23andMe: Profiles of 6.9 million individuals hacked


Hackers have been able to gain access to personal information from about 6.9 million users of genetic testing company 23andMe, using customers’ old passwords.

In some cases this included family trees, birth years and geographic locations, the company said.

After weeks of speculation the firm has put a number on the breach, with more than half of its customers affected.

The stolen data does not include DNA records.

23andMe is a giant of the growing ancestor-tracing business. It offers genetic testing from DNA, with ancestry breakdown and personalised health insights.

The biotechnology company, which is based in South San Francisco, was not hacked itself but cyber-criminals logged into about 14,000 individual accounts, or 0.1% of customers, by using email and password details previously exposed in other hacks.

The company said that by accessing those accounts, hackers were able to access “a significant number of files containing profile information about other users’ ancestry”.

The criminals downloaded not just the data from those accounts but the private information of all other users they had links to across the sprawling family trees on the website.

The stolen data includes information like names, how each person is linked and in some cases birth years, locations, pictures, addresses and the percentage of DNA shared with relatives.

Also, hackers were able to access the family tree profile information of about 1.4 million other customers participating in the DNA Relatives feature, including display names and relationship labels.

One batch of data was advertised on a hacking forum as a list of people with Jewish ancestry, sparking concerns of targeted attacks.

But there is currently no evidence that any of the datasets being advertised have had any buyers or that they have been used by criminals.

Oz Alashe, CEO of CybSafe, a risk management platform, said that the data breach at 23andMe “emphasises the importance of improving cyber-security behaviours in the general population”.

“Poorly secured accounts, with weak passwords and no two-factor authentication, put all those sharing their sensitive data at risk,” he said.

23andMe said it was now telling all affected customers, as required by law. The firm will be forcing customers to change their passwords and improve their account security.