23andMe Confirms Data Breach That Started as a Credential Stuffing Attack

23andMe confirmed that the millions of genetic profiles and personal information that leaked only a month ago were part of a security incident, according to a filing with the Securities and Exchange Commission (SEC).

Some of the data that ended up online includes users' full names, usernames, profile photos, date of birth, sex, genetic ancestry details, and location. However, the biggest problem for the company is a feature named DNA Relatives.

When using 23andMe, DNA Relatives lets users match their results with others who participated in the program, including sensitive information. According to a report by The Verge, 5.5 million DNA Relatives' profiles ended up online even though they weren’t part of the original data breach.

This leads to the real method hackers used to access the initial profiles. It turns out that it was a classic credential-stuffing attack, which means criminals used credentials from other data breaches to gain access to 23andMe accounts. Statistically, at least 21 percent of people use the same credentials when creating new accounts.

"Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available," the company explained in the SEC filing.

While 0.1 percent seems very small, it's around 14,000 people. However, with the DNA Relatives option enabled on those compromised accounts, the number of leaked profiles grew exponentially.

Since the incident, 23andMe has taken a couple of steps to fix the problem and strengthen security. First of all, all users had to reset their passwords, and starting Nov. 6, two-step verification is mandatory for anyone logging in to the service.

The company also revealed in the SEC filing that the security incident already cost them between $1 million and $2 million, and multiple class action claims have been filed against the company.