
23andMe notifies customers of data breach into its 'DNA Relatives' feature

David H. Lipman


23andMe notifies customers of data breach into its 'DNA Relatives' feature


SAN FRANCISCO, Oct 24 (Reuters) - Genetics testing company 23andMe (ME.O) on Tuesday sent emails to several customers to inform them of a breach into the "DNA Relatives" feature that allowed them to compare ancestry information with users worldwide.

After a hacker advertised millions of "pieces of data" stolen from 23andMe on an online forum this month, the company had said it was working with federal law enforcement and forensic experts to investigate it.

In the new emails, a copy of which was seen by Reuters, 23andMe told customers there was a breach of one or more accounts connected to theirs through the "DNA Relatives" feature. That feature allows users around the world to connect and share their personal data including relationship labels, ancestry reports and matching DNA segments, location, birth year and family names, among other things.

"There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives," the company told customers in the email on Tuesday. "As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor."

23andMe provides DNA testing that helps users learn more about their ancestry. Since news of the hack, many customers have expressed worries their ethnicity and other sensitive information could be used against them if leaked. A U.S. lawmaker last week sought more detail on the leaks.

Several users on social media on Tuesday said they got the email, but it was unclear how many customers had been informed. 23andMe spokeswoman Katie Watson declined to comment, citing its ongoing probe, and referred to the blog where the company said on Oct. 20 that it was temporarily disabling features in the "DNA Relatives" to protect user privacy.


Earlier, the company had said hackers may have used credentials leaked from other websites to breach 23andMe accounts - a technique known as 'credential stuffing'. It advised users to change their login information and enable two-factor authentication to prevent compromise.




23andMe says a data breach affected nearly half of its 14 million users


A user data hack within 23andMe is reportedly far more severe than what representatives first admitted to earlier this year. Although initially estimated to affect less than one percent of users, revised assessments confirmed by a company spokesperson over the weekend indicate as many as half of all 23andMe accounts could be involved in the security breach.


Back in October, the popular genetic testing company revealed hackers had gained access to the personal information of a portion of users—such as names, birth years, familial relationships, DNA info, ancestry reports, self-reported locations, and DNA data. 23andMe claims the breach was most likely the result of brute force attacks. In such instances, malicious actors take advantage of a customer’s previously leaked login information, usually repeated passwords and usernames used across multiple internet accounts. 23andMe would not offer concrete numbers for nearly another two months—on December 1, new Securities and Exchange Commission filings revealed the company estimated only 0.1 percent of users, or roughly 14,000 customers, were directly affected. In the same documents, however, 23andMe also admitted a “significant number” of other users’ ancestry information may also have been tangentially included in the leak.

Over the weekend, TechCrunch, speaking with 23andMe officials, confirmed the final tally of data breach victims: roughly 6.9 million users, or about half of all accounts.

Those users include an estimated 5.5 million people who previously opted into the service’s DNA Relatives feature, which allows automatic sharing of some personal data between users. In addition to those customers, hackers stole Family Tree profile data from another 1.4 million people who also used the DNA Relatives feature. The increase in victim estimates allegedly stems from the DNA Relatives feature allowing hackers to not only see a compromised user’s information, but the information of all their listed relatives.


And while the hacking incidents were first publicly announced in October, evidence suggests the breaches occurred as much as two months earlier. At that time, one user on a popular hacking forum offered over 300 terabytes of alleged 23andMe profile data in exchange for $50 million, or between $1,000 and $5,000 for small portions of the cache.

On a separate hacking forum in October, another user announced their possession of alleged data for 1 million users of Ashkenazi Jewish descent alongside 100,000 Chinese accounts—interested parties could purchase the information for between $1 and $10 an account.

23andMe, alongside genetic testing companies such as MyHeritage and Ancestry, has instituted mandatory two-factor authentication for all accounts since the breach’s October confirmation.


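The Reuters piece above says the accounts were most likely opened with credential stuffing: username/password pairs leaked from other sites replayed against 23andMe logins. The following is an added example, not code from either article or from 23andMe, showing the signal a defender can look for in authentication logs: a single source trying many distinct usernames with a low success rate, as opposed to a legitimate user retrying one account. The log format, IP addresses, usernames and thresholds are all constructed for the illustration.

```python
"""Credential-stuffing indicator over web authentication logs (added
example; the log lines, field names and thresholds are constructed and
are not from 23andMe or any real system)."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one login attempt per line.  203.0.113.7 walks
# through six different accounts in five seconds with one success;
# 198.51.100.20 is one person retrying their own password.
SAMPLE_LOG = """\
2023-08-14T02:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-08-14T02:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-08-14T02:00:02Z ip=203.0.113.7 user=carol result=FAIL
2023-08-14T02:00:03Z ip=203.0.113.7 user=dave result=OK
2023-08-14T02:00:04Z ip=203.0.113.7 user=erin result=FAIL
2023-08-14T02:00:05Z ip=203.0.113.7 user=frank result=FAIL
2023-08-14T02:00:09Z ip=198.51.100.20 user=grace result=FAIL
2023-08-14T02:00:15Z ip=198.51.100.20 user=grace result=FAIL
2023-08-14T02:00:30Z ip=198.51.100.20 user=grace result=OK
2023-08-14T03:30:00Z ip=203.0.113.7 user=heidi result=FAIL
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)"
)


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def stuffing_suspects(events, window=timedelta(minutes=10),
                      min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, success_rate)} for sources that tried at
    least `min_users` distinct accounts inside one sliding `window` with a
    success rate at or below `max_success_rate`.  Thresholds are illustrative
    and would be tuned to the site's own traffic."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    suspects = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) < min_users:
                continue
            rate = sum(ok for _, _, ok in span) / len(span)
            if rate <= max_success_rate:
                # Keep the widest spread of accounts seen for this source.
                if ip not in suspects or len(users) > suspects[ip][0]:
                    suspects[ip] = (len(users), rate)
    return suspects


if __name__ == "__main__":
    for ip, (n_users, rate) in stuffing_suspects(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {n_users} distinct accounts, success rate {rate:.2f}")
```

The successful login for `dave` inside that burst is the part that matters operationally: a distinct-username spike is what tells you the one success is a takeover rather than a legitimate sign-in, which is why mandatory two-factor authentication, the mitigation both articles mention, blunts the attack even when the replayed password is correct.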
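The second article's jump from roughly 14,000 directly affected accounts to 6.9 million exposed users comes from the DNA Relatives feature showing a logged-in account the profile data of everyone it is linked to. The following added example (not code from the articles, the forum poster or 23andMe) models that amplification on a small constructed relatives graph: the attacker holds credentials for a few accounts and sees one hop of linked, opted-in profiles, which is also why disabling the feature, as the company did on Oct. 20, cuts the exposure to zero. Account ids, links and opt-in flags are all made up for the illustration.

```python
"""Exposure amplification through an opt-in relatives feature (added
example; the account ids, links and opt-in flags are constructed and are
not 23andMe data)."""

from collections import defaultdict

# Constructed sample: undirected links created by an opt-in relatives
# feature.  a1..a3 will be the directly compromised accounts.
SAMPLE_LINKS = {
    ("a1", "r1"), ("a1", "r2"), ("a1", "r3"),
    ("a2", "r3"), ("a2", "r4"),
    ("a3", "r5"),
    ("r1", "r6"),   # r6 is linked only to a relative, never to a compromised account
    ("x1", "x2"),   # unrelated pair, never reached
}

# Accounts that opted in to sharing (constructed).  Accounts not opted in
# still exist but expose nothing through the feature.
OPTED_IN = {"a1", "a2", "a3", "r1", "r2", "r3", "r4", "r5", "r6", "x1", "x2"}


def build_graph(links):
    """Adjacency sets for the symmetric relatives links."""
    graph = defaultdict(set)
    for u, v in links:
        graph[u].add(v)
        graph[v].add(u)
    return graph


def exposed_accounts(graph, compromised, opted_in):
    """Accounts whose shared profile data is visible to someone holding the
    credentials of `compromised`.

    Model: logging in as a compromised, opted-in account reveals that
    account's own data plus the feature data of every directly linked,
    opted-in account.  The attacker gains no credentials for the relatives,
    so the walk is one hop deep: r6 is not reached through r1."""
    exposed = set()
    for acct in compromised:
        if acct not in opted_in:
            continue  # feature disabled for this account: nothing to show
        exposed.add(acct)
        exposed |= {rel for rel in graph[acct] if rel in opted_in}
    return exposed


def amplification(graph, compromised, opted_in):
    """(number of exposed accounts, exposed-per-compromised ratio)."""
    exposed = exposed_accounts(graph, compromised, opted_in)
    return len(exposed), len(exposed) / max(1, len(compromised))


if __name__ == "__main__":
    g = build_graph(SAMPLE_LINKS)
    hits = {"a1", "a2", "a3"}
    print("feature on :", amplification(g, hits, OPTED_IN))
    print("feature off:", amplification(g, hits, set()))
```

Three compromised accounts expose eight here; at 23andMe's scale the same one-hop rule is what turned a fraction of a percent of accounts into about half the user base. The `opted_in` set is the mitigation knob: removing an account from it (a user opting out, or the company suspending the feature) removes it from every relative's exposed set without any change to the login security of the compromised accounts themselves.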

Not just breached but data sold or even harvested for Familial DNA.

When sites say they are "secure" because they use HTTPS, be skeptical as there is MORE than just HTTPS that makes a site truly "secure".



My guess is it could be used in an evil fashion against an ethnic group. Generalized, a Haplotype may be sought and used for Ethnic Cleansing. THAT would be evil for sure.

Simply... It can be used to find relatives in a family group and as such it may be used in many scenarios. The Wiki page references some cases of law. Another example may be the Privacy of a Mother who gives up a child for adoption and does NOT want to be known.



