The 23andMe Data Breach Keeps Spiraling

23andMe has provided more information about the scope and scale of its recent breach, but with these details come more unanswered questions.

More details are emerging about a data breach the genetic testing company 23andMe first reported in October. But as the company shares more information, the situation is becoming even more complicated and creating greater uncertainty for users attempting to understand the fallout. 23andMe said at the beginning of October that attackers had infiltrated some of its users’ accounts and piggybacked off of this access to scrape personal data from a larger subset of users through the company’s opt-in, social sharing service known as DNA Relatives. At the time, the company didn’t indicate how many users had been impacted, but hackers had already begun selling data on criminal forums that seemed to be taken from at least a million 23andMe users, if not more.

In a US Securities and Exchange Commission filing on Friday, the company said that “the threat actor was able to access a very small percentage (0.1%) of user accounts,” or roughly 14,000 given the company’s recent estimate that it has more than 14 million customers.

Fourteen thousand is a lot of people in itself, but the number didn’t account for the users impacted by the attacker’s data-scraping from DNA Relatives. The SEC filing simply noted that the incident also involved “a significant number of files containing profile information about other users’ ancestry.” On Monday, 23andMe confirmed to TechCrunch that the attackers collected the personal data of about 5.5 million people who had opted in to DNA Relatives, as well as information from an additional 1.4 million DNA Relatives users who “had accessed their Family Tree profile information.”

23andMe subsequently shared this expanded information with WIRED as well. From the group of 5.5 million people, hackers stole display names, most recent login, relationship labels, predicted relationships, and percentage of DNA shared with DNA Relatives matches. In some cases, this group also had other data compromised, including ancestry reports and details about where on their chromosomes they and their relatives had matching DNA, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, links to self-created family trees, and other profile information.

The smaller (but still massive) subset of 1.4 million impacted DNA Relatives users all had data compromised from the aforementioned specific profile known as “Family Tree.” The stolen data included display names and relationship labels and, in some cases, birth years and self-reported location data. Asked why this expanded information wasn’t in the SEC filing, 23andMe spokesperson Katie Watson tells WIRED that “we are only elaborating on the information included in the SEC filing by providing more specific numbers.”

23andMe has maintained that attackers used a technique known as credential stuffing to compromise the 14,000 user accounts—finding instances where leaked login credentials from other services were reused on 23andMe. In the wake of the incident, the company forced all of its users to reset their passwords and began requiring two-factor authentication for all customers. In the weeks after 23andMe initially disclosed its breach, other similar services, including Ancestry and My Heritage, also started promoting or requiring two-factor authentication on their accounts.

In October and again this week, though, WIRED pressed 23andMe on its finding that the user account compromises were attributable solely to credential-stuffing attacks. The company has repeatedly declined to comment, but multiple users have noted that they are certain their 23andMe account usernames and passwords were unique and could not have been exposed somewhere else in another leak. In at least one example, though, 23andMe eventually provided an explanation to the user.

On Tuesday, US National Security Agency cybersecurity director Rob Joyce noted on his personal X (formerly Twitter) account: “They disclose the credential stuffing attacks, but they don’t say how the accounts were targeted for stuffing. This was unique and not an account that could be scraped from the web or other sites.” Joyce wrote that he creates a unique email address for each company he uses to create an account. “That account is used NOWHERE else and it was unsuccessfully stuffed,” he wrote, adding: “Personal opinion: 23andMe hack was STILL worse than they are owning with the new announcement.” Hours after Joyce publicly raised these concerns (and WIRED asked 23andMe about his case), Joyce said that the company had contacted him to determine what had happened with his account.

Joyce did use a unique email address for his 23andMe account, but the company partnered with My Heritage in 2014 and 2015 to enhance the DNA Relatives “Family Tree” functionality, which Joyce says he subsequently used. Then, separately, My Heritage suffered a data breach in 2018 in which Joyce’s unique 23andMe email address was apparently exposed. He adds that because of using strong, unique passwords on both his My Heritage and 23andMe accounts, neither was ever successfully compromised by attackers.

The anecdote underscores the stakes of user data sharing between companies and software features that promote social sharing when the information involved is deeply personal and relates directly to identity. It may be that the larger numbers of impacted users were not in the SEC report because 23andMe (like many companies that have suffered security breaches) does not want to include scraped data in the category of breached data. These delineations, though, ultimately make it difficult for users to grasp the scale and impact of security incidents. “I firmly believe that cyber-insecurity is fundamentally a policy problem,” says Brett Callow, a threat analyst at the security firm Emsisoft. “We need standardized and uniform disclosure and reporting laws, prescribed language for those disclosures and reports, regulation and licensing of negotiators. Far too much happens in the shadows or is obfuscated by weasel words. It’s counterproductive and helps only the cybercriminals.”

Meanwhile, apparent 23andMe user Kendra Fee flagged on Tuesday that 23andMe is notifying customers about changes to its terms of service related to dispute resolutions and arbitration. The company says that the changes will “encourage prompt resolution of any disputes” and “streamline arbitration proceedings where multiple similar claims are filed.” Users can opt out of the new terms by notifying the company that they decline within 30 days of receiving notice of the change.