Site that handles intimate personal data gets hacked; customers shocked and upset

Family connections - and a lack of internal data security protocols between them - were responsible for turning the hack into a major data breach.
6 December 2023

It could’ve all been intercepted in the mail… Via Getty images.

  • A 23andMe hack in October saw users’ data stolen.
  • The company says the hack affected 0.1% of customers, but reports say it could be as many as half.
  • Using sold credentials, the hackers got into the site ‘legally’ – but were then able to multiply their data haul.

When an app or website asks – and when don’t they in this data economy? – it’s good practice to be vague with your personal details. Sure, it’s nice to get a corporate happy birthday from Gail’s bakery (and a free pastry), but your data almost immediately becomes a sitting duck for bad actors who, armed with intimate personal details, can get up to all sorts of mischief.

People, generally, have at least some understanding of this notion in 2023. But somehow, an inverse ratio of complacency plays in people’s heads. The more important, the more intimate, the more science-fictionally dangerous the data we are required to submit to an app or a website to make it work, the more certain we perversely become that the data will be safe – because surely they wouldn’t be allowed to collect such data if they weren’t armed to the teeth against data-pilfering swine!

Welcome to the 23andMe hack.

No zombies today!

Before the Twilight Zone theme starts up in your head and you start to imagine armies of zombie drones cloned from your submitted DNA, it’s important to understand that the compromised data of the 14 million users affected by the hack was not DNA data. Yes, absolutely, it would be a better story if it had been, but the hack was of personal data, not genetic data.

Nevertheless, 14 million users equates to around half of 23andMe’s user base, so while we’re not talking about a zombie apocalypse, we are talking about a massively significant data breach.

The 14 million users figure was reported by TechCrunch – the company itself initially announced the hack had only affected 0.1% of its users – 14,000 people, rather than 14 million. There are reasons for the discrepancy which speak to the detail of the attack.

23andMe is a giant in the (admittedly niche) ancestor-tracing industry, offering genetic testing from DNA, with ancestry breakdown and personalized health insights.

But here’s the second surprising thing about the 23andMe hack. The company, which is based in San Francisco, wasn’t hacked.

Then why do we call it the 23andMe hack? Because cybercriminals logged in to roughly 14,000 individual accounts – that 0.1% claimed by the company – using legitimate email and password details that had been exposed by previous hacks.

More and more information on the 23andMe hack is emerging.


Once they were in the system though, the data-thieves were able to find their way into what the company called “a significant number of files containing profile information about other users’ ancestry.”

They were able to do that because around 5.5 million people had opted in to 23andMe’s ‘DNA Relatives’ feature, which allows customers to automatically share some of their data with others. Because of the way the feature works, by hacking one account, criminals could see the personal data of not only the account holder, but of their relatives too.

Suddenly, the 23andMe hack became a real data ball game.

How did the 23andMe hack work? More or less like a family tree.


The family tree hack

The criminals downloaded not just the data from the accounts into which they legitimately signed with previously-stolen emails and passwords, but also the private information of all the other users to whom they had links across the family trees on the website.
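The amplification described above is easy to reason about as a graph problem. The following is an added illustration, not 23andMe's code: a toy model with constructed users, a constructed opt-in set and constructed match links, showing how the number of exposed profiles can far exceed the number of accounts actually logged into, and why a user who never opted in stays out of the blast radius.

```python
"""Toy model of how a credential-stuffing breach is amplified by a
relative-matching feature. All data here is constructed for illustration."""
from collections import defaultdict

# Constructed sample data: user ids, who opted in to relative matching,
# and the undirected "DNA match" links between users.
OPTED_IN = {"alice", "bob", "carol", "dave", "erin", "frank"}
MATCHES = [("alice", "bob"), ("alice", "carol"), ("bob", "dave"),
           ("carol", "erin"), ("dave", "grace"), ("frank", "heidi")]


def build_match_graph(matches):
    """Adjacency sets for the undirected match links."""
    graph = defaultdict(set)
    for a, b in matches:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def visible_profiles(compromised, opted_in, graph):
    """Profiles readable by someone holding the given account logins.

    Matching is one hop: an account shows its own matches only, and the
    feature only pairs participants who both opted in, so a non-participant
    is neither shown relatives nor shown to them."""
    exposed = set(compromised)
    for acct in compromised:
        if acct not in opted_in:
            continue  # holder never enabled sharing: no relatives to read
        exposed |= {rel for rel in graph[acct] if rel in opted_in}
    return exposed


def relatives_to_notify(compromised, opted_in, graph):
    """Users whose data leaked without their own account being accessed;
    these are the people a breach notice must reach beyond the login list."""
    return visible_profiles(compromised, opted_in, graph) - set(compromised)


def amplification(compromised, opted_in, graph):
    """Exposed profiles per compromised account (the article's point: a
    small number of logins turned into a much larger set of profiles)."""
    exposed = visible_profiles(compromised, opted_in, graph)
    return len(exposed) / len(compromised)


if __name__ == "__main__":
    g = build_match_graph(MATCHES)
    print(visible_profiles({"alice", "dave"}, OPTED_IN, g))
    print(amplification({"alice", "dave"}, OPTED_IN, g))  # 2.0
```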

So, if not genetic data, what kind of data did the 23andMe hackers download? Everything from names, links between people, and birth years, to locations, pictures, addresses and the percentage of DNA shared with relatives.

Nothing major!

In early October, a hacker claimed to have stolen the DNA information of 23andMe users on a well-known hacking forum. As proof, the hacker published the data of one million users of Jewish Ashkenazi descent and 100,000 Chinese users, asking $1-$10 for the data per individual account login.

There’s currently no evidence that any of the datasets stolen in the subsequent 23andMe hack have had buyers, or been used by criminals.

Yet.

Oz Alashe, CEO of CybSafe, a risk management platform, said that the data breach at 23andMe “emphasizes the importance of improving cybersecurity behaviors in the general population.”

“Poorly secured accounts, with weak passwords and no two-factor authentication, put all those sharing their sensitive data at risk,” he said.

23andMe is now legally required to inform all the customers affected. That will force customers to change passwords and improve account security, too.

The lesson of the 23andMe hack

If there’s a lesson more people need to learn in the 21st century, it’s the importance of cyber-hygiene.

At least 14,000 customers of 23andMe just learned a harsh lesson – possibly as many as 14 million.

The lure of websites like 23andMe is easy to understand – it’s fun and interesting to find out about your family history.

The hackers probably enjoyed it a great deal, too. And while the details may not have yet been sold, no one pulls off a data haul like this for simple jollification.

Watch this space.