In October we reported that the data of as many as seven million 23andMe customers were for sale on criminal forums following a password attack against the genomics company.
Now, a filing with the US Securities and Exchange Commission has provided some more insight into the data theft.
The filed amendment supplements the original Form 8-K submitted by 23andMe.
The amendment says that an investigation showed that the attacker was able to directly access the accounts of roughly 0.1% of 23andMe's users, which is about 14,000 of its 14 million customers.
The attacker accessed the accounts using credential stuffing, an attack in which someone tries username and password combinations that already exist from other leaks to see whether they can log in to a service.
Because people often reuse passwords across accounts, cybercriminals buy those combinations and then use them to log in to other services and platforms.
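As an added example, not code from the article or from 23andMe: a small detector for the credential-stuffing pattern described above, run over constructed login events. It flags a source address that tries many distinct usernames with mostly failed attempts inside a time window, which is the trace this attack leaves in authentication logs; the event format, addresses and thresholds are assumptions.

```python
# Added example (not from the Malwarebytes article or 23andMe). Credential
# stuffing leaves a distinctive trace: one source tries MANY distinct
# usernames and mostly fails, because the attacker does not know which of
# the leaked pairs still work here. Normal users try one or two accounts.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: int          # unix seconds (constructed values below)
    src_ip: str
    username: str
    success: bool


def find_stuffing_sources(events, window_s=600, min_users=20, min_fail_ratio=0.8):
    """Return {src_ip: (distinct_users, failures, successes)} for sources that,
    within some `window_s`-second sliding window, tried at least `min_users`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.
    Thresholds are assumptions; tune them to the service's normal traffic."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window_s:  # slide window start
                start += 1
            window = evs[start:end + 1]
            users = {e.username for e in window}
            fails = sum(1 for e in window if not e.success)
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                cand = (len(users), fails, len(window) - fails)
                best = cand if best is None or cand > best else best
        if best is not None:
            flagged[ip] = best
    return flagged


def constructed_events():
    """Constructed sample: one source cycling through 40 leaked usernames
    (two of which still work), plus a normal user who mistypes once."""
    evs = [LoginEvent(1000 + i * 5, "203.0.113.7", f"user{i}@example.test",
                      success=(i in (3, 17))) for i in range(40)]
    evs += [LoginEvent(1100, "198.51.100.9", "alice@example.test", False),
            LoginEvent(1130, "198.51.100.9", "alice@example.test", True)]
    return evs


if __name__ == "__main__":
    for ip, (users, fails, succ) in find_stuffing_sources(constructed_events()).items():
        print(f"{ip}: {users} usernames, {fails} failures, {succ} successes")
```

The two successes inside an otherwise failing burst are the accounts a defender should treat as compromised and force a password reset on, even though each individual login looked valid.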
With the breached accounts at their disposal, the attacker used 23andMe's opt-in DNA Relatives feature, which matches users with their genetic relatives, to access information about millions of other users.
According to a spokesperson, the DNA Relatives (DNAR) profiles of roughly 5.5 million customers could be accessed in this way, plus the Family Tree profile information of 1.4 million additional DNA Relatives participants.
The 5.5 million DNAR Profiles contained sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships, and ancestry reports.
For a subset of these accounts, the stolen data might contain health-related information based on the user's genetics.
The 1.4 million Family Tree profiles contain display names and relationship labels, plus other information that a user may have added, including birth year and location.
23andMe is in the process of notifying users impacted by the incident.
The company said it believes that the attacker activity is contained, and that it is working to have the publicly posted information taken down.
When the breach was first announced, 23andMe urged its users to ensure they have strong passwords, to avoid reusing passwords from other sites, and to enable multi-factor authentication.
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
You can make a stolen password useless to thieves by changing it.
Choose a strong password that you don't use for anything else.
Let a password manager choose one for you.
Some forms of two-factor authentication can be phished just as easily as a password.
Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover afterwards.
This Cyber News was published on www.malwarebytes.com. Publication date: Mon, 04 Dec 2023 23:13:04 +0000