Millions of customer records stolen in hack of commercial DNA database

A hacker attack on the American commercial DNA database 23andMe leaked the data of 6.9 million people, the company confirmed to The Verge. Previously, the number of victims given was significantly lower.

At 23andMe, people can have their DNA tested for familial or hereditary diseases. The company’s tests are also available outside the United States, including in the Netherlands.

A spokesperson for the Dutch data protection authority said 23andMe had reported that information belonging to Dutch users had also been leaked. The regulator cannot say how many victims were affected in the Netherlands. The company announced that it will inform the affected people in the Netherlands.

Hackers carried out the attack in early October, but the extent to which data was stolen has only now become clear. The company confirmed that user data has been made available for sale on the dark web in recent months.

Health information

A few days ago, 23andMe offered more information in a letter to the U.S. Securities and Exchange Commission (SEC), but at that time significantly less stolen data was involved.

In its description, 23andMe writes that the data concerns family tree information, but also health information based in part on users’ DNA analysis.

The perpetrators managed to log into the accounts of 14,000 users using information obtained from other attacks (often using reused passwords). That’s about 0.1 percent of 23andMe’s total customer base.

Change passwords

But that is not all, it has now emerged. With these 14,000 accounts, the attackers could use the “DNA relatives” function, a way to track down (distant) relatives. This allowed them to access the information of millions of other users.

23andMe said it was in the process of notifying everyone affected by the leak. The company also warns users to change their passwords. Two-step verification is now mandatory as well; until now it was only an option.

Source: NOS