header banner
Default

Slashdot: Data on 13 million users was exposed due to a 23andMe scraping incident


Table of Contents

    Jonathan Greig writes via The Record: Genetic testing giant 23andMe confirmed that a data scraping incident resulted in hackers gaining access to sensitive user information and selling it on the dark web. The information of nearly 7 million 23andMe users was offered for sale on a cybercriminal forum this week. The information included origin estimation, phenotype, health information, photos, identification data and more. 23andMe processes saliva samples submitted by customers to determine their ancestry.

    When asked about the post, the company initially denied that the information was legitimate, calling it a "misleading claim" in a statement to Recorded Future News. The company later said it was aware that certain 23andMe customer profile information was compiled through unauthorized access to individual accounts that were signed up for the DNA Relative feature -- which allows users to opt in for the company to show them potential matches for relatives. [...] When pressed on how compromising a handful of user accounts would give someone access to millions of users, the spokesperson said the company does not believe the threat actor had access to all of the accounts but rather gained unauthorized entry to a much smaller number of 23andMe accounts and scraped data from their DNA Relative matches.

    A researcher approached Recorded Future News after examining the leaked database and found that much of it looked real. [...] The researcher downloaded two files from the BreachForums post and found that one had information on 1 million 23andMe users of Ashkenazi heritage. The other file included data on more than 300,000 users of Chinese heritage. The data included profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user has opted into 23andme's health data. The researcher added that he discovered another issue where someone could enter a 23andme profile ID, like the ones included in the leaked data set, into their URL and see someone's profile. The data available through this only includes profile photos, names, birth years and location but does not include test results.


    Sources


    Article information

    Author: James Chavez

    Last Updated: 1699660203

    Views: 705

    Rating: 4.3 / 5 (94 voted)

    Reviews: 82% of readers found this page helpful

    Author information

    Name: James Chavez

    Birthday: 2002-02-22

    Address: 937 Brennan Crossroad, North Michael, TX 42774

    Phone: +4026594030206409

    Job: Radiologist

    Hobby: Juggling, Puzzle Solving, Basketball, Tea Brewing, Arduino, Bird Watching, Hiking

    Introduction: My name is James Chavez, I am a exquisite, tenacious, vibrant, Colorful, cherished, accessible, radiant person who loves writing and wants to share my knowledge and understanding with you.