cyber Breach

23andMe

Oct 15, 2023 1 min read
23andMe

23andMe discovered that specific customer profile data that customers had agreed to share through their DNA Relatives function had been gathered from individual accounts without the users' consent.

They launched an investigation as soon as they became aware of any suspicious conduct.

While they are still looking into this situation, they think that when individuals reused login information, threat actors may have gained access to some accounts.

According to the company, the threat actor may then have accessed certain 23andMe.com accounts without authorization in violation of their Terms of Service and obtained information from those accounts, including details about users' DNA Relatives profiles, to the extent a user opted into that service.

Source: https://blog.23andme.com/articles/addressing-data-security-concerns

TPRM report: https://scoringcyber.rankiteo.com/company/23andme

"id": "23a24161023",
"linkid": "23andme",
"type": "Data Leak",
"date": "10/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Biotechnology',
                        'name': '23andMe',
                        'type': 'Company'}],
 'attack_vector': 'Credential Reuse',
 'data_breach': {'sensitivity_of_data': 'Medium to High',
                 'type_of_data_compromised': 'DNA Relatives profiles'},
 'description': '23andMe discovered that specific customer profile data that '
                'customers had agreed to share through their DNA Relatives '
                'function had been gathered from individual accounts without '
                "the users' consent. They launched an investigation as soon as "
                'they became aware of any suspicious conduct. While they are '
                'still looking into this situation, they think that when '
                'individuals reused login information, threat actors may have '
                'gained access to some accounts. According to the company, the '
                'threat actor may then have accessed certain 23andMe.com '
                'accounts without authorization in violation of their Terms of '
                'Service and obtained information from those accounts, '
                "including details about users' DNA Relatives profiles, to the "
                'extent a user opted into that service.',
 'impact': {'data_compromised': ['DNA Relatives profiles']},
 'initial_access_broker': {'entry_point': 'Reused login information'},
 'investigation_status': 'Ongoing',
 'motivation': 'Data Theft',
 'post_incident_analysis': {'root_causes': ['Credential Reuse']},
 'title': 'Unauthorized Access to 23andMe DNA Relatives Data',
 'type': 'Unauthorized Access',
 'vulnerability_exploited': 'Reused login information'}
Published by
Roshni Ray
Roshni Ray
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.