23andMe: Hackers Accessed Data of 6.9M

Facts

• Genetic testing company 23andMe concluded an investigation into an October hack on Tuesday, confirming that cybercriminals gained access to the data of 6.9M people.¹
• The company said hackers accessed the accounts of 0.1% of customers, or around 14K. But by accessing that data, the hackers were able to gain access to 'a significant number of files containing profile information about other users’ ancestry.'²
• The company confirmed hackers accessed 5.5M users who opted into 23andMe's DNA Relatives feature, which allows customers to automatically share their information with those with common DNA, while 1.4M other users had their family tree information accessed.³
• The stolen data included usernames, birth years, locations, pictures, addresses, and the percentage of DNA shared with relatives. There’s no evidence that any of the data has been purchased or used by criminals.⁴
• Hackers gained access by using the email and password details that were the same on other unrelated websites previously hacked. CEO of risk management platform CybSafe, Oz Alashe, said the breach 'emphasizes the importance of improving cyber-security behaviors in the general population' and the importance of strong passwords and two-factor authentication.⁴
• The company doesn't expect a major financial fallout from the incident but expects to incur $1M to $2M in costs related to the breach.⁵

Sources: ¹CTV News, ²TechCrunch, ³USA Today, ⁴BBC News and ⁵Time.

Narratives

• Narrative A, as provided by TechCrunch. While it’s unfortunate that this user data was accessed, the company isn’t totally at fault. Users must learn to create stronger, unique passwords for all sites they use. And 23andMe will now require two-factor authentication to prevent future illegal access by bad actors.
• Narrative B, as provided by Futurism. Nothing is 100% safe on the internet, even when a company like 23andMe takes the necessary steps to prevent breaches. Cybercriminals are able to access data from other hacks and then use it to access other sites. That’s why it’s important to consider whether it’s worth trusting a private company with something as valuable as your DNA.