The 23andMe Data Breach Keeps Spiralling
More details are emerging about a data breach the genetic testing company 23andMe first reported in October. But as the company shares more information, the situation is becoming even murkier and creating greater uncertainty for users attempting to understand the fallout.
23andMe said at the beginning of October that attackers had infiltrated some of its users’ accounts and piggybacked off of this access to scrape personal data from a larger subset of users through the company’s opt-in, social sharing service known as DNA Relatives. At the time, the company didn’t indicate how many users had been impacted, but hackers had already begun selling data on criminal forums that seemed to be taken from at least a million 23andMe users, if not more. In a US Securities and Exchange Commission filing on Friday, the company said that “the threat actor was able to access a very small percentage (0.1 %) of user accounts,” or roughly 14,000 given the company’s recent estimate that it has more than 14 million customers.
Fourteen thousand is a lot of people in itself, but the number didn’t account for the users impacted by the attacker’s data-scraping from DNA Relatives. The SEC filing simply noted that the incident also involved “a significant number of files containing profile information about other users’ ancestry.”
On Monday, 23andMe confirmed to TechCrunch that the attackers collected the personal data of about 5.5 million people who had opted in to DNA Relatives, as well as information from an additional 1.4 million DNA Relatives users who “had their Family Tree profile information accessed.” 23andMe subsequently shared this expanded information with WIRED as well.
Source: Wired