News Heading

23andMe Security Breach Results in Theft of Raw Genotype Data, Health Reports

Reading time: 2 min

Updated on Feb 3, 2024

  • Shipra Sanganeria

    Written by: Shipra Sanganeria Cybersecurity & Tech Writer

  • Justyn Newman

    Fact-Checked by Justyn Newman Head Content Manager

Popular US-based genetic testing service provider, 23andMe notified customers that hackers may have stolen their sensitive information, including certain genotype data and health reports.

The security breach was first noticed after some of the stolen data was published on the popular hacking site, BreachForums and the unofficial 23andMe subreddit site, in October last year.

Following which an internal investigation was launched, which revealed that between April to September 2023, hackers had used credential stuffing attacks to access registered users’ data.

In a notification letter sent to the Office of California’s Attorney General, 23andMe stated, ‘’threat actor accessed those accounts where the usernames and passwords that were used on 23andMe.com were the same as those used on other websites that were previously compromised or otherwise available.’’

Its investigation revealed that attackers were able to access raw genotype data and certain health reports like, health-predisposition reports, wellness reports, and carrier status reports. In addition to these, it’s suspected that hackers may have also accessed a user’s self-reported health condition information and other personal information.

Furthermore, customers availing its DNA Relatives feature may have had their DNA Relatives and Family Tree profile information stolen. The attack also allowed the threat actors to gain access to the following information (if shared via the DNA Relatives feature):

  • Ancestry reports and matching DNA segments (specifically where on your chromosomes you and your relative had matching DNA)
  • Self-reported location (city/zip code)
  • Ancestor birth locations and family names, a weblink to user created family tree, profile picture and birth year
  • Other information included in the profile’s “Introduce yourself” section

After the discovery, 23andMe customers were required to reset their passwords using multi-factor authentication. Both new and existing users were also required to use two-step verification, while accessing their user account.

This incident also led multiple victims to file a class action lawsuit against 23andMe.

Did you like this article? Rate it!
I hated it I don't really like it It was ok Pretty good! Loved it!
0 Voted by 0 users
Title
Comment
Thanks for your feedback
Please wait 5 minutes before posting another comment.
Comment sent for approval.

Leave a Comment

Show more...