23andMe, a genetic testing company based in California, USA, admitted that nearly 7 million people have been affected by the security breach that put sensitive genetic information in the hands of hackers. According to recent reports from 23andMe, the hackers directly accessed only approximately 14,000 personal files. However, because of an opt-in feature that allows DNA-related relatives to contact each other and learn more about their ancestry, the hackers could reach far more information than those files alone held: approximately 7 million people were exposed.
Users choose to share a wide range of information with 23andMe, including names, birth year, self-reported location, relationship labels, ancestry, and health information, for example, genetic predisposition to certain conditions like asthma and high blood pressure. Exposure of such information could have serious ramifications. In early October, a hacker claimed on a hacking forum to have stolen DNA information from 23andMe. The hacker then published the alleged data of 1 million users of Ashkenazi Jewish descent and 100,000 Chinese users, and asked would-be buyers to pay between $1 and $10 per individual account for the data.
When 23andMe first disclosed the breach, it said the breach was most likely caused by customers re-using passwords that had appeared in other data breaches. As a result, 23andMe announced that it requires two-factor authentication to boost the site’s security and mitigate credential stuffing. The company further stated that it expects to incur between $1 and $2 million in losses related to the breach.