(NationalUSNews.com) — On Friday, December 1, the popular genetic testing company 23andMe announced that a data breach had allowed hackers access to 0.1% of its users’ data. This would reflect roughly 14,000 individual accounts.
However, due to the opt-in DNA Relatives feature that allows users to see partial profiles of people to whom they may be related, the true number of users whose data has been accessed may be up to 6.9 million. This is the second such breach within the last few months, following the previous announcement regarding an earlier breach on October 6.
While 23andMe may not characterize this as a data breach, some of the affected users are not interested in quibbling. Rather than hacking the main servers of 23andMe, hackers may have used more direct methods of accessing users’ accounts. One typical method, known as credential stuffing, is to try passwords that people have used for other websites, as many people use the same passwords for multiple sites. Buying and selling lists of these collected passwords is a common practice among hackers. Once in possession of such a list, they can test the passwords on any website they are interested in collecting data from. It is a very easy way to get access to protected account information, as they are essentially logging in as if they were the owner of the account.
Katie Watson, a spokesperson for 23andMe, confirmed that hackers gained access to the personal data of users who chose to use 23andMe’s DNA Relatives feature. This data would include the person’s name, age, any relationship labels they might have listed, and the percentage of DNA shared with relatives, as well as ancestry reports and self-reported location.
The proposed class-action lawsuit against 23andMe, which was filed with the B.C. Supreme Court, states that this personal data was offered for sale by cybercriminals on the dark web. The lawsuit is a joint venture between KND Complex Litigation in Toronto and the YLaw Group out of Vancouver.
Copyright 2023, NationalUSNews.com