Date: 2023-12-04

23andMe confirmed that the recent breach leaked the data of 6.9 million users. In a statement emailed to The Verge, company spokesperson Andy Kill says the breach affected about 5.5 million users who had DNA Relatives enabled, a feature that matches users with similar genetic structure, while an additional 1.4 million people had their family tree profiles accessed.

In a filing with the Securities and Exchange Commission (SEC) and in an update to its blog post on December 1, 23andMe said that a threat actor using a credential stuffing attack (logging in with account information obtained in other security breaches, usually possible due to password reuse) directly accessed 0.1 percent of user accounts, or about 14,000 users. With access to those accounts, the attackers used the DNA Relatives feature, which matches people with other members with whom they may share ancestry, to access additional information from millions of other profiles.

“We have yet to receive any indication that a data security incident has occurred on our systems.”

The Friday statement also said that a “large number of files” were accessed through the Relatives feature, but it did not include the figures mentioned above.

Kill tells The Verge, “We still have no indication that a data security incident occurred within our systems, or that 23andMe was the source of the account credentials used in these attacks.” This statement contradicts the fact that the information of 6.9 million users is now in the hands of attackers. Most of those affected were exposed because they opted into a feature provided by 23andMe, which failed to prevent the breach by limiting access to information or requiring additional account security.

The first public sign of the problem appeared in October when 23andMe confirmed that user information was for sale on the dark web. The genetic testing site later said it was investigating claims by a hacker that they had leaked 4 million genetic profiles of people in Great Britain and “the wealthiest people living in the US and Western Europe”.

The 5.5 million DNA Relatives profiles leaked included users who were not part of the initial credential stuffing attack. The data exposed included things like display names, estimated relationships with others, the amount of DNA shared by users with matches, ancestry reports, self-reported locations, ancestor birth locations, family names, profile pictures and more.

The remaining 1.4 million users, who also participated in the DNA Relatives feature, had their family tree profiles accessed. This feature likewise includes display name, relationship label, year of birth, and self-reported location. It does not include the percentage of DNA shared with potential relatives on the site or matching DNA segments.

23andMe says it is still in the process of notifying users affected by the breach. It has also started warning users to reset their passwords and now requires two-step verification for new and existing users, which was previously optional.

Source: www.theverge.com