23andMe Scraping Incident Leaked Data On 1.3 Million Users (therecord.media)
Jonathan Greig writes via The Record: Genetic testing giant 23andMe confirmed that a data scraping incident resulted in hackers gaining access to sensitive user information and selling it on the dark web. The information of nearly 7 million 23andMe users was offered for sale on a cybercriminal forum this week. The information included origin estimation, phenotype, health information, photos, identification data and more. 23andMe processes saliva samples submitted by customers to determine their ancestry.
When asked about the post, the company initially denied that the information was legitimate, calling it a "misleading claim" in a statement to Recorded Future News. The company later said it was aware that certain 23andMe customer profile information was compiled through unauthorized access to individual accounts that were signed up for the DNA Relative feature -- which allows users to opt in for the company to show them potential matches for relatives. [...] When pressed on how compromising a handful of user accounts would give someone access to millions of users, the spokesperson said the company does not believe the threat actor had access to all of the accounts but rather gained unauthorized entry to a much smaller number of 23andMe accounts and scraped data from their DNA Relative matches.
A researcher approached Recorded Future News after examining the leaked database and found that much of it looked real. [...] The researcher downloaded two files from the BreachForums post and found that one had information on 1 million 23andMe users of Ashkenazi heritage. The other file included data on more than 300,000 users of Chinese heritage. The data included profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user has opted into 23andme's health data. The researcher added that he discovered another issue where someone could enter a 23andme profile ID, like the ones included in the leaked data set, into their URL and see someone's profile. The data available through this only includes profile photos, names, birth years and location but does not include test results.
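The summary describes two distinct weaknesses: a profile ID pasted into a URL was enough to view someone's profile (a missing object-level authorization check), and a small number of compromised accounts were used to enumerate their DNA Relative matches at scale. The following is an added example written for this page, not 23andMe's code; the profile IDs, match graph and access log are constructed, and it shows the owner-or-opted-in-match check a defender would enforce on profile lookups, plus a simple detection rule that flags accounts fetching an unusual number of distinct relative profiles in a short window.

```python
"""Defender-side checks for the two weaknesses described above:
object-level authorization on profile lookups, and detection of
relative-list scraping from a handful of accounts.
All identifiers and log entries below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed match graph: profile -> profiles that have mutually opted
# into DNA Relatives with it (hypothetical IDs, not real 23andMe values).
MATCHES = {
    "p100": {"p200", "p300"},
    "p200": {"p100"},
    "p300": {"p100"},
    "p400": set(),
}

def can_view_profile(requester: str, target: str) -> bool:
    """Object-level check: a profile is visible only to its owner or to an
    opted-in DNA Relative match. Knowing a profile ID from a URL must never
    be sufficient on its own, which is the exposure the researcher reported."""
    if requester == target:
        return True
    return target in MATCHES.get(requester, set())

# Constructed access log: (ISO timestamp, requesting account, profile fetched).
# p100 browses two matches; acct-x enumerates 90 profiles in three minutes.
LOG = [
    ("2023-10-02T10:00:00", "p100", "p200"),
    ("2023-10-02T10:00:05", "p100", "p300"),
] + [
    ("2023-10-02T10:%02d:%02d" % (m, s), "acct-x", "p%d" % (1000 + m * 60 + s))
    for m in range(3) for s in range(0, 60, 2)
]

def scraping_suspects(log, window=timedelta(minutes=10), threshold=50):
    """Flag accounts that fetch more than `threshold` distinct relative
    profiles inside any sliding `window`. Normal users look at a few matches;
    an account harvesting its whole match list stands out. Returns
    {account: distinct profiles seen in the first offending window}."""
    per_account = defaultdict(list)
    for ts, account, target in log:
        per_account[account].append((datetime.fromisoformat(ts), target))
    suspects = {}
    for account, events in per_account.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {tgt for t, tgt in events[i:] if t - t0 <= window}
            if len(seen) > threshold:
                suspects[account] = len(seen)
                break
    return suspects
```

The threshold and window are placeholders; in practice they would be tuned against the distribution of match-list sizes and normal browsing rates, and the rule would sit alongside login anomaly detection (new device, credential-stuffing patterns) for the accounts that were taken over.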
Why would anybody send 23andme their DNA? (Score:5, Insightful)
"Hey! I'm gonna ask this US company to analyze my DNA! It's totally safe because companies today are not at all known for violating people's privacy and monetizing people's data - and it's not like DNA is your most intimate dataset - and US companies specifically are not at all known for collaborating with overreaching law enforcement and barely constitutional state agencies."
Why anybody with any sense of self-preservation would send their DNA to be analyzed by a private US for-profit is totally beyond me.
Re: (Score:3)
I'm told you can use a German service anonymously if you have health concerns.
But they could have 'bugs' that let DIA download your data too, dunno.
Re: (Score:1)
Why anybody with any sense of self-preservation would send their DNA to be analyzed by a private US for-profit is totally beyond me.
I agree. Unfortunately, my twin brother decided it would be a good idea, and without even consulting with me or anyone else in our family, submitted "his" DNA. So now I'm essentially in their database, despite never having done anything to put myself in their database.
Re: Why would anybody send 23andme their DNA? (Score:5, Insightful)
I'm very glad that you're better.
But the takeaway from your story is the utter failure of the healthcare system that had you turn to the undesirable option of sending your DNA to 23andme to solve your problem - something you would never have done if the healthcare system hadn't failed you so badly.
Re: (Score:2)
FWIW, gluten is not tasty. Gluten is a flavorless protein. But you'll need to build your own recipes to replace it in your favorite foods. (I CAN eat gluten, just not starch or sugar.) The thing is, the recipes are possible. Exactly what they are depends on what you like, and your needs are different from mine, so I can't guide you. But I guarantee that they ARE there. They may take a bit of experimentation to get right. E.g. gelatin and collagen act very differently in recipes, even though they're
Re: (Score:2)
I for one never used them for that very reason.
And how many companies have my data in other ways...
Can we have a law that any system built which holds personal data, must give a login to the person, so each person can see what data is there about them ?
Re: (Score:2)
What bad thing will happen to me if my DNA info is leaked?
What actual harm will occur?
Re: (Score:2)
Discrimination. Maybe your employer hates Jews and will fire you if they discover you are one, or even 10% Jewish by DNA.
They are selling this data for thousands of dollars, sold in batches ordered by race. Clearly there is high demand for it.
Re: (Score:2)
Gee I wonder why anyone would want a list of a million jews...
Re:Why would anybody send 23andme their DNA? (Score:4, Insightful)
What bad thing will happen to me if my DNA info is leaked?
What actual harm will occur?
Company provided group health insurance rates are based in part on that company's claims history. It could be a money-saver to eliminate employees known to have genetic disease tendencies such as BRCA gene anomalies.
Also, the company would not want to promote high risk people into positions of greater responsibility.
Stuff like that.
Re: (Score:2)
But my DNA shows I don't have any genetic diseases, so my insurance rates should go down.
Re: (Score:2)
Sorry, but your claim is impossible. We don't know enough to know that "my DNA shows I don't have any genetic diseases". Only that you don't have certain causes of certain diseases.
That's still a reason for your insurance rates to go down, but somehow I think your suggestion that that would happen was intended as humor.
Re: (Score:1)
What bad thing will happen to me if my DNA info is leaked?
What actual harm will occur?
Doctors are not infallible.
We share 60% of our DNA with bananas.
Insurance Companies... (Score:5, Interesting)
Re: (Score:2)
...are going to love that data
In many countries, including America, it is illegal to use DNA data for denying or setting rates of health insurance.
Re: Insurance Companies... (Score:2)
Re: (Score:2)
...are going to love that data
In many countries, including America, it is currently illegal to use DNA data for denying or setting rates of health insurance.
Fixed that for you.
just one question.. (Score:2)
All I want to know is if 23andMe takes their customer's privacy seriously.