Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Security

23andMe Scraping Incident Leaked Data On 1.3 Million Users (therecord.media) 25

Jonathan Greig writes via The Record: Genetic testing giant 23andMe confirmed that a data scraping incident resulted in hackers gaining access to sensitive user information and selling it on the dark web. The information of nearly 7 million 23andMe users was offered for sale on a cybercriminal forum this week. The information included origin estimation, phenotype, health information, photos, identification data and more. 23andMe processes saliva samples submitted by customers to determine their ancestry.

When asked about the post, the company initially denied that the information was legitimate, calling it a "misleading claim" in a statement to Recorded Future News. The company later said it was aware that certain 23andMe customer profile information was compiled through unauthorized access to individual accounts that were signed up for the DNA Relative feature -- which allows users to opt in for the company to show them potential matches for relatives. [...] When pressed on how compromising a handful of user accounts would give someone access to millions of users, the spokesperson said the company does not believe the threat actor had access to all of the accounts but rather gained unauthorized entry to a much smaller number of 23andMe accounts and scraped data from their DNA Relative matches.

A researcher approached Recorded Future News after examining the leaked database and found that much of it looked real. [...] The researcher downloaded two files from the BreachForums post and found that one had information on 1 million 23andMe users of Ashkenazi heritage. The other file included data on more than 300,000 users of Chinese heritage. The data included profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user has opted into 23andme's health data. The researcher added that he discovered another issue where someone could enter a 23andme profile ID, like the ones included in the leaked data set, into their URL and see someone's profile. The data available through this only includes profile photos, names, birth years and location but does not include test results.

This discussion has been archived. No new comments can be posted.

23andMe Scraping Incident Leaked Data On 1.3 Million Users

Comments Filter:
  • by Rosco P. Coltrane ( 209368 ) on Friday October 06, 2023 @08:08PM (#63907413)

    "Hey! I'm gonna ask this US company to analyze my DNA! It's totally safe because companies today are not at all known for violating people's privacy and monetizing people's data - and it's not like DNA is your most intimate dataset - and US companies specifically are not at all known for collaborating with overreaching law enforcement and barely constitutional state agencies."

    Why anybody with any sense of self-preservation would send their DNA to be analyzed by a private US for-profit is totally beyond me.

    • I'm told you can use a German service anonymously if you have health concerns.

      But they could have 'bugs' that let DIA downlosd your data too, dunno.

      • by Anonymous Coward

        Why anybody with any sense of self-preservation would send their DNA to be analyzed by a private US for-profit is totally beyond me.

        I agree. Unfortunately, my twin brother decided it would be a good idea, and without even consulting with me or anyone else in our family, submitted "his" DNA. So now I'm essentially in their database, despite never having done anything to put myself in their database.

    • by Bongo ( 13261 )

      I for one never used them for that very reason.

      And how many companies have my data in other ways...

      Can we have a law that any system built which holds personal data, must give a login to the person, so each person can see what data is there about them ?

    • What bad thing will happen to me if my DNA info is leaked?

      What actual harm will occur?

      • by AmiMoJo ( 196126 )

        Discrimination. Maybe your employer hates Jews and will fire you if they discover you are one, or even 10% Jewish by DNA.

        They are selling this data for thousands of dollars, sold in batches ordered by race. Clearly there is high demand for it.

      • by clovis ( 4684 ) on Saturday October 07, 2023 @09:25AM (#63908047)

        What bad thing will happen to me if my DNA info is leaked?

        What actual harm will occur?

        Company provided group health insurance rates are based in part on that company's claims history. It could be a money-saver to eliminate employees known to have genetic disease tendencies such as BRCA gene anomalies.
        Also, the company would not want to promote high risk people into positions of greater responsibility.
        Stuff like that.

        • But my DNA shows I don't have any genetic diseases, so my insurance rates should go down.

          • by HiThere ( 15173 )

            Sorry, but your claim is impossible. We don't know enough to know that "my DNA shows I don't have any genetic diseases". Only that you don't have certain causes of certain diseases.

            That's still a reason for your insurance rates to go down, but somehow I think your suggestion that that would happen was intended as humor.

      • What bad thing will happen to me if my DNA info is leaked?

        What actual harm will occur?

        Doctors are not infallible.
        We share 60% of our DNA with bananas.

  • by anomaly256 ( 1243020 ) on Friday October 06, 2023 @08:21PM (#63907435)
    ...are going to love that data
    • ...are going to love that data

      In many countries, including America, it is illegal to use DNA data for denying or setting rates of health insurance.

      • Hopefully affected people would be able to prove that is the reason for any premium increases or policy rejections. Some insurance companies can be a bit unscrupulous.
      • by indytx ( 825419 )

        ...are going to love that data

        In many countries, including America, it is currently illegal to use DNA data for denying or setting rates of health insurance.

        Fixed that for you.

  • all i want to know is if 23andMe takes their customer’s privacy seriously.

Truly simple systems... require infinite testing. -- Norman Augustine

Working...