The genetic testing company has revealed details of a data breach affecting 23andMe users that was disclosed earlier this fall. The company says its investigation found hackers were able to access information from 14,000 of its users.
Based on its investigation, hackers had accessed 0.1% of its customer base.
When the breach was first revealed in October, the company said its investigation “found that no genetic testing results have been leaked.” According to the new filing, the data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.”
All of this was obtained through a credential-stuffing attack, in which hackers used login information from other, previously compromised websites to access those users’ accounts on other sites. In doing this, the filing says, “the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online.”
Engadget has reached out to 23andMe for comment. Following the discovery of the breach, 23andMe instructed affected users to change their passwords and later rolled out two-factor authentication for all of its customers.
The company also wrote in the filing that it “believes that the threat actor activity is contained,” and is working to have the publicly-posted information taken down.
“While no company can ever completely eliminate the risk of a cyber attack, the company has taken certain steps to further protect its users’ data,” said 23andMe.
Losses incurred come to $1 million to $2 million in one-time expenses related to the incident during its fiscal third quarter. The company did not specify what that “significant number” of files is, nor how many of these “other users” were impacted, according to IANS.