2023-12-05

By Shiona McCallum and Joe Tidy

BBC News

Hackers have been able to gain access to the personal information of approximately 6.9 million users of genetic testing company 23andMe by using customers’ old passwords.

In some cases, this includes family trees, birth years and geographic locations, the company said.

After weeks of speculation the company has put a number on the breach, which affected more than half of its customers.

The stolen data does not include DNA records.

23andMe is a giant in the growing ancestry-tracing industry. It offers genetic testing from DNA with genealogy analysis and personalized health insights.

The biotechnology company, which is based in South San Francisco, was not hacked itself, but cyber-criminals logged into about 14,000 individual accounts, or 0.1% of its customers, using email and password details previously exposed in other hacks.

The company said that by accessing those accounts, hackers were able to access “a significant number of files containing profile information about the ancestry of other users.”

The criminals downloaded not only data from those accounts, but also the personal information of all other users linked to the family trees spanning the website.

The data stolen includes information such as names, how each person is related and in some cases birth years, locations, pictures, addresses and the percentage of DNA shared with relatives.

As first reported by TechCrunch, hackers were able to access the Family Tree profile information of approximately 1.4 million other customers participating in the DNA Relatives feature, including display names and relationship labels.

A batch of data was advertised on a hacking forum as a list of people of Jewish ancestry, raising concerns of targeted attacks.

But there is currently no evidence that any of the datasets being advertised had any buyers or were used by criminals.

Oz Alashe, CEO of risk management platform CybSafe, said the data breach at 23andMe “emphasizes the importance of improving cyber-security behavior in the general population”.

“Poorly secured accounts, with weak passwords and no two-factor authentication, put everyone who shares their sensitive data at risk,” he said.

23andMe said it is now notifying all affected customers as required by law. The company will force customers to change their passwords and improve the security of their accounts.

Source: www.bbc.com