
Genetic testing company 23andMe discloses security breach affecting 6.9 million users

Almost 7 million 23andMe users were affected in a recent data breach. (Image via 23andMe w/ edits)
23andMe, a company known for tracing ancestry via genetic testing, recently closed an investigation into unauthorized access of user accounts. The investigation revealed that roughly 6.9 million user accounts were affected in the breach, largely via automatic data sharing features within the platform.

Bad news if you have a 23andMe account: the popular genetics testing company recently reported a massive data breach that affected 6.9 million users of its various services.

The report comes as the conclusion of an ongoing investigation into a data breach discovered in early October. The investigation revealed that over 14,000 user accounts were accessed by unauthorized parties (i.e., hackers).

While this is a relatively small-scale breach, a feature that links various accounts across 23andMe's different services allowed the hackers to access the personal data of 6.9 million users. The malicious party accessed the personal data of roughly 5.5 million DNA Relatives profiles and about 1.4 million Family Tree profiles. These profiles share data automatically to match users with potential relations across 23andMe.

These features exposed a variety of personal identifiers, including users' names, locations, birth years, relations to other users, ancestry reports, and more. 

The hackers gained access to the initial 14,000 accounts via a technique known as "credential stuffing," in which usernames and passwords leaked from other compromised websites are tried against a targeted website and work wherever users reused them. In other words, the compromised accounts had usernames and passwords that were used on other websites that had prior data breaches. This attack is an important reminder to everyone to use a different username and password for each website.

23andMe stated that, to the extent the law requires, it will notify existing customers. The platform is also enforcing two-factor authentication (2FA) practices for new and current users. Existing customers will be enrolled in an email verification system for 2FA. 
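
For defenders, credential stuffing as described above leaves a recognizable trace in login logs: one source tries many different usernames about once each, and most attempts fail. The following is an added example, not code from 23andMe or this article; the log format, sample lines, and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log, format: "<timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol FAIL
2023-10-01T10:00:04Z 203.0.113.7 dave OK
2023-10-01T10:00:05Z 203.0.113.7 erin FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank FAIL
2023-10-01T10:01:00Z 198.51.100.20 grace FAIL
2023-10-01T10:01:05Z 198.51.100.20 grace FAIL
2023-10-01T10:01:09Z 198.51.100.20 grace FAIL
2023-10-01T10:01:15Z 198.51.100.20 grace OK
2023-10-01T10:02:00Z 192.0.2.5 heidi OK
2023-10-01T10:02:30Z 192.0.2.5 ivan OK
"""

def flag_stuffing_sources(log, min_users=5, max_tries_per_user=2.0, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct usernames about once each and mostly fail."""
    tries = defaultdict(int)
    fails = defaultdict(int)
    users = defaultdict(set)
    hits = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        tries[ip] += 1
        users[ip].add(user)
        if result == "OK":
            hits[ip].add(user)
        else:
            fails[ip] += 1
    flagged = {}
    for ip, n_tries in tries.items():
        n_users = len(users[ip])
        if (n_users >= min_users
                and n_tries / n_users <= max_tries_per_user
                and fails[ip] / n_tries >= min_fail_ratio):
            # A successful login from a flagged source suggests a reused password:
            # that account needs a forced reset and 2FA enrolment.
            flagged[ip] = {"users": n_users, "tries": n_tries, "at_risk": sorted(hits[ip])}
    return flagged

if __name__ == "__main__":
    for ip, stats in flag_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The failure-ratio check keeps a shared office or NAT address, where many users log in successfully once each, from being flagged; the repeated retries against a single username from 198.51.100.20 are a different pattern and are also left alone.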

Sam Medley, 2023-12-06 (Update: 2023-12-06)