This is a story I’ve been keeping my eye on for a few weeks now, but held off writing anything until the full picture emerged.

Threat actors compromised the 23andMe network back in October this year. At the time of the breach, the company said that attackers had infiltrated some of its users’ accounts and piggybacked off this access to scrape personal data from a larger subset of users through the company’s opt-in, social sharing service known as DNA Relatives.

The company didn’t indicate exactly how many users had been impacted in the breach, but hackers had already begun selling data on criminal forums that seemed to be taken from at least a million 23andMe users, if not more.

On Friday, the company said in an SEC regulatory filing update that the personal data of 0.1% of customers (approx. 14,000 people) had been accessed by threat actors, but warned that hackers were also able to access “a significant number of files containing profile information about other users’ ancestry”.

The true number of people exposed to the attackers through the DNA Relatives option was 6.9 million – just under 50% of 23andMe’s 14 million reported customers.

The company also acknowledged that another group of about 1.4 million people who had opted in to 23andMe’s DNA Relatives feature “had their family tree profile information accessed”. This information includes names, relationship labels, birth year, self-reported location and other data.

Leaked data

Samples of stolen data from 23andMe accounts were exposed on BreachForums shortly after the breach was announced. The hackers claimed the samples contained 1m data points exclusively about Ashkenazi Jews. The leak also included data relating to thousands of users of Chinese heritage.

Hackers then began selling 23andMe profiles for amounts ranging between $1 and $10 per account, with information revealed that included some details about genetic ancestry results, like “broadly European” or “broadly Arabian”.

In November the hackers released user information containing records of a further 4 million users and claimed the information included people from the UK, with some of “the wealthiest people living in the US and western Europe on this list”.

Who are 23andMe?

23andMe is a website which offers DNA testing so people can identify their ancestral roots. The company was formed in 2006 and has offered DNA testing services since 2007.

Customers order a saliva testing kit online and send the samples back to the 23andMe laboratories for analysis.

After a sample is received by the lab, the DNA is extracted from the saliva and amplified so that there is enough to be genotyped. The DNA is then cut into small pieces and applied to a glass microarray chip, which has many microscopic beads applied to its surface. Each bead carries a gene probe that matches the DNA of one of the many variants the company tests for. If the sample contains a match, the sequences hybridize, or bind together, and a fluorescent label on the probe signals to researchers that this variant is present in the customer’s genome. Tens of thousands of variants are tested out of the 10 to 30 million located in the entire genome. These matches are then compiled into a report that is supplied to the customer, allowing them to know whether the variants associated with certain diseases, such as Parkinson’s, celiac and Alzheimer’s, are present in their own genome.

Over the years, the company has received many millions of dollars of investment from the likes of Google, GlaxoSmithKline, Genentech, and others.

In February 2021, the company announced that it had entered into a definitive agreement to merge with Sir Richard Branson’s special-purpose acquisition company, VG Acquisition Corp, in a $3.5 billion transaction. Later that year, the new company 23andMe Holding Co. floated on the Nasdaq.