The post 23andMe hackers accessed ancestry information on millions of customers using a feature that matches relatives appeared first on Best News.
DNA Relatives (DNAR) profiles contain sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships and ancestry reports. Family Tree profiles contain display names and relationship labels, plus other information that a user may choose to add, including birth year and location. When the breach was first revealed in October, the company said its investigation “found that no genetic testing results have been leaked.”
According to the new filing, the data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.” All of this was obtained through a credential-stuffing attack, in which attackers take username and password pairs leaked from other, previously compromised websites and replay them against a new target, succeeding wherever a customer reused the same password on 23andMe. In doing this, the filing says, “the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online.”
Following the discovery of the breach, 23andMe instructed affected users to change their passwords and later rolled out two-factor authentication for all of its customers. In another update on Friday, 23andMe said it had completed the investigation and is notifying everyone who was affected. The company also wrote in the filing that it “believes that the threat actor activity is contained,” and is working to have the publicly-posted information taken down.
Update, December 2 2023, 7:03PM ET: This story has been updated to include information provided by a 23andMe spokesperson on the scope of the breach and the number of DNA Relative participants affected.
The post 23andMe user data breached in credential-stuffing attack appeared first on Best News.
A credential-stuffing attack involves user information that has already been compromised (usernames and passwords, for example) at one organization, which a hacker obtains and attempts to reuse against a second organization, in this case 23andMe. Because of the nature of credential stuffing, this does not appear to have been a breach of the company’s internal systems; rather, individual accounts were broken into one at a time, each with its own reused password. The perpetrators of this attack appear to have obtained quite sensitive information from the compromised accounts (photos, full names and geographical location, among other things). “Thus far, our investigation has found that no genetic testing results have been leaked,” a 23andMe spokesperson said in an email. In an official public statement, the company said that after becoming aware of suspicious activity, it immediately began an investigation.
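The article, here and in the section above, describes credential stuffing from the attacker's side. As an added illustration (this is not code from the article or from 23andMe, whose logging the article never describes), the following shows the defender's view: a detector that slides a time window over each source address in an authentication log and flags sources that try many distinct accounts with mostly failed attempts, which is the signature of a leaked credential list being replayed. The log format, the IP addresses, the usernames and the thresholds are all assumptions, and the sample log is constructed.

```python
"""Spotting credential stuffing in authentication logs.

Added example; not 23andMe's code. The article says nothing about the company's
logging, so the log format, addresses and thresholds here are assumptions.
"""
from collections import defaultdict, namedtuple
from datetime import datetime

AuthEvent = namedtuple("AuthEvent", "ts ip user ok")

# Constructed sample: 203.0.113.7 replays a leaked username/password list
# (many distinct accounts, mostly failures, a few hits); 198.51.100.5 is one
# person mistyping their own password; 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-05-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-05-01T10:00:03Z 203.0.113.7 carol@example.com OK
2023-05-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2023-05-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2023-05-01T10:00:06Z 203.0.113.7 frank@example.com OK
2023-05-01T10:00:07Z 203.0.113.7 grace@example.com FAIL
2023-05-01T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2023-05-01T10:00:09Z 203.0.113.7 ivan@example.com FAIL
2023-05-01T10:00:10Z 203.0.113.7 judy@example.com FAIL
2023-05-01T10:05:00Z 198.51.100.5 mallory@example.com FAIL
2023-05-01T10:05:09Z 198.51.100.5 mallory@example.com FAIL
2023-05-01T10:05:20Z 198.51.100.5 mallory@example.com OK
2023-05-01T10:07:00Z 192.0.2.9 oscar@example.com OK
"""


def parse_log(text):
    """Parse 'timestamp ip username OK|FAIL' lines into AuthEvents."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                ip, user, result == "OK"))
    return events


def detect_stuffing(events, window_seconds=600, min_users=5, min_fail_ratio=0.5):
    """Per source IP, slide a time window over its attempts and flag it when the
    window touches at least min_users distinct accounts and most attempts fail.
    A legitimate user hammers one account; a stuffing run walks a list of them.
    Returns {ip: {distinct_users, fail_ratio, compromised}}, where 'compromised'
    lists accounts that succeeded from the flagged source (reset those first)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(evs):
            while (ev.ts - evs[start].ts).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e.user for e in window}
            ratio = sum(1 for e in window if not e.ok) / len(window)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                # keep the widest qualifying window seen for this source
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "compromised": sorted({e.user for e in window if e.ok}),
                    }
    return flagged


def fleet_failure_ratio(events):
    """Share of all login attempts that failed. A campaign spread across many
    proxy addresses can stay under the per-IP threshold yet still push this
    well above its normal baseline, so alert on it as well."""
    return sum(1 for e in events if not e.ok) / len(events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in detect_stuffing(evs).items():
        print(ip, info)
    print("fleet failure ratio:", round(fleet_failure_ratio(evs), 3))
```

The per-IP rule catches a naive run like the constructed one; real campaigns rotate through residential proxies so that each address tries only a handful of accounts, which is why the fleet-wide failure ratio (and successes from never-before-seen devices) needs a baseline and an alert of its own.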
The initial leak comprised “1 million lines of data for Ashkenazi people,” according to BleepingComputer. By October 4, data was being offered for sale in bulk, in increments of 100, 1,000, 10,000 or 100,000 profiles. The scale of the attack is as yet unknown, but the scope of its impact has likely been exacerbated by 23andMe’s ‘DNA Relatives’ feature. “Relatives are identified by comparing your DNA with the DNA of other 23andMe members who are participating in the DNA Relatives feature,” the company states. After accessing an unknown number of profiles via credential-stuffing, the threat actor behind this breach apparently scraped the ‘DNA Relatives’ results for those profiles, netting much more sensitive data. According to the same FAQ page, “The number of relatives listed [...] grows over time as more people join 23andMe.” For the fiscal year 2023, the company reported it “genotyped” around 14 million customers.
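The paragraph above describes the amplification: a handful of taken-over accounts expose every relative that those accounts' DNA Relatives lists show. As an added example (not code or data from the article or from 23andMe), the block below models opted-in users as a graph, computes how many profiles a small set of compromised accounts can read, and flags accounts whose relatives-list reads look automated rather than like a person paging through. The graphs are constructed; the figure of 20 relatives per user, the 1% takeover rate and the 100-profiles-per-hour threshold are assumptions.

```python
"""Exposure amplification through a relative-matching feature.

Added example, not 23andMe's code or data. Relatives are modelled as an
undirected opt-in graph: an edge (u, v) means u's DNA Relatives list shows v's
profile and vice versa. Graph size, degree and takeover rate are assumptions.
"""
import random
from collections import defaultdict


def build_relatives_graph(n_users, avg_relatives, seed=1):
    """Random graph with about avg_relatives matches per user (constructed
    stand-in for real DNA matching)."""
    rng = random.Random(seed)
    adj = {u: set() for u in range(n_users)}
    edges, target = 0, n_users * avg_relatives // 2
    while edges < target:
        a, b = rng.randrange(n_users), rng.randrange(n_users)
        if a != b and b not in adj[a]:
            adj[a].add(b)
            adj[b].add(a)
            edges += 1
    return adj


def exposed_profiles(adj, compromised):
    """Every profile readable from the compromised accounts: the accounts
    themselves plus each relative their lists reveal. One hop only: the
    attacker can read a relative's profile but cannot log in as them."""
    exposed = set(compromised)
    for u in compromised:
        exposed |= adj[u]
    return exposed


def amplification(adj, compromised):
    """Profiles exposed per compromised account."""
    return len(exposed_profiles(adj, compromised)) / len(compromised)


def exposed_fraction(n_users, avg_relatives, takeover_rate, seed=1):
    """Share of the whole user base readable after a random takeover of
    takeover_rate of the accounts."""
    adj = build_relatives_graph(n_users, avg_relatives, seed)
    rng = random.Random(seed + 1)
    compromised = set(rng.sample(range(n_users), int(n_users * takeover_rate)))
    return len(exposed_profiles(adj, compromised)) / n_users


def scrape_suspects(views, max_distinct_per_window):
    """Flag accounts that read more distinct relative profiles in one window
    than a person paging through a list plausibly would.
    views: iterable of (account, window_id, relative_profile_id)."""
    counts = defaultdict(set)
    for account, window, relative in views:
        counts[(account, window)].add(relative)
    return sorted({acct for (acct, _), rels in counts.items()
                   if len(rels) > max_distinct_per_window})


# Hand-built toy graph: a-b, a-c, c-d; e opted in but has no matches yet.
TOY = {"a": {"b", "c"}, "b": {"a"}, "c": {"a", "d"}, "d": {"c"}, "e": set()}

# Constructed access log: 'scraper' pulls 300 distinct relative profiles in
# one hour; 'browser' opens a dozen.
SAMPLE_VIEWS = ([("scraper", "2023-05-01T10", f"rel{i}") for i in range(300)]
                + [("browser", "2023-05-01T10", f"rel{i}") for i in range(12)])


if __name__ == "__main__":
    print("toy: compromising 'a' exposes", sorted(exposed_profiles(TOY, {"a"})))
    print("1,000 users, 20 relatives each, 1% taken over ->",
          f"{exposed_fraction(1000, 20, 0.01):.0%} of profiles readable")
    print("scrape suspects:", scrape_suspects(SAMPLE_VIEWS, 100))
```

Amplification scales with list length: with 20 matches per user the constructed 1% takeover reaches roughly a fifth of all profiles, and the company's own FAQ says lists only grow as more people join. The read-rate check is the cheap control, since a matching feature that lets one logged-in session enumerate its whole list turns every reused password into a bulk export.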
Ever since 23andMe went public in 2021, the company has faced extra scrutiny for its data protection practices — rightly so, since it deals with sensitive medical data derived from saliva sampling, including predispositions for diseases like Alzheimer’s, Type 2 diabetes and even cancer. On its website, the company claims it “exceeds” data protection standards for its industry.
Update, October 7 2023, 3:15 PM ET: This story has been updated to correct a statement about the type of sensitive information that was compromised in the leak. The company said that so far, no genetic testing results have been leaked.
The post 23andMe hack now estimated to affect over half of customers appeared first on Best News.
The data breach was allegedly executed using compromised customer usernames and passwords, which exposed sensitive personal information including details relevant to ancestry trees, birthdays and general geographic locations. The company said that in some cases the hack could also have exposed the pictures and display names of relatives who use the service and were linked to the accounts that were directly breached. 23andMe insists that no actual genetic material or DNA records were exposed.
Legally, 23andMe is obligated to inform all impacted customers, and in October it asked all of its users to reset their passwords. Last month, the company said it had required all new and existing users to log into the 23andMe website using two-step verification, and that this will remain the standard going forward. The emphasis on account security comes after the completion of an internal investigation, which 23andMe says was conducted with the help of third-party forensics experts, but it has yet to release a report detailing the findings. The company did, however, say it expects to incur at least $1 million to $2 million in expenses related to the hack.
23andMe does more than give customers reports about their family trees: It offers genetic health risk tests for chronic diseases and cancers, and it also has a research arm where customers can opt into clinical research programs. Questions about how 23andMe handles data privacy and protects its digital assets could hurt the company’s bottom line if customers shy away from the services that involve more sensitive medical information.
The post 23andMe frantically changed its terms of service to prevent hacked customers from suing appeared first on Best News.
In an email sent to customers earlier this week viewed by Engadget, the company announced that it had made updates to the “Dispute Resolution and Arbitration section” of its terms “to include procedures that will encourage a prompt resolution of any disputes and to streamline arbitration proceedings where multiple similar claims are filed.” Clicking through leads customers to the newest version of the company’s terms of service that essentially disallow customers from filing class action lawsuits, something that more people are likely to do now that the scale of the hack is clearer.
“To the fullest extent allowed by applicable law, you and we agree that each party may bring disputes against the other party only in an individual capacity and not as a class action or collective action or class arbitration,” the updated terms say. Notably, 23andMe will automatically opt customers into the new terms unless they specifically inform the company that they disagree by sending an email within 30 days of receiving the firm’s notice. Unless they do that, they “will be deemed to have agreed to the new terms,” the company’s email tells customers.
23andMe did not respond to a request for comment from Engadget.
In October, the San Francisco-based genetic testing company headed by Anne Wojcicki announced that hackers had accessed sensitive user information including photos, full names, geographical location, information related to ancestry trees, and even names of related family members. The company said that no genetic material or DNA records were exposed. Days after that attack, the hackers put up profiles of hundreds of thousands of Ashkenazi Jews and Chinese people for sale on the internet. But until last week, it wasn’t clear how many people were impacted.
In a filing with the Securities and Exchange Commission, 23andMe said that “multiple class action claims” have already been filed against the company in both federal and state court in California and state court in Illinois, as well as in Canadian courts.
Forbidding people from filing class action lawsuits, as Axios notes, hides information about the proceedings from the public, since affected parties typically attempt to resolve disputes with arbitrators in private. Experts, such as Chicago-Kent College of Law professor Nancy Kim, an expert on online contracts, told Axios that changing its terms wouldn’t be enough to protect 23andMe in court.
The company’s new terms are sparking outrage online. “Wow they first screw up and then they try to screw their users by being shady,” a user who goes by Daniel Arroyo posted on X. “Seems like they’re really trying to cover their asses,” wrote another user called Paul Duke, “and head off lawsuits after announcing hackers got personal data about customers.”
The post 23andMe's data hack went unnoticed for months appeared first on Best News.
23andMe's filing contains the letters it sent customers who were affected by the incident. In the letters, the company explained that the attackers used a technique called credential stuffing, which entailed using previously compromised login credentials to access customer accounts through its website. The company didn't notice anything wrong until after a user posted a sample of the stolen data on the 23andMe subreddit in October. As TechCrunch notes, hackers had already advertised that stolen data on a hacker forum a few months before that in August, but 23andMe didn't catch wind of that post. The stolen information included customer names, birth dates, ancestry and health-related data.
23andMe advised affected users to change their passwords after disclosing the data breach. But before sending out letters to customers, the company changed the language in its terms of service in a way that reportedly makes it harder for people affected by the incident to band together and take legal action against the company.
The post Lawsuit says 23andMe hackers targeted users with Chinese and Ashkenazi Jewish heritage appeared first on Best News.
The lawsuit was filed in federal court in San Francisco after the company revealed that the hack had gone unnoticed for months. Apparently, the hackers started accessing customers' accounts using login details already leaked on the web in late April 2023 and continued with their activities until September. It wasn't until October that the company finally found out about the hacks. On October 1, hackers leaked the names, home addresses and birth dates of 1 million users with Ashkenazi Jewish ancestry on black hat hacking forum BreachForums.
After someone responded to the post asking for access to "Chinese accounts," the lawsuit said the poster linked to a file containing information on 100,000 Chinese users. The poster also said they had access to 350,000 Chinese profiles and could release more information if there was enough interest. In addition, the same poster allegedly returned to the forum in mid-October to sell data on "wealthy families serving Zionism" after the explosion at Al-Ahli Arab Hospital in Gaza.
"The current geopolitical and social climate amplifies the risks" to users whose data was exposed, according to the lawsuit, since the leaked information included their names and addresses. The plaintiffs want their case to be heard by a jury and are seeking compensatory, punitive and other damages.