Two months after hackers offered stolen DNA profiles for sale on the infamous hacking site BreachForums, genetic testing company 23andMe Holding Co. has finally provided details of the hack via a regulatory filing.

In an amendment filing with the U.S. Securities and Exchange Commission on Friday, 23andMe said that after becoming aware of a threat actor posting online and claiming to have 23andMe user profile information on Oct. 1, it immediately commenced an investigation and hired third-party incident response experts to assist.

The investigation eventually determined that a threat actor accessed the accounts of 0.1% of the company’s global customer base, about 14,000 user accounts. Those accounts were found to have been accessed through a credential-stuffing attack, which involves hackers using compromised usernames and passwords from other hacks to gain access where users have used the same username and password across multiple sites.

The 14,000 compromised accounts do not sound significant in the larger scheme of things, but what the hackers did with that access is where it gets interesting. Using the access, “the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting into 23andMe’s DNA Relatives feature and posted certain information online,” 23andMe said in the SEC filing. 

According to Malwarebytes Labs, the access to the accounts gave the attackers access to roughly 5.5 million DNA Relative profiles and access to Family Tree profile information of 1.4 million additional DNA Relative participants.

DNA Relative profiles include self-reported information such as display names and locations and shared DNA percentages for DNAR matches, family names, predicted relationships and ancestry reports. Family Tree profiles contain display names, relationship labels and other information a user may have added, including birth year and location.

23andMe added in the filing that it is in the process of notifying users impacted by the stolen data as required by law and that it has taken further steps to protect user data. Those steps include resetting all user passwords and, from Nov. 6, requiring users to use two-factor authentication to log in.

“The recent breach at 23andMe is a sobering reminder of the sensitivity of genetic data and the need for robust cybersecurity measures,” Javvad Malik, lead security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “The data accessed is not just a collection of email addresses or passwords, but intimate details of an individual’s genetic makeup – information that could have serious implications for privacy and could potentially be misused.”

Malik called out 23andMe, noting that there is “an element of transparency that needs to be addressed” as “23andMe’s lack of specifics about the scope of the breach leaves many questions unanswered, which does not instill confidence.”

“It’s critical for them to provide a clear account of the incident and outline the steps they’re taking to prevent similar breaches in the future, along with what measures are being taken to support affected users,” Malik added. “It’s a tough lesson, but one that all organizations can learn from to better protect their customer’s data.”

Photo: scalleja/Flick