23andMe Breach
Lorenzo Franceschi-Bicchierai (Hacker News):
On Friday, genetic testing company 23andMe announced that hackers accessed the personal data of 0.1% of customers, or about 14,000 individuals. The company also said that by accessing those accounts, hackers were also able to access “a significant number of files containing profile information about other users’ ancestry.” But 23andMe would not say how many “other users” were impacted by the breach that the company initially disclosed in early October.
As it turns out, there were a lot of “other users” who were victims of this data breach: 6.9 million affected individuals in total.
With the breached accounts at their disposal, the attacker used 23andMe’s opt-in DNA Relatives (DNAR) feature—which matches users with their genetic relatives—to access information about millions of other users. According to a spokesperson the DNAR profiles of roughly 5.5 million customers could be accessed in this way, plus the Family Tree profile information of 1.4 million additional DNA Relative participants.
The 5.5 million DNAR Profiles contained sensitive details including self-reported information like display names and locations, as well as shared DNA percentages for DNA Relatives matches, family names, predicted relationships, and ancestry reports.
For a subset of these accounts, the stolen data might contain health-related information based upon the user’s genetics.
In response to the cyberattack, rather than implementing robust security measures, 23andMe has opted for a legal shield, mandating binding arbitration for disputes.
Give your family and friends the gift of not subjecting their genetics to businesses with a data breach record of, as of writing and I cannot stress this enough, half their customer base.
[…]
If you are a user, there are specific steps you need to follow this month to opt out of binding arbitration.
Every few years, I write an article about how it is generally not a good idea to voluntarily give your immutable genetic code to a for-profit company (or any other genetic database, for that matter), and how it is an even worse deal to pay money to do so. It is also not wise or ethical to gift a 23andMe Saliva Collection Kit to your loved ones for Christmas, their birthday, or any other reason.
Update (2023-12-19): Bill Toulas (via Hacker News):
“Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”
Breach didn’t involve any disclosure of genetic data that wasn’t authorized to the accounts that were logged in? This wasn’t someone stealing DNA samples…
Update (2024-01-04): Lorenzo Franceschi-Bicchierai (via Hacker News):
Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by TechCrunch.
[…]
In other words, by hacking into only 14,000 customers’ accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked.
But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”
“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.
Update (2024-02-01): Rolfe Winkler (via Hacker News):
23andMe’s valuation has crashed 98% from its peak and Nasdaq has threatened to delist its sub-$1 stock. Wojcicki reduced staff by a quarter last year through three rounds of layoffs and a subsidiary sale. The company has never made a profit and is burning cash so quickly it could run out by 2025.
[…]
But with 23andMe’s stock trading at just 74 cents, the company likely can’t raise money by selling more shares. And the company’s early-stage drug programs are so expensive, she has sought investor partners for some of them, so far unsuccessfully, and given up stakes in others.
[…]
At the center of 23andMe’s DNA-testing business are two fundamental challenges. Customers only need to take the test once, and few test-takers get life-altering health results.
Wojcicki’s most ambitious bet is developing drugs using 23andMe’s stockpile of more than 10 million DNA samples that test-takers have agreed may be used for research. But getting new drugs to market is expensive and takes years.
[…]
To create a recurring revenue stream from the tests, Wojcicki has pivoted to subscriptions. As media companies launched streaming “+” channels, Wojcicki rolled out 23andMe+, offering personalized health reports, lifestyle advice and unspecified “new reports and features as discoveries are made” for an initial $229, with annual renewals of $69.
I was a heavy believer of 23andMe until this point. I answered all of the available research questions, which was a thing that took absolutely hours and was filled with semi-invasive medical questions. I did this under the premise that I would hopefully be helping research and I felt really rewarded having completed all of them. Then, they dropped the + bombshell and I felt really rugpulled. I paid them for genotyping on their v4 and v5 platforms -- so I paid twice, I referred friends, I bought people kits, I helped research...and now I was being asked to pay a subscription for what I was promised to begin with? Eesh.
It happened right after the hack, but there’s also a new crop of competitors that let you upload your raw 23andMe data, so there’s speculation that it’s trying to stop the outflow.
If you email them about it, you just basically get a copy-pasta reply restating the message on the site [“As an added security measure, we have temporarily disabled the ability to download your raw genetic data.”], and if you keep emailing them 3+ times asking for a refund (ask me how I know), they’ll tell you you can manually upload identity verification and they’ll get back to you in 6-8 weeks with the data.
