23andMe data leak

The 23andMe data leak was a data breach at personal genomics company 23andMe reported in October 2023. The cyberattack gathered profile and ethnicity information from millions of users. The affected customers were reported as primarily Ashkenazi Jews but also including hundreds of thousands of ethnically Chinese users. The hacker(s) stole information customers had chosen to share with their DNA matches, which could include name, profile photo, birth year, location, family surnames, grandparents' birthplaces, ethnicity estimates, mitochondrial DNA haplogroup, Y-chromosome DNA haplogroup, link to external family tree, and any text content a customer had optionally included in their "About" section. On October 6, 2023, the company confirmed that the hacker(s) had illicitly accessed data on approximately 6.9 million users.

Background
In October 2023, Wired reported that a sample of data points from 23andMe accounts were exposed on BreachForums, a black-hat hacking crime forum.

23andMe confirmed to TechCrunch that because of an opt-in feature that allows DNA-related relatives to contact each other, the true number of people exposed was 6.9 million, nearly half of 23andMe’s 14 million reported customers.

One batch of data was advertised on a hacking forum as a list of Ashkenazi Jews, and another as list of people of Chinese descent, sparking concerns about targeted attacks.

Attack
In October 2023, a hacker known as Golem claimed to have hijacked the profile information of millions of users from 23andMe. The attack, acknowledged by the company, was a result of hacking techniques including 'credential stuffing' to gain unauthorised access to the profile information of millions of users. The compromised data included personal information on user profiles, raising concerns about privacy.

Response
In October 2023, some impacted users filed a class action lawsuit in California alleging "Negligence, Breach of Implied Contract, Invasion of Privacy and Unjust Enrichment." That same month, a 23andMe spokesperson told TechCrunch that the company was “reviewing the data to determine if it is legitimate.” 23andMe "temporarily disabled some features within the DNA Relatives tool," preventing customers from seeing the chromosome browser or shared DNA matches. 23andMe disabled the ability for users to download their raw data. In December 2023, 23andMe updated its terms of service to prevent class action lawsuits.

The company ordered a thorough investigation, through which it confirmed that the data was stolen via a credential stuffing attack. The investigation also revealed that there is no evidence of a cyber security incident on the company's IT systems. Those who had their data stolen had opted in to the ‘DNA relatives’ feature, which allowed the malicious actor(s) to scrape their data from their profiles.

The breach prompted legal scrutiny, with Connecticut's attorney general pressing 23andMe for answers. He asserted that the breach resulted in the targeted exfiltration and sale of at least one million data profiles on the black market.

In this same timeframe, 23andMe began requiring two-factor authentication, along with Ancestry.com and MyHeritage out of security concerns following the breach.