source- FOX 5 New York
Genetic Testing Giant Confirms Massive Security Compromise
A staggering breach has rattled the foundations of 23andMe, the renowned genetic testing company, as it confirms unauthorized access to nearly seven million user profiles. A spokesperson disclosed to CNN on Tuesday that the breach encompassed sensitive details such as ancestry reports, zip codes, and birth years, significantly impacting a subset of the company’s extensive user base.
The Scale of the Breach
The unsettling revelation came to light through a filing to the Securities and Exchange Commission (SEC) on Friday, where 23andMe indicated that approximately 0.1% of its user accounts, approximately 14,000 profiles, fell victim to the cyber intrusion. However, subsequent investigations unveiled a more substantial impact, with hackers infiltrating around 5.5 million profiles employing the company’s DNA Relatives feature.
Extent of Compromised Information
Notably, hackers also managed to access a subset of family tree data linked to 1.4 million DNA Relatives profiles, raising concerns about the depth and breadth of compromised personal information. Engadget, a prominent tech news outlet, initially shed light on the broader implications of this extensive security breach.
Ongoing Cybersecurity Woes
This incident adds 23andMe to the roster of major U.S. corporations grappling with severe cybersecurity breaches affecting a larger populace than initially acknowledged. Just recently, Okta, an identity management firm, acknowledged a data breach impacting all users within its customer support system, a figure significantly higher than initially reported.
Modus Operandi: Credential Stuffing
The method of intrusion employed by the hackers has been identified as ‘credential stuffing.’ Leveraging old usernames and passwords obtained from other platforms, this rudimentary yet effective technique facilitated unauthorized access to numerous 23andMe customer accounts.
Company’s Response and Measures Taken
In response to the breach, 23andMe embarked on a comprehensive investigation aided by third-party forensic experts. Despite declining to disclose the perpetrators, the company is diligently notifying affected customers, complying with legal obligations.
A statement posted on the company’s website outlined measures to bolster data protection, mandating password resets for existing customers and implementing two-step verification for both new and existing users.
As concerns over data security and privacy amplify, this breach underscores the pressing need for stringent measures to safeguard sensitive personal information in an increasingly digitized world.
The ramifications of such a breach extend far beyond the compromised data itself. Users are now grappling with potential identity theft, privacy infringement, and the misuse of their genetic information. This breach has reignited conversations about the ethical responsibilities of companies dealing with highly personal data and the imperative to fortify cybersecurity protocols.
In the wake of this breach, regulatory bodies and lawmakers are likely to intensify their scrutiny of companies handling sensitive user data, potentially leading to stricter compliance standards and regulations aimed at fortifying cybersecurity measures and protecting consumer privacy.
As 23andMe continues its damage control and endeavors to rebuild trust, the cybersecurity landscape faces renewed challenges, emphasizing the criticality of proactive measures to thwart malicious cyber threats and safeguard user information from similar breaches in the future.