23andMe Privacy Mess: Hacker Steals Millions of Profiles

23andMe is a personal genomics and biotechnology company based in Sunnyvale, California. In this state, data is regulated by CCPA - the first federal law of its kind in the US, and one that was modeled on GDPR.

The company was founded in 2006 by Linda Avey, Paul Cusenza, and Anna Wojcicki. It now has over 14 million customers worldwide, making it a leading player in the $3 billion genetic testing market.

After customers send in a saliva sample, 23andMe returns a personalized genetic report that makes for fascinating reading. The exact details included depend on the chosen package, with prices ranging from $100 to nearly $300. But the report can cover everything from ancestry to genetic health risks. It can also provide information on physical characteristics, sensory traits, and other behavioral features.

In October 2023, 23andMe experienced two data leaks.

First 23andMe Hack

On October 6th, the company announced that a hacker had compromised its database through "credential stuffing". In effect, the cybercriminal accessed personal accounts with login credentials that had previously been stolen from other online services, in other data breaches, and most probably by other hackers.

Because many people reuse their login details across multiple accounts, this tactic works. The hacker evaded 23andMe's security protocols using valid usernames and passwords Therefore, the company has advised all its customers to update their passwords immediately.

Second 23andMe Hack

Then on October 17th, the same hacker published a fresh dataset on four million 23andMe customers on cybercrime site BreachForum.

However, it seems the campaign began months before the leak became known to the public, and maybe even the company itself. Advertisements for 23andMe data appeared on the Dark Web's Hydra cybercrime forum in early August. TechCrunch also verified that this data aligned with the user information Golum offered for sale in October.

In addition to DNA ancestry, the stolen data features email addresses, genders, photos, and birth dates. Attackers could exploit this data to target users based on their ethnicity, sparking concerns that hackers might use the stolen information to promote hate crimes.

However, little more is known about this hack for the time being. The hacker Golum remains shrouded in mystery, and it's equally unclear whether their motivation was financial or political, or exactly how they actually obtained the data in the first place.

Previous 23andMe Privacy Violation

It's also worth noting that this is not the first 23andMe privacy issue. Back in 2018, it was revealed that the company sold genetic data from five million customers to pharmaceutical conglomerate GlaxoSmithKline (GSK). While this might aid in developing better drugs, it compromises personal data security.

Following the initial hack in early October, Golum, who was anonymous at the time, announced on the cybercrime marketplace BreachForums that they had a "one million Ashkenazi database" available for sale.

“Ashkenazi" is a rabbinical word that refers to the Jewish diaspora that has lived along the Rhine in Germany and France from the Middle Ages.

Since the first 23andMe leak, the database of genetic profiles has grown to include 4 million people. The hacker claims that their actions stemmed from anger towards Israel and its supporters.

This act is reprehensible, especially considering the violence experienced by Israeli citizens over the past two weeks.

Golum also asserts that the dataset includes some of "the wealthiest individuals from the U.S. and Western Europe." Allegedly, this list contains data related to the British Royal family and prominent families like the Rothschilds and Rockefellers.

However, one third of the stolen profiles are of German origin - a country that takes an uncompromising stance on privacy.

Reports indicate that individual 23andMe customer profiles are available for purchase at $10. The price drops to $1 per profile when bought in bulk, specifically in lots of 100,000. Yet, determining their true value is challenging since many of the 4 million customer profiles have already appeared online, allowing individuals to essentially download them without cost.

The 23andMe privacy leak is undoubtedly not the first suffered by the Direct-to-Consumer Genetic Testing (DTC-GT) industry.

In February 2023, popular DNA testing firm DNA Diagnostics Center (DDC) settled a lawsuit that arose from the theft of a database on 2.1 million people that it had “forgotten” about. 

Vitagene's AWS database leaked consumer information for years before experts detected the issue in 2019. In 2018, someone discovered the details of over 92 million MyHeritage accounts on a private server. Meanwhile, Ancestry.com acknowledged in 2017 that attackers had accessed the usernames, email addresses, and passwords of 300,000 users.

Every year, the industry experiences a significant data leak, theft, or breach.

This is bad news given just how many people have now spat into an envelope to learn more about themselves. In 2018, more DNA tests were bought than in every previous year in history combined. And since 2019, the four largest DTC-GT companies have tested more than 26 million people worldwide.

At TWIPLA, we strongly advise against sending your saliva samples over the internet. We also recognize the dangers associated with sharing personal data, and especially sensitive biometric information.

In essence, providing a DNA sample to any third-party company carries inherent risks. With data breaches, hacks, and leaks occurring regularly, personal data and the Dark Web make for dangerous bedfellows.

And unlike other types of data, genetic information cannot be scrubbed of personal identifiers and will reveal highly intimate details about the data subject.

When you combine the genetic information with other personal details in 23andMe’s customer profiles, it creates opportunities for identity theft, fraud, and even blackmail based on genetic vulnerabilities.

Insurers and employers might discriminate against those affected by the leak, limiting opportunities based on a person's genetic makeup. Moreover, the nature of genetic data puts family members at risk as well.

That’s the 23andMe Privacy Mess Explained

It's a strange time for data privacy advocacy.

On the one hand, policymakers continue to introduce new laws that restrict what companies can do with internet user data.

But on the other hand, the amount of personal data available online continues to grow.

The increasing popularity of online genetic testing is a good example of this, while the 23andMe privacy issues of the last month show just how vulnerable genetic data is to threats. Data privacy remains a mess but thankfully, many individuals and organizations are fighting to protect internet users from harm.

At TWIPLA, we believe in both strengthening global privacy laws and minimizing the personal data that companies collect on their users. These principles form the foundation for our website intelligence solution. That's why we power all our tools with cookieless tracking. And in Max Privacy Mode, we don't collect any personal data whatsoever.

If you want to join the fight for stronger data protection online, then you can help by choosing companies that take data privacy seriously.

So sign up to TWIPLA and see what you can do with website analytics that doesn't put visitors at risk.