Cybersecurity

How 23andMe has responded, post breach

Usernames and passwords that were used on 23andMe.com were the same as those used on other websites, the company claims.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The genetic testing provider 23andMe changed its terms of service, and required users to change their passwords and set up two-factor authentication, following password compromises that led to a potential exposure of millions of profile records.

What was stolen. In an October breach, hackers accessed roughly 14,000 user accounts; because each of those accounts could view relatives' information, the intrusion also exposed the data of approximately 7 million DNA Relatives profiles, along with about 1.4 million Family Tree feature profiles, according to an announcement from the company.

DNA Relative details include “percentage of DNA shared with your matches,” location, ancestry reports, profile pictures, birth year, and a family tree link. (The Family Tree feature is a more limited subset of DNA Relatives.)

“The issue here is that 23andMe is a social site that also has healthcare information,” according to Ryan McGeehan, owner of cybersecurity consulting firm R10N Security. “And both of these increase the risk of exposure of the data, and the value of the data itself,” McGeehan told the Wall Street Journal on Dec. 5.

23andMe confirmed to BleepingComputer in October that the data had circulated on hacker forums.

23andHowTho: The company insists the compromise occurred because of a tactic known as credential stuffing and not a system vulnerability. “Usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously compromised or otherwise available,” the company claimed on its blog.

A 2022 report from Okta illustrates how common the tactic is: the authentication vendor detected almost 10 billion credential-stuffing events on its platform in the first 90 days of the year, “representing approximately 34% of overall traffic/authentication events.”
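To make the credential-stuffing pattern described above concrete, here is an added example (not code from 23andMe, Okta or IT Brew) that scans login-event lines for the signature of stuffing: a single source trying many different usernames in a short window with a low success rate, which is what replaying username/password pairs leaked from other sites looks like to the victim site. The log format, the thresholds and the IP addresses are assumptions chosen for illustration, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real traffic). Assumed format per line:
#   <ISO timestamp> <source IP> <username> <ok|fail>
# 203.0.113.7 sprays ten different usernames in ten seconds (stuffing);
# 198.51.100.9 is one user mistyping a password twice, then succeeding.
SAMPLE_LOG = """\
2023-10-01T12:00:00 203.0.113.7 alice fail
2023-10-01T12:00:01 203.0.113.7 bob fail
2023-10-01T12:00:02 203.0.113.7 carol ok
2023-10-01T12:00:03 203.0.113.7 dave fail
2023-10-01T12:00:04 203.0.113.7 erin fail
2023-10-01T12:00:05 203.0.113.7 frank fail
2023-10-01T12:00:06 203.0.113.7 grace ok
2023-10-01T12:00:07 203.0.113.7 heidi fail
2023-10-01T12:00:08 203.0.113.7 ivan fail
2023-10-01T12:00:09 203.0.113.7 judy fail
2023-10-01T12:05:00 198.51.100.9 alice fail
2023-10-01T12:05:30 198.51.100.9 alice fail
2023-10-01T12:06:00 198.51.100.9 alice ok
2023-10-01T12:10:00 192.0.2.44 bob ok
"""

WINDOW = timedelta(minutes=5)   # assumed detection window
MIN_DISTINCT_USERS = 8          # assumed: usernames per source before we care
MAX_SUCCESS_RATE = 0.30         # assumed: stuffing mostly fails


def parse(log_text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events


def find_stuffing_sources(events, window=WINDOW,
                          min_users=MIN_DISTINCT_USERS,
                          max_success=MAX_SUCCESS_RATE):
    """Return {ip: stats} for every source IP that, within some sliding
    time window, tried at least `min_users` distinct usernames with a
    success rate no higher than `max_success`."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance `start` until events[start..end] fit inside the window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            rate = sum(e[3] for e in span) / len(span)
            if len(users) >= min_users and rate <= max_success:
                # Report over the source's whole stream: every successful
                # login from a stuffing source is a likely compromised account.
                total_rate = sum(e[3] for e in evs) / len(evs)
                flagged[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({e[2] for e in evs}),
                    "success_rate": round(total_rate, 2),
                    "compromised": sorted({e[2] for e in evs if e[3]}),
                }
                break
    return flagged


def stuffing_share(events, flagged):
    """Fraction of all auth events that came from flagged sources
    (the kind of ratio behind Okta's 'approximately 34%' figure)."""
    if not events:
        return 0.0
    return sum(1 for e in events if e[1] in flagged) / len(events)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    for ip, stats in hits.items():
        print(ip, stats)
    print("share of auth traffic from stuffing sources:",
          round(stuffing_share(evs, hits), 2))
```

The distinct-username count is what separates stuffing from a legitimate user who fails twice and then gets in: 198.51.100.9 is never flagged because only one account is involved. The accounts that did succeed from the flagged source are the ones to force through a password reset and two-step verification enrollment. Real stuffing campaigns spread requests across proxy pools, so a per-IP heuristic like this is a starting point, normally combined with rate limits, device or session fingerprinting, and rejecting passwords that appear in known breach corpora.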

In its blog post, 23andMe stated it “now requires all new and existing customers to login using two-step verification.”

What’s happened since: The 23andMe team updated its terms of service on Nov. 30, calling for “dispute resolution by a deciding arbitrator instead of courts.” When asked why the company made the changes, VP of Communications Katie Watson directed IT Brew to the blog post.

Chicago-Kent College of Law professor Nancy Kim told Axios that the company “will likely struggle to prove” that it provided the reasonable notice and opt-out options required for such changes.

What’s troubling: Leaked genetic data compromises the privacy of other members along the family tree.

“When you are giving this [genetic data], you are associating a lot of ancestry: maybe your uncle, maybe your grandfather, or maybe some other people who never agreed to give this information,” Iskander Sanchez-Rola, director of privacy innovation at cybersecurity-services provider Gen, told IT Brew.
