23andMe Claims It Wasn’t Breached Despite Stolen Data

The genetic testing company notes that hackers gained access to accounts through credential stuffing.

Arguably one of the worst possible companies to lose user data has confirmed just that, with 23andMe admitting that it was targeted by hackers.

23andMe houses some of the most sensitive user data on the internet. As a DNA testing company, you’ll find more than just email addresses and phone numbers; this company stores data concerning your genetic information, which goes much deeper than your online credentials.

Now, with stolen user data confirmed by 23andMe, the company is insisting it wasn’t breached. So how did the hackers get all that info?

23andMe User Data Stolen

Reported by Wired and confirmed by 23andMe, the DNA testing company did, in fact, have user data stolen from the platform.

Even worse, the data is currently posted for sale on BreachForum, with the hacker in question asking for between $1 and $10 per account.

Even worse than that, the data specifically targets Ashkenazi Jews, with over 1 million data points relating to those specific individuals. There was also data from hundreds of thousands of users from Chinese descent found in the sample data provided by the hackers.

Surfshark logo🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this special tech.co offer.See deal button

How Did 23andMe User Data Get Stolen?

While user data was stolen, 23andMe categorically denies that an actual data breach took place. So how exactly did all that user data get stolen?

Well, according to 23andMe, the hackers in question were able to guess the login credentials of users to gain access to their accounts. Then, the hackers used the DNA Relatives feature, which users can opt into for the purpose of sharing more data with friends and family, to acquire even more information about other users.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts. We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.” – 23andMe spokesperson

The process the hackers used to gain access to these accounts is called “credential stuffing,” a strategy in which data leaked from other breaches is used to gain access to other platforms.

How to Protect Yourself Online

The only reason strategies like credential stuffing works when it comes to stolen user data is because people reuse passwords so often. 23andMe reiterated in their statement that using unique, complicated passwords for your account and enabling features like two-factor authentication would stop this kind of threat in its tracks.

Considering the average person has more than 100 passwords to keep track of, though, it’s safe to assume that kind of protection is hard to come by. Fortunately, password managers can help you manage this kind of security, coming up with complicated passwords and remembering them for you.

If you want to learn more about how to protect yourself online, feel free to check out our online safety guide to see how you can avoid having your data stolen.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Written by:
Conor is the Lead Writer for Tech.co. For the last six years, he’s covered everything from tech news and product reviews to digital marketing trends and business tech innovations. He's written guest posts for the likes of Forbes, Chase, WeWork, and many others, covering tech trends, business resources, and everything in between. He's also participated in events for SXSW, Tech in Motion, and General Assembly, to name a few. He also cannot pronounce the word "colloquially" correctly. You can email Conor at conor@tech.co.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals