Customers of DNA company 23andMe may want to secure their online profiles after the company announced Friday it was investigating the alleged leak of user data information.
Wired.com and multiple cybersecurity sites are reporting that hackers this week posted claims that they had at least 1 million data points from the DNA company and offered them for sale.
Recommended Videos
23andMe markets DNA kits, and provides customers with information on genetics, health and ancestry.
In a statement by 23andMe, a spokesperson said the company did not believe that its own data systems were compromised.
Instead, the company believes the perpetrators used a process called credential stuffing. This is when hackers obtain compromised online log-ins and plug them into other websites to try and gain access.
It’s believed the hackers used those compromised credentials to log into a 23andMe service called DNA Relatives, which is an opt-in feature that allows people to contact relatives who are also using the service.
The data includes information that the user would have added to their profile, including a display name, a profile photo, sex, birth year and location. The profile also would include some genetic ancestry data, like a person’s ancestral geographic region, but not raw genetic data.
Finally, the hacker would have been able to access the potential relatives the user contacted through DNA Relatives.
“We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts. We are taking this issue seriously and will continue our investigation to confirm these preliminary results,” a spokesperson said.
In the meantime, 23andMe is urging customers to reset their passwords and consider adding 2-step verification to their 23andMe accounts.
Get today’s headlines in minutes with Your Florida Daily: