23andMe said raw genomic data and health reports were among the data stolen in a breach lasting between late April and late September 2023.
The latest details about the 23andMe hack were revealed in data breach notification letters submitted to the California Attorney General’s office and published on the AG’s website on or about Jan. 21.
23andMe data breach went undetected for 5 months
23andMe disclosed for the first time that the breach, which the company didn’t become aware of until early October, began on April 29, 2023.
For about five months, the attacker used credential stuffing to access at least 14,000 accounts directly, and further leveraged those accounts to download additional users’ data from the DNA Relatives and Family Tree profile features. 23andMe has said the total number of affected customers is about 6.9 million.
23andMe only became aware of the breach after a post was made on the unofficial 23andMe subreddit of the online social network Reddit on Oct. 1 by someone advertising the stolen data. In response, the company launched an investigation, contacted federal law enforcement, and engaged third-party incident response experts, according to the notices.
23andMe customers were required to reset their passwords on Oct. 10 and required to implement two-factor authentication (2FA) beginning on Nov. 6. The company concluded its investigation on Dec. 1 and disclosed the total number of victims shortly afterward.
Links to a file containing the stolen data were posted to the illicit BreachForums, and although these links expired within 24 hours of their creation, 23andMe said in its latest notifications that it is still working on removing reuploads of the file from other unspecified websites.
Mitch Tanenbaum, CISO at Turnkey Cybersecurity and Privacy Solutions and partner at CyberCecurity, opined in a blog post that the 23andMe cyberattack likely went undetected for so long due to a failure to log or alert on the right activity.
“[…] it is fair to say that if you don’t look for the right events, don’t alert on the right events and don’t investigate those events, hackers can roam freely, possibly for ever,” Tanenbaum wrote.
Raw genetic data, health reports stolen from credential-stuffed accounts
23andMe provided eight different versions of its data breach notification, including three emails and five formal letters. The different notices appear to apply to different recipients based on what data was leaked from their accounts, as well as whether this data was accessed directly through credential stuffing or indirectly through scraping the DNA Relatives feature.
One version of the notice informs recipients that their “uninterrupted raw genotype data” was downloaded or accessed from their credential-stuffed account.
Raw genetic data on 23andMe can be viewed using the “Browse Raw Data” feature or downloaded in a .txt file format. The raw genetic data provided by 23andMe tells customers the base pairs (combinations of A, T, G and C) found at specific gene marker locations on their chromosomes.
Raw genomic data files downloaded from 23andMe can be uploaded to other services for additional interpretation or to find genetic relatives who used other testing services. On some sites, such as GEDmatch, genetic data uploaded by users is used by law enforcement to compare with DNA evidence from criminal cases.
23andMe has indefinitely disabled the ability to download raw genetic data files in the wake of the cyberattack.
Other letters informed customers that health reports based on their genetic information were stolen in the breach, including reports about health predisposition, wellness and carrier status for certain diseases.
Reports 23andMe offers for those who use its health testing services include those for Type 2 diabetes predisposition, cystic fibrosis carrier status, likelihood of lactose intolerance and dozens more.
The remaining notices disclosed the different extents of DNA Relatives and Family Tree profile information scraped from the genetic relatives of those whose accounts were accessed. This data was accessible to the attackers because users have the option to share certain profile information with other users they are genetically related to.
Data leaked from the DNA Relatives and Family Tree features included ancestry reports, predicted relationships with DNA Relative matches, and self-reported information such as location, family names, profile picture, birth year and information published in the “Introduce yourself” section of a user’s profile.
23andMe stated that it does not believe the breach resulted in identity theft or fraud as the information stolen did not include Social Security numbers, driver’s license numbers or financial information.
Multiple lawsuits pending against 23andMe
Class action lawsuits related to the 23andMe cyberattack allege the company violated privacy laws, including the California Privacy Rights Act (CPRA), the California Confidentiality of Medical Information Act (CMIA) and the Illinois Genetic Information Privacy Act, by failing to sufficiently protect users' data.
23andMe denied the allegations in a letter to lawyers representing plaintiffs in one of the suits, stating the plaintiffs were “not affected by any security breach under the CPRA,” although the notices published on the California AG website include the subjects “Notice of Data Breach” and “Notice of Breach of Security.”
The company argued they are not responsible for the exposure of customer information because the perpetrator used credentials leaked in previous breaches unrelated to 23andMe, rather directly breaching 23andMe’s systems.
“[…] users used the same usernames and passwords on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords,” a lawyer for the company wrote.
23andMe updated its Terms of Use on Nov. 30, adding a clause that makes it more difficult for customers to pursue class action lawsuits.
SC Media reached out to 23andMe with questions about information contained in the recent notification letters, and did not receive a response.
