Family search and DNA testing service 23andMe provided further details Monday about an October data breach that exposed personal information on nearly 7 million users.
Hackers reportedly used “credential stuffing,” a method that tries login and password information taken from other websites, to gain direct access to data on about 14,000 23andMe users, then leveraged that entry point to harvest information from millions of additional accounts. The data breach exposed user information including family trees, ZIP codes and dates of birth.
23andMe’s genetic testing kits include options for ancestry breakdowns, traits, health predisposition and carrier reports. The leaked data did not include genomic information but did contain genetic ancestry results.
The company says it has completed its investigation of the incident and upgraded security features, including adoption of a new, two-factor authentication process for users.
“23andMe has completed its investigation, assisted by third-party forensics experts. We are in the process of notifying affected customers, as required by law,” the company wrote in a website posting over the weekend. “We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers.”
According to a report from The New York Times, 23andMe has not uncovered any evidence that hackers have used the customer data for any nefarious purposes.
“We have not learned of any reports of inappropriate use of the data after the leak,” a 23andMe spokeswoman told the Times on Monday.
The Identity Theft Resource Center reports that data breaches in just the first nine months of 2023 surpassed an all-time yearly record set in 2021. Through the end of September of this year, the center recorded over 2,100 data compromises, sailing past the record of 1,862 breaches in all of 2021.
Through the first three quarters of 2023, hackers illegally accessed information on nearly 234 million victims, according to the report.
“While setting a record for the number of data breaches is attention-grabbing, unfortunately, it is not surprising,” Eva Velasquez, president and CEO of the Identity Theft Resource Center, said in the report. “There are a handful of reasons for the rise in data compromises, ranging from the drastic uptick in Zero-Day attacks to a new wave of ransomware attacks as new ransomware groups enter the criminal identity marketplace. Now that we have broken the previous annual data compromise record, the question remains: by how much?”