Arguably one of the worst possible companies to lose user data has confirmed just that, with 23andMe admitting that it was targeted by hackers.
23andMe houses some of the most sensitive user data on the internet. As a DNA testing company, you'll find more than just email addresses and phone numbers; this company stores data concerning your genetic information, which goes much deeper than your online credentials.
Now, with stolen user data confirmed by 23andMe, the company is insisting it wasn't breached. So how did the hackers get all that info?
23andMe User Data Stolen
Reported by Wired and confirmed by 23andMe, the DNA testing company did, in fact, have user data stolen from the platform.
Even worse, the data is currently posted for sale on BreachForum, with the hacker in question asking for between $1 and $10 per account.
Even worse than that, the data specifically targets Ashkenazi Jews, with over 1 million data points relating to those specific individuals. There was also data from hundreds of thousands of users from Chinese descent found in the sample data provided by the hackers.
🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this Tech.co Black Friday offer.
How Did 23andMe User Data Get Stolen?
While user data was stolen, 23andMe categorically denies that an actual data breach took place. So how exactly did all that user data get stolen?
Well, according to 23andMe, the hackers in question were able to guess the login credentials of users to gain access to their accounts. Then, the hackers used the DNA Relatives feature, which users can opt into for the purpose of sharing more data with friends and family, to acquire even more information about other users.
“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts. We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.” – 23andMe spokesperson
The process the hackers used to gain access to these accounts is called “credential stuffing,” a strategy in which data leaked from other breaches is used to gain access to other platforms.
How to Protect Yourself Online
The only reason strategies like credential stuffing works when it comes to stolen user data is because people reuse passwords so often. 23andMe reiterated in their statement that using unique, complicated passwords for your account and enabling features like two-factor authentication would stop this kind of threat in its tracks.
Considering the average person has more than 100 passwords to keep track of, though, it's safe to assume that kind of protection is hard to come by. Fortunately, password managers can help you manage this kind of security, coming up with complicated passwords and remembering them for you.
If you want to learn more about how to protect yourself online, feel free to check out our online safety guide to see how you can avoid having your data stolen.