In a new batch of emails, 23andMe is notifying users that their information was exposed to a hacker scraping data from the DNA testing service.
Several users reported receiving the email as the company continues to investigate how a hacker abused 23andMe’s “DNA relatives” feature to collect data from potentially millions of users.
"After further review, we have identified your DNA Relatives profile as one that was impacted in this incident,” the company writes. “Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives.”
The email suggests 23andMe has been uncovering more customer profiles ensnared in the breach. This occurs a week after a mysterious user in a hacking forum named “Golem” allegedly published records on 4 million users. On Oct. 3, a seperate user in the same hacking forum claimed to have stolen data from 7 million users.
23andMe didn’t immediately respond to a request for comment. But last week, the company told PCMag it was reviewing the data Golem allegedly leaked on the hacking forum. “Our investigation is ongoing and if we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information,” it said at the time.
The breach initially involved a hacker merely breaking into select users accounts. According to 23andMe, the hacker likely bought login credentials that were stolen in another breach and pluggied them into the DNA testing website in the hopes that people used the same password across multiple accounts. (You should stop doing that.)
Normally, such hijackings only affect users who had their accounts breached. But in this case, it looks like the hacker was able to access a wide array of customer-profile data through 23andMe’s DNA Relatives feature, which lets members find and see the profiles of people with whom they share genetic material.
Using the DNA Relatives feature is optional, but those who do create a profile that other members can see, allowing them to view ancestry results, along with photo, birth year, location, ancestors' birth locations and family tree, if provided. 23andMe has since “temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect the privacy of our customers.”
In the meantime, the data scraping has been frustrating users who say they had strong unique passwords for 23andMe, but still had their information stolen. In response, a growing number of consumers have filed class-action lawsuits against the DNA testing company, faulting it for failing to stop the breach and demanding it pay damages.
However, 23andMe previously told PCMag: “We have since notified customers and taken additional security measures, including requiring all accounts to go through a password reset and advising customers to enable multi-factor authentication. We are working with outside forensic experts as part of our ongoing investigation, as well as with federal law enforcement.”
