a breach\u201d within 23andMe systems and instead attributed the incident to compromised recycled login credentials from certain users.<\/p>\n

A far larger subsection of users had other, potentially less sensitive data exposed through 23andMe\u2019s opt-in DNA relatives feature<\/a>, which automatically lets the company share data between other users on the platform who they may be related to. In other words, hackers who gained access to a user\u2019s account via the compromised passwords were also able to suck up data about potential relatives. The optional feature gives users insight into a variety of data points, including their relatives\u2019 name, their predicted relationship, and the percentage of DNA shared with matches. It can also include an individual ancestry report, matching DNA segments, and uploaded photos.<\/p>\n

Eli Wade-Scott, one of the attorneys representing JL in the class-action lawsuit, said these allegedly ethnicity-specific groupings could amount to a \u201chit list\u201d. Jay Edelson, another attorney representing those users, worried those lists of users could look attractive to terrorists looking to identify people of Jewish heritage. He also said Chinese intelligence agencies, which have a history of surveilling and intimidating dissidents abroad<\/a>, could use the data to target people critical of the government or even nation states.<\/p>\n