DNA testing company 23andMe has released further details surrounding an October data breach, where user profile information had been accessed and downloaded at the hands of a threat actor.
On Oct. 1, a threat actor made a post on the Dark Web claiming to possess profile information of 23andMe users; later, the perpetrators released 4 million more records they alleged to be stolen from the company.
This led the company to launch an investigation alongside third-party experts.
In light of the investigation, 23andMe now reports that the information that was accessed without authorization is a small percentage of user accounts.
It also confirmed that the incident was a credential-stuffing attack in which usernames and passwords used for the 23andMe website were the same credentials used for other websites, from which they were stolen.
The compromised information varies from user to user but includes ancestry and health information.
The threat actor also accessed user files related to 23andMe's DNA Relatives feature and proceeded to post this information online.
23andMe now believes that the activity of the threat actor has been contained and is providing notice to impacted individuals.
It also requires password changes from its users and implemented a two-step authentication login process for its website.
Multiple class action claims have been filed against the company, and it expects to spend anywhere between $1 million to $2 million in expenses related to the breach in its third fiscal quarter.
This Cyber News was published on www.darkreading.com. Publication date: Mon, 04 Dec 2023 21:10:24 +0000