More details are emerging about a data breach the genetic testing company 23andMe first reported in October. But as the company shares more information, the situation is becoming even murkier and creating greater uncertainty for users attempting to understand the fallout.
23andMe said at the beginning of October that attackers had infiltrated some of its users’ accounts and piggybacked off of this access to scrape personal data from a larger subset of users through the company’s opt-in, social sharing service known as “DNA Relatives.” At the time, the company didn’t indicate how many users had been impacted, but hackers had already begun selling data on criminal forums that seemed to be taken from at least a million 23andMe users if not more. In a United States Securities and Exchange Commission (SEC) filing on Friday, the company said that “the threat actor was able to access a very small percentage (0.1%) of user accounts” or roughly 14,000 given the company’s recent estimate that it has more than 14 million customers.
Fourteen thousand is a lot of people in itself, but the number didn’t account for the users impacted by the attacker’s data scraping from DNA Relatives. The SEC filing simply noted that the incident also involved “a significant number of files containing profile information about other users’ ancestry.”
On Monday, 23andMe confirmed to TechCrunch that the attackers collected the personal data of about 5.5 million people who had opted into DNA Relatives, as well as information from an additional 1.4 million DNA Relatives users who “had their Family Tree profile information accessed.” 23andMe subsequently shared this expanded information with WIRED as well.
From the group of 5.5 million people, hackers stole display names, most recent login, relationship labels, predicted relationships, and percentage of DNA shared with DNA Relatives matches. In some cases, this group also had other data compromised, including ancestry reports and details about where on their chromosomes they and their relatives had matching DNA, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, links to self-created family trees, and other profile information. The smaller (but still massive) subset of 1.4 million impacted DNA Relatives users specifically had display names and relationship labels stolen and, in some cases, also had birth years and self-reported location data affected.
Asked why this expanded information wasn’t in the SEC filing, 23andMe spokesperson Katie Watson tells WIRED that “we are only elaborating on the information included in the SEC filing by providing more specific numbers.”
23andMe has maintained that attackers used a technique known as “credential stuffing” to compromise the 14,000 user accounts—finding instances where leaked login credentials from other services were reused on 23andMe. In the wake of the incident, the company forced all of its users to reset their passwords and began requiring two-factor authentication for all customers. In the weeks after 23andMe initially disclosed its breach, other similar services including Ancestry and MyHeritage also began promoting or requiring two-factor authentication on their accounts.
In October and again this week, though, WIRED pressed 23andMe on its finding that the user account compromises were attributable solely to credential stuffing attacks. The company has repeatedly declined to comment, but multiple users have noted that they are certain their 23andMe account usernames and passwords were unique and could not have been exposed somewhere else in another leak.
On Tuesday, for example, US National Security Agency cybersecurity director Rob Joyce noted on his personal X (formerly Twitter) account: “They disclose the credential stuffing attacks, but they don’t say how the accounts were targeted for stuffing. This was unique and not an account that could be scraped from the web or other sites.” Joyce, who was apparently a 23andMe user impacted by the breach, wrote that he creates a unique email address for each company he makes an account with. “That account is used NOWHERE else and it was unsuccessfully stuffed,” he wrote, adding: “Personal opinion: @23andMe hack was STILL worse than they are owning with the new announcement.”
23andMe has not clarified how such accounts can be reconciled with the company’s disclosures. Furthermore, it may be that the larger numbers of impacted users were not in the SEC report because 23andMe (like many companies that have suffered security breaches) does not want to include scraped data in the category of breached data. These inconsistencies, though, ultimately make it difficult for users to grasp the scale and impact of security incidents.
“I firmly believe that cyber-insecurity is fundamentally a policy problem,” says Brett Callow, a threat analyst at security firm Emsisoft. “We need standardized and uniform disclosure and reporting laws, prescribed language for those disclosures and reports, regulation and licensing of negotiators. Far too much happens in the shadows or is obfuscated by weasel words. It’s counterproductive and helps only the cybercriminals.”
Meanwhile, apparent 23andMe user Kendra Fee flagged on Tuesday that 23andMe is notifying customers about changes to its terms of service related to dispute resolutions and arbitration. The company says that the changes will “encourage a prompt resolution of any disputes” and “streamline arbitration proceedings where multiple similar claims are filed.” Users can opt out of the new terms by notifying the company that they decline within 30 days of receiving notice of the change.