23andMe, the biotech and DNA-collection company, has confessed to a grave oversight: it failed to detect any malicious activity for an entire five-month period while attackers infiltrated user accounts.
The Breach Timeline
Attackers’ Entry: Between April 29 and September 27, 2023, cybercriminals exploited credential stuffing techniques to gain unauthorized access to user accounts.
Silent Intrusion: Astonishingly, 23andMe’s internal security tools remained oblivious to the ongoing breach. No alarms were raised during this critical period.
Reddit’s Unintended Clue: The breach came to light only in October when a Reddit post surfaced, hinting at the sale of compromised data. It was a vigilant Reddit user who inadvertently blew the whistle.
The Vulnerable Data
DNA Relatives Feature: The breached accounts primarily belonged to users who had enabled the DNA Relatives feature. This feature allows users to find potential relatives based on DNA matches.
Exposed Information: The compromised data included:
Basic profile details (last login, relationship labels, predicted relationships).
Percentage of shared DNA.
Account display names (configurable by users).
Optional additional information shared with DNA matches (ancestry reports, matching DNA segments, family trees, and more).
The Wake-Up Call
Credential Stuffing: Detecting credential stuffing attacks can be challenging. Attackers replay valid username and password pairs leaked in other breaches, so each individual login succeeds with legitimate credentials and looks like a normal user session; the attack is only visible in the aggregate, as many distinct accounts being tried from the same source with a high failure rate.
Two-Factor Authentication (2FA): The industry’s age-old advice remains relevant—enable 2FA. 23andMe, unfortunately, mandated it only in November, well after the breach was detected.
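To make the detection point concrete, here is an added example (not 23andMe's code, and the log format, source addresses and account names are constructed) that flags credential stuffing from authentication logs: a source that tries many distinct accounts with a high failure ratio is flagged, while a single user logging in normally or a brute force against one account is not, and the accounts that did authenticate from a flagged source are listed for password reset and session revocation.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (hypothetical format; not real data).
LOG_LINES = """\
2023-05-02T10:00:01 src=203.0.113.7 user=alice result=FAIL
2023-05-02T10:00:02 src=203.0.113.7 user=bob result=FAIL
2023-05-02T10:00:02 src=203.0.113.7 user=carol result=OK
2023-05-02T10:00:03 src=203.0.113.7 user=dave result=FAIL
2023-05-02T10:00:03 src=203.0.113.7 user=erin result=FAIL
2023-05-02T10:00:04 src=203.0.113.7 user=frank result=OK
2023-05-02T10:00:04 src=203.0.113.7 user=grace result=FAIL
2023-05-02T10:00:05 src=203.0.113.7 user=heidi result=FAIL
2023-05-02T10:05:00 src=198.51.100.9 user=ivan result=OK
2023-05-02T10:06:00 src=198.51.100.9 user=ivan result=OK
2023-05-02T10:07:00 src=192.0.2.5 user=judy result=FAIL
2023-05-02T10:07:10 src=192.0.2.5 user=judy result=FAIL
2023-05-02T10:07:20 src=192.0.2.5 user=judy result=OK
""".splitlines()

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(OK|FAIL)")

def parse(lines):
    """Extract (source, account, result) triples; lines that don't match are skipped."""
    return [m.groups() for line in lines if (m := LINE_RE.search(line))]

def detect_stuffing(lines, min_accounts=5, min_fail_ratio=0.5):
    """Return {source: sorted accounts that authenticated OK} for every source
    whose pattern matches credential stuffing: at least `min_accounts` distinct
    accounts attempted and a failure ratio of at least `min_fail_ratio`.
    Thresholds are assumed values; a production rule would also bucket by time
    window and by user agent or ASN, since stuffing tools rotate source IPs."""
    per_src = defaultdict(lambda: {"users": set(), "ok": set(), "fails": 0, "total": 0})
    for src, user, result in parse(lines):
        s = per_src[src]
        s["users"].add(user)
        s["total"] += 1
        if result == "FAIL":
            s["fails"] += 1
        else:
            s["ok"].add(user)  # accounts the attacker actually got into
    flagged = {}
    for src, s in per_src.items():
        if len(s["users"]) >= min_accounts and s["fails"] / s["total"] >= min_fail_ratio:
            flagged[src] = sorted(s["ok"])
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(LOG_LINES))  # {'203.0.113.7': ['carol', 'frank']}
```

The single-account failures from 192.0.2.5 are a different signal (password guessing or a forgetful user) and are left to a per-account lockout rule rather than this one.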
Lessons Learned
Vigilance Matters: Organizations must remain vigilant, even when dealing with sensitive data like DNA profiles.
Swift Detection: Early detection is crucial. Implement robust monitoring and response mechanisms.
Privacy Protection: As technology advances, safeguarding user privacy becomes paramount. The breach underscores the need for stringent security practices.
The Biosecurity Implications
While the recent 23andMe breach primarily involved compromised user accounts and sensitive genetic data, it also raises biosecurity concerns that extend beyond individual privacy. Here’s how this breach could potentially become a bio threat to the average person:
1. Genetic Blackmail and Extortion
Targeted Attacks: Imagine a scenario where malicious actors gain access to your DNA data. They could threaten to reveal sensitive health information or genetic predispositions unless you comply with their demands.
Health Insurance Discrimination: Genetic information could be used against you by health insurance companies. If they discover unfavorable health markers in your DNA, they might deny coverage or increase premiums.
2. Identity Theft and Impersonation
Biometric Identity: Our DNA is a unique identifier. If someone gains access to your genetic data, they could potentially impersonate you in various contexts—medical records, legal proceedings, or even criminal activities.
Medical Fraud: Fraudsters might use your genetic information to obtain prescription drugs, medical services, or disability benefits in your name.
3. Targeted Biological Attacks
Designer Pathogens: With knowledge of your genetic vulnerabilities, attackers could engineer targeted biological agents. These could exploit specific genetic weaknesses, causing harm or even fatalities.
Ethnic Bioweapons: Genetic data could be weaponized to create bioweapons that selectively affect certain ethnic or racial groups.
4. Familial Implications
Family Tree Vulnerabilities: By compromising your DNA Relatives feature, attackers gain insights into your family tree. This could lead to targeted attacks on your relatives.
Inherited Health Risks: If your genetic data reveals hereditary health conditions, it affects not only you but also your family members.
5. Population-Level Threats
Aggregate Data: Aggregated genetic data from breaches could reveal broader patterns. For instance, identifying common genetic markers in a specific population could lead to targeted attacks or discrimination.
Bioinformatics Research: Researchers rely on large-scale genetic datasets. If compromised data enters research databases, it could skew scientific findings or lead to unintended consequences.
Mitigation Strategies
Encryption and Access Controls: Companies like 23andMe must prioritize robust encryption and access controls to safeguard genetic data.
Transparency and Consent: Users should be fully informed about data usage and consent options.
Legislation and Regulation: Governments must enact and enforce laws that protect genetic privacy and penalize breaches.
Genetic Literacy: Educating the public about the risks and benefits of genetic testing is crucial.
Remember, our genetic information is precious.