23andMe says private user data is up for sale after being scraped::Records reportedly belong to millions of users who opted in to a relative-search feature.

  • stifle867@programming.dev
    link
    fedilink
    English
    arrow-up
    18
    arrow-down
    1
    ·
    1 year ago

    As unfortunate is this is, the more it happens my hope is that people understand how important your privacy and security is on the internet. Trying to explain it to people feels like a losing battle at times. It’s easier when you can point and say “how would you feel about your genetic information being sold on the internet?”

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    12
    ·
    1 year ago

    This is the best summary I could come up with:


    Genetic profiling service 23andMe has commenced an investigation after private user data was been scraped off its website

    Friday’s confirmation comes five days after an unknown entity took to an online crime forum to advertise the sale of private information for millions of 23andMe users.

    The crime forum post claimed the attackers obtained “13M pieces of data.” 23andMe officials have provided no details about the leaked information available online, the number of users it belongs to, or where it’s being made available.

    On Friday, The Record and Bleeping Computer reported that one leaked database contained information for 1 million users of Ashkenazi heritage, all of whom had opted in to the DNA relative service.

    While there are benefits to storing genetic information online so people can trace their heritage and track down relatives, there are clear privacy threats.

    Even if a user chooses a strong password and uses two-factor authentication as 23andMe has long urged, their data can still be swept up in scraping incidents like the one recently confirmed.


    The original article contains 647 words, the summary contains 170 words. Saved 74%. I’m a bot and I’m open source!

  • fjordo@feddit.uk
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    3
    ·
    edit-2
    1 year ago

    They sent me this boilerplate response when I emailed them. Reported them to the ICO anyway.

    Hello,

    Thank you for contacting the 23andMe Team. We recently learned that certain 23andMe customer profile information that they opted into sharing through our DNA Relatives feature, was compiled from individual 23andMe.com accounts without the account users’ authorization. After learning of suspicious activity, we immediately began an investigation. While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked. We believe that the threat actor may have then, in violation of our Terms of Service, accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service.

    23andMe is committed to providing you with a safe and secure place where you can learn about your DNA knowing your privacy is protected. We are continuing to investigate to confirm these preliminary results. We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.

    At 23andMe, we take security seriously. We exceed industry data protection standards and have achieved three different ISO certifications to demonstrate the strength of our security program. We actively and routinely monitor and audit our systems to ensure that your data is protected. When we receive information through those processes or from other sources claiming customer data has been accessed by unauthorized individuals, we immediately investigate to validate whether this information is accurate. Since 2019 we’ve offered and encouraged users to use multi-factor authentication (MFA), which provides an extra layer of security and can prevent bad actors from accessing an account through recycled passwords.

    We encourage our customers to take as much action to keep their account and password secure. Out of caution, we recommend taking the following steps:

    • Confirm you have a strong password, one that is not easy to guess and that is unique to your 23andMe account. If you are not sure whether you have a strong password for your account, reset it by following the steps outlined here.
    • Please be sure to enable multi-factor authentication (MFA) on your 23andMe account. You can enable MFA by following the steps outlined here.
    • Review our Privacy and Security Checkup page with additional information on how to keep your account secure.

    23andMe is here to support you. We will be following up with you if more information becomes available. You can also watch our blog for more updates: https://blog.23andme.com/

  • furrious09
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    1 year ago

    As someone who hasn’t personally done any of these tests but whose relatives (aunts/cousins) have, does anyone know how much of my personal information is now up for sale?