Hackers Steal and Publicly Peddle Genetic Profiles of Nearly 7 Million 23andMe Customers Via Password Reuse


Updated on:

A staggering data debacle rocked genetics testing firm 23andMe as hackers infiltrated over 6 million customer accounts in a credential stuffing bonanza. But the company’s flimsy response and internet underworld sales pitch the stolen data for all to see.

Initially downplaying breach impacts, 23andMe vastly underestimated the fallout from recycled passwords granting unauthorized access. Where it first admitted to 14,000 compromised users, in truth that figure ballooned 100x over exposing highly sensitive ancestry and family profiles.

The golden ticket for attackers became 23andMe’s DNA Relatives opt-in, allowing account comparisons to spot bloodline connections. Once inside one account, the feature created a bridge to traverse contacts and access associated users and family tree data.

Soon over 5.5 million DNA Relatives users saw personal genomics profiles harvested alongside 1.4 million more with exposed family trees. Combine the two subgroups and 23andMe essentially hemorrhaged insights on a staggering 15% of its customer roster.

Yet perhaps worse than the break-in itself is how attackers openly flaunted their genetic bounty. Screenshots confirming obtainment of hundreds of thousands of Chinese and Jewish DNA samples surfaced on underground site Breach Forums.

Despite assertations otherwise, clearly 23andMe security failed on multiple fronts enabling both massive data theft and subsequent public resale visibility. All while hapless users awaited proactive breach notifications that never arrived.

The episode underscores inherent risks entrusting irreversible personal blueprints to corporations valuing other priorities first. When your very identity hangs in the balance, yet caretakers deploy pedestrian security and transparency, no wonder trust evaporates.

So those contemplating genetic testing should weigh benefits against the permanence of data loss should the unthinkable occur. As 23andMe just demonstrated on epic scale, promises protecting sensitive information ring hollow when hackers come calling.

Leave a Comment

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.