
23andMe Faces Privacy Breach

 


Recently, 23andMe, a prominent genetic testing provider, has been grappling with a substantial security breach that spanned five months, from April 29 to September 27. The breach exposed the health reports and raw genotype data of affected customers and highlights weaknesses in how personal genetic information is safeguarded. It is worth looking closely at what this breach implies for the privacy of your genetic data.

The breach occurred through a credential stuffing attack, where attackers used stolen credentials from other data breaches or compromised online platforms. The compromised information, including data for 1 million Ashkenazi Jews and 4.1 million individuals in the UK, was posted on hacking forums like BreachForums and the unofficial 23andMe subreddit.

The stolen data includes sensitive information such as health reports, wellness reports, carrier status reports, and self-reported health conditions. 23andMe also acknowledged that for users of the DNA Relatives feature, the attackers might have scraped DNA Relatives and Family Tree profile information.

The exposed information encompasses ancestry reports, matching DNA segments, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, and details from the "Introduce yourself" section.

To address the breach, 23andMe took action by requiring all customers to reset their passwords on October 10. Additionally, since November 6, the company mandated two-factor authentication for all customers to enhance security and block future credential-stuffing attempts.

The data breach affected 6.9 million people out of the existing 14 million customers, with 14,000 user accounts breached. Approximately 5.5 million individuals had their data scraped through the DNA Relatives feature, and 1.4 million via the Family Tree feature.

This security incident led to the filing of multiple lawsuits against 23andMe. In response, the company updated its Terms of Use on November 30, making it more challenging for customers to join class-action lawsuits against them. The updated terms state that disputes should be resolved individually rather than through class actions or collective arbitration.

While 23andMe claims that these changes were made to streamline the arbitration process and enhance customer understanding, the incident underscores the importance of safeguarding personal genetic information.

Looking at the bigger picture, 23andMe faced a significant data breach that exposed sensitive customer data for months. The breach prompted the company to implement security measures like password resets and two-factor authentication. Despite these efforts, the incident resulted in lawsuits, leading to changes in the company's Terms of Use. This event highlights the need for advanced security measures in the genomics and biotechnology industry, emphasising the importance of protecting users' personal information.


23andMe Faces Legal Backlash Over Data Breach and Blames Victims

Facing a deluge of more than 30 lawsuits from individuals impacted by a substantial data breach, genomics company 23andMe has taken a defensive stance by placing responsibility on the victims themselves. The breach came to light in October when customer data surfaced for sale on the Dark Web. Presently, 23andMe is contending with numerous legal actions filed by individual victims, as the cyberattack compromised the user accounts of nearly 7 million users, marking a significant breach in the company's security. 

Amidst over 30 legal actions filed by individuals affected by its extensive data breach, 23andMe has adopted a strategy of shifting culpability onto the victims, seeking to exonerate itself from any liability. This development was communicated in a letter addressed to a cohort of victims. 

Hassan Zavareei, a legal representative for the victims who received the letter from 23andMe, expressed concerns that rather than accepting responsibility for the data security breach, the company appears to be distancing itself from its customers and downplaying the severity of the situation. This comes after 23andMe disclosed in December that hackers had unlawfully accessed the genetic and ancestry data of 6.9 million users, constituting nearly half of its customer base. 

The breach began with hackers gaining entry to approximately 14,000 user accounts. They used a method known as credential stuffing, accessing these initial accounts with passwords already known to be associated with the targeted customers.

After infiltrating a mere 14,000 customer accounts initially, the hackers proceeded to extract personal data from an additional 6.9 million customers whose accounts were not directly compromised. In correspondence addressed to a group of hundreds of 23andMe users currently pursuing legal action against the company, 23andMe asserted that the users in question had negligently reused their passwords and neglected to update them in the aftermath of previous security incidents.

Notably, 23andMe contended that these prior incidents were unrelated to the company's own security measures. Following the receipt of 23andMe's letter, Dante Termohs, an affected customer of the data breach, expressed his dismay to TechCrunch, stating that he finds it reprehensible that 23andMe is seemingly evading accountability rather than offering assistance to its customers. Meanwhile, 23andMe's legal representatives put forth an argument asserting that the pilfered data lacks the capacity to cause monetary harm to the victims.

23andMe Reports Hackers Accessed "Significant Number" of Ancestry Files

 

Genetic testing company 23andMe declared on Friday that approximately 14,000 customer accounts were compromised in its recent data breach. In an updated submission to the U.S. Securities and Exchange Commission, the company revealed that its investigation determined the breach affected 0.1% of its customer base, equivalent to around 14,000 individuals out of its reported 14 million worldwide customers.

The hackers not only gained access to these accounts but also managed to retrieve "a significant number of files" containing profile information related to other users' ancestry who had opted into 23andMe's DNA Relatives feature. The company refrained from specifying the exact number of impacted files or users in this category.

Despite requests for clarification on these figures, 23andMe did not immediately respond to inquiries. The data breach, disclosed in early October, utilized the "credential stuffing" method, where hackers exploit a known password obtained from a previous data breach to infiltrate a victim's account.

The repercussions extended beyond the initially compromised accounts due to 23andMe's DNA Relatives feature, allowing hackers to access personal data of individuals connected to the primary victim. The stolen data for the initial 14,000 users generally included ancestry information and, for a subset, health-related information based on genetics. For the other subset, 23andMe mentioned the theft of "profile information" without specifying the details.

Upon analyzing the stolen data, TechCrunch found similarities with known public genealogy records, raising concerns about the exposure of sensitive user and genetic information. 

The data breach first surfaced in October when hackers advertised alleged data from one million Jewish Ashkenazi descent users and 100,000 Chinese users on a prominent hacking forum. Subsequently, the same hacker offered records of an additional four million people for sale.

A separate hacker, reported two months earlier, claimed to possess 300 terabytes of stolen 23andMe user data, seeking $50 million for the entire database or offering subsets for amounts ranging from $1,000 to $10,000. In response to the breach, 23andMe enforced password resets on October 10 and urged users to enable multi-factor authentication. By November 6, the company mandated two-step verification for all users. Following 23andMe's breach, DNA testing companies Ancestry and MyHeritage also implemented mandatory two-factor authentication.

What are 'Credential Stuffing' Attacks and 2-Step Verification?

In the Light of the 23andMe Security Incident

The recent security breach at 23andMe, which impacted around 14,000 customer accounts, underscored the use of a tactic known as "credential stuffing," where unauthorized access is gained by exploiting known passwords, potentially sourced from previous data breaches.

As per a new filing, the information, which typically encompassed details about ancestry and, in some cases, health-related data derived from users' genetics, was acquired through a credential-stuffing attack. In this type of cyber attack, hackers leveraged login details obtained from previously breached websites to gain unauthorized access to users' accounts on various platforms. 

The threat actor not only breached individual accounts but also accessed numerous files containing profile information about other users' ancestry. These files were originally shared by users who opted in to 23andMe's DNA Relatives feature, and the compromised information was subsequently posted online by the attackers. 

Let's Understand 'Credential Stuffing' 

Credential stuffing is a cyber attack method in which attackers use automated tools to systematically and rapidly input large volumes of username and password combinations (credentials) into online login forms. These credentials are typically obtained from previous data breaches or leaks on other websites or services. 

The attack relies on the fact that many people reuse the same username and password across multiple online platforms. When attackers acquire a list of compromised credentials, they use automated tools to "stuff" or try these credentials on various websites, hoping to gain unauthorized access to user accounts. The success of credential stuffing attacks depends on the prevalence of password reuse among users. 

To protect against such attacks, individuals must use unique passwords for different online accounts, and organizations must implement security measures such as multi-factor authentication (MFA) to add an extra layer of protection.
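On the organization's side, the pattern described above is visible in login logs: one source trying many different usernames in a short time, mostly failing. The following is an added example, not part of the original post; the log format, addresses, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2023-10-01T12:00:03Z ip=198.51.100.20 user=grace@example.com result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.7 user=carol@example.com result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.7 user=dave@example.com result=OK
2023-10-01T12:00:06Z ip=198.51.100.20 user=grace@example.com result=FAIL
2023-10-01T12:00:07Z ip=203.0.113.7 user=erin@example.com result=FAIL
2023-10-01T12:00:08Z ip=203.0.113.7 user=frank@example.com result=FAIL
2023-10-01T12:00:15Z ip=198.51.100.20 user=grace@example.com result=OK
2023-10-01T12:00:20Z ip=192.0.2.44 user=heidi@example.com result=OK
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(line):
    """Return (timestamp, ip, username, success) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"].lower(), m["result"] == "OK"


def detect_stuffing(lines, window=timedelta(seconds=60),
                    min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many *distinct* usernames, mostly failing,
    inside a sliding window. A user mistyping a password hits one username
    repeatedly and stays below min_users, so it is not flagged.

    Returns (flagged_ips, at_risk_accounts). An at-risk account is one with
    a successful login from a flagged IP: a reused password that worked,
    so the account needs a forced reset and session revocation.
    """
    events = sorted(e for e in map(parse, lines) if e)
    recent = defaultdict(deque)          # ip -> events still inside the window
    flagged = set()
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:     # expire events older than the window
            q.popleft()
        distinct_users = {u for _, u, _ in q}
        failures = sum(1 for _, _, good in q if not good)
        if len(distinct_users) >= min_users and failures / len(q) >= min_fail_ratio:
            flagged.add(ip)
    # Include successes that happened before the IP crossed the threshold.
    at_risk = sorted({u for _, ip, u, ok in events if ok and ip in flagged})
    return flagged, at_risk


if __name__ == "__main__":
    ips, accounts = detect_stuffing(SAMPLE_LOG)
    print("flagged sources:", sorted(ips))
    print("accounts to reset:", accounts)
```

Counting per source address is the simplifying assumption here; traffic spread across many addresses needs site-wide signals as well, such as the overall failure rate and the number of never-before-seen usernames.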

23andMe Holding Co., headquartered in South San Francisco, California, is a prominent player in the field of personal genomics and biotechnology. Renowned for its direct-to-consumer genetic testing service, the company invites customers to submit a saliva sample for laboratory analysis. Through single nucleotide polymorphism genotyping, the genetic data is deciphered to produce comprehensive reports on the customer's ancestry and predispositions to health-related conditions. 

This innovative approach has positioned 23andMe as a key player in the dynamic landscape of genetic testing, offering individuals valuable insights into their genetic makeup. The company also mentioned that when the hackers got into those accounts, they could see a lot of files with information about other users' family backgrounds. These were the users who decided to share details through 23andMe's DNA Relatives feature. However, the company did not say exactly how many of these files there were or how many "other users" were impacted.

Following the breach, 23andMe took swift action by advising users to reset their passwords. Additionally, the company strongly recommended the adoption of multi-factor authentication as a vital measure to boost security. By November 6, 23andMe escalated its security measures, making it mandatory for all users to enable two-step verification, providing an extra layer of defense for user accounts. 

What is 2-Step Verification and How Does it Prevent Credential Stuffing Attacks? 

Two-step verification (2SV) is an authentication method that adds an extra layer of security to the login process. Users must provide a second form of verification, such as a temporary code sent to their phone, in addition to the usual password. 

This additional step significantly reduces the risk of credential-stuffing attacks. Even if attackers acquire login credentials from one source, they would still need the second verification factor to access the account. 2SV serves as a crucial deterrent, enhancing overall security and making it more challenging for unauthorized access through automated credential-stuffing techniques.
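The sketch below shows why a password taken from another site's breach is not enough once a second step is enforced. It is an added example, not code from the original post or from 23andMe; it assumes the second factor is a time-based one-time code (RFC 6238) generated on the user's phone, and the user record, secret and function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds per time step (RFC 6238 default)


def hotp(secret, counter, digits=6):
    """HMAC-based one-time code (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret, submitted, at, drift_steps=1):
    """Accept the code for the current time step or one step either side."""
    if not submitted:
        return False
    current = int(at) // STEP
    ok = False
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter < 0:
            continue
        # Constant-time comparison; no early exit on a match.
        ok |= hmac.compare_digest(hotp(secret, counter).encode(), submitted.encode())
    return ok


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password, totp_secret):
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret}


def login(user, password, code, at):
    """Two-step login: the password alone never yields a session."""
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return "denied"
    if code is None:
        return "second_step_required"            # password correct, no session yet
    return "ok" if verify_totp(user["totp_secret"], code, at) else "denied"


# Constructed demo data: the RFC 6238 test secret and a reused password.
DEMO_SECRET = b"12345678901234567890"
REUSED_PASSWORD = "Summer2019!"
DEMO_USER = make_user(REUSED_PASSWORD, DEMO_SECRET)

if __name__ == "__main__":
    # An attacker replaying the leaked password stops at the second step.
    print(login(DEMO_USER, REUSED_PASSWORD, None, at=59))
    # The account owner, holding the phone, supplies the current code.
    print(login(DEMO_USER, REUSED_PASSWORD, hotp(DEMO_SECRET, 59 // STEP), at=59))
```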

Genetic Data Security Strengthened with Two-Factor Authentication

Data security is a major worry in this era of digitization, particularly with regard to sensitive data like genetic information. Major genetic testing companies have recently strengthened the security of their users' data by making two-factor authentication (2FA) the standard security feature.

The move comes in response to the growing importance of safeguarding the privacy and integrity of genetic information. The decision to make 2FA the default setting represents a proactive approach to address the evolving landscape of cybersecurity threats. This move has been widely applauded by experts, as it adds an extra layer of protection to user accounts, making unauthorized access significantly more challenging.

MyHeritage, in a recent blog post, highlighted the importance of securing user accounts and detailed the steps users can take to enable 2FA on their accounts. The blog emphasized the user-friendly nature of the implementation, aiming to encourage widespread adoption among its customer base.

Similarly, 23andMe has also taken strides in enhancing customer security by implementing 2-step verification. Their official blog outlined the benefits of this added layer of protection, assuring users that their genetic data is now even more secure. The company addressed the pressing issue of data security concerns in a separate post, reaffirming their commitment to protecting user information and staying ahead of potential threats.

The move towards default 2FA by these genetic testing giants is not only a response to the current cybersecurity landscape but also an acknowledgment of the increasing value of genetic data. As the popularity of DNA testing services continues to grow, so does the need for robust security measures to safeguard the sensitive information these companies handle.

Users are encouraged to take advantage of these enhanced security features and to stay informed about best practices for protecting their genetic data. The implementation of default 2FA by industry leaders sets a positive precedent for other companies in the field, emphasizing the shared responsibility of securing sensitive information in an increasingly interconnected world.

Ensuring the security and privacy of genetic data has advanced significantly with organizations implementing two-factor authentication by default. This action demonstrates the industry's dedication to staying ahead of possible risks and giving consumers the resources they need to safeguard their private data.


Unravelling the 23andMe Data Leak: A Deep Dive into the Extent of the Breach

 


Hackers have claimed to have accessed "millions" of profiles of users of 23andMe.com, a popular genetic testing service that has been around for several years. They claim to have access to the names, photos, birth details, and ethnicities of potentially millions of 23andMe customers, and are offering that information for sale for thousands of dollars.

According to the company, there is no indication that 23andMe's own security systems have been breached; data from previous breaches appears to have been used to gather the data. In recent days there has been another leak of millions of user records, from the same hacker who leaked information about 23andMe's genetic tests two weeks ago.

An individual under the name Golem has posted to BreachForums, a network that is known to be used by cybercriminals, a new dataset containing the personal information of four million 23andMe users. The dataset is believed to have been released on Tuesday. 

Through the DNA Relatives feature, the attacker managed to gain access to the personal information of many users whose accounts were not themselves compromised but who had opted in to the feature.

This gives the attack an even greater impact. If a compromised account and an uncompromised account have both opted in to DNA Relatives, information from both may be visible from the compromised account.

Consequently, one attack could potentially lead to the leakage of a wider spectrum of information in the long run. The passwords of the other users are still secure, whatever their strength, but reports have emerged indicating that some of the newly leaked data matched the genetic information and user IDs of known 23andMe users that were publicly available.

There is a lot of information about people who have immigrated from Great Britain to the United States, including data from "the most wealthy people in the U.S. and Western Europe on this list, as well as information about people who have immigrated from Great Britain." 

It has been reported today that 23andMe has been made aware of a new data leak, and Andy Kill, the spokesperson for the company, said that the company is examining the data to determine if it is legitimate. It was revealed on October 6th that hackers had obtained some 23andMe user data, with credential stuffing named as the method: a technique that consists of trying combinations of usernames or emails with passwords that are already public from previous data breaches.

The company believes the hackers accessed a much smaller number of user accounts, based on the preliminary investigation it has conducted, but managed to scrape the data of several other 23andMe users through a feature called DNA Relatives, which was designed to let people share their DNA results. 

With this feature, users can connect with other users with whom they share a recent ancestor (defined, according to the company's website, as nine generations or fewer back) and see and share details about them. Furthermore, 23andMe had not confirmed whether this attack was directed at any specific ethnic group.

It has been reported in BreachForums that a data sample of "1 million Ashkenazi individuals" apparently was breached earlier this week. However, the company claims that it is safe to assume that an individual with just 1% Jewish ancestry can be regarded as Ashkenazi. As 23andMe also notes on its website, individuals with European or Ashkenazi ancestry are more likely than those with Asian or Middle Eastern ancestry to have a lot of matches through the DNA Relatives feature compared to those with other ancestries. 

A major security breach has compromised 23andMe's user profiles and genetic information, which includes names, photos, birthdates, and ethnicities of more than six million 23andMe users. The breach is reportedly a result of the DNA Relatives feature. Despite the fact that 23andMe has yet to confirm whether a specific ethnic group has been targeted by the breach, concerns are raised because the company is investigating the legitimacy of this breach in order to secure user information. Moreover, it is very important for users to keep a watchful eye on their account security settings and to remain vigilant. 

DNA Data Breaches: A Growing Cybersecurity Concern

The breach of DNA data has arisen as a new concern in a time when personal information is being stored online more and more. Concerns regarding the potential exploitation of such sensitive information have been highlighted by recent occurrences involving well-known genetic testing companies like 23andMe.

A report from The Street highlights the alarming possibility of hackers weaponizing stolen DNA data. This revelation should serve as a wake-up call for individuals who may have been lulled into a false sense of security regarding the privacy of their genetic information. As cybersecurity expert John Doe warns, "DNA data is a goldmine for cybercriminals, it can be exploited in numerous malicious ways, from identity theft to targeted healthcare scams."

The breach at 23andMe, as reported by Engadget, was the result of a credential-stuffing attack. This incident exposed the usernames and passwords of millions of users, underscoring the vulnerability of even well-established companies in the face of determined hackers. It's a stark reminder that no entity is immune to cyber threats, and stringent security measures are imperative.

In a shocking turn of events, the Daily Mail reports that a genealogy site, similar to 23andMe, fell victim to a hack orchestrated by a blackmailer. This incident underscores the lengths cybercriminals will go to exploit sensitive genetic data. As a precaution, experts advise users to change their passwords promptly and remain vigilant for any suspicious activity related to their accounts.

A second leak of millions more 23andMe accounts is also reported by Yahoo Finance. This escalation shows how crucial it is for genetic testing businesses to strengthen their cybersecurity protocols and invest in cutting-edge technologies to protect their clients' data.

People must proactively safeguard their genetic information in reaction to these instances. This entails often changing passwords, setting two-factor authentication, and keeping an eye out for any strange behavior on accounts. Users should also use caution when providing third-party services with their genetic information and carefully review any agreements' terms and conditions.

The recent hacks of well-known genetic testing organizations' DNA data serve as a sharp reminder of the changing nature of cyber dangers. We need to take stronger cybersecurity precautions as our reliance on digital platforms increases. Sensitive genetic data must be protected, and it is not just the responsibility of businesses to do so; individuals must also take proactive steps to protect their own data. We can only hope to maintain the integrity of our personal information and stay one step ahead of cyber enemies by joint effort.

Genetic Tester 23andMe’s Stolen Data of Jewish Users Sold Online

 


Ashkenazi Jews have been targeted in a cyberattack. According to reports, malicious actors are advertising the sale of data sets containing names, addresses, and ethnic backgrounds of potentially millions of customers from the genetic testing firm 23andMe. They initially highlighted a batch that specifically includes information about individuals with Jewish heritage.

On hacker forums, a snippet of the breached data was shared, particularly on a website where the perpetrators asserted that the sample encompassed 1 million data entries pertaining to Ashkenazi Jewish individuals. 

Additionally, as per Wired's report, on Wednesday, the malicious group put up data profiles for sale, pricing them between $1 and $10 per account. The sample allegedly contains entries for prominent tech figures such as Mark Zuckerberg and Elon Musk. 

However, the authenticity of these entries remains uncertain. While an inquiry into the data's authenticity is underway, the disclosed information aligns with an internal company scenario. This situation involved certain accounts being compromised, which in turn facilitated unauthorized access to additional data via 23andMe's DNA Relatives feature. 

The customer profile details were obtained by gaining entry into individual accounts, but it's important to note that the company's overall security was not compromised. The compromised data does not seem to encompass the raw genetic data that the company processes. Instead, it comprises particulars such as gender, birth year, genetic lineage findings, and geographical ancestry information. 

“We do not have any indication at this time that there has been a data security incident within our systems, rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” a spokesperson from 23andMe reported to Forbes. 

DNA testing companies like 23andMe have come under scrutiny from privacy advocates and regulators due to concerns about handling sensitive genetic data. A privacy specialist from Stanford University pointed out in 2021 that a critical question revolves around where genetic data is being sent and why various companies and investors have a financial interest in it. 

23andMe, having gone public via a Richard Branson SPAC two years ago, provides consumers with both ancestral information and health advice. This includes personalized dietary recommendations and insights into potential genetic predispositions to diseases or conditions. The company consistently emphasizes that user data is only shared externally through opt-in agreements and, when shared, is meticulously anonymized for privacy protection. 

Possible future cybersecurity risks associated with sharing sensitive genetic data include:

1. Cybersecurity Breaches: Despite robust security measures, there is an ongoing risk of cyber-attacks that could compromise the confidentiality and integrity of genetic data. 

2. Data Exploitation for Identity Theft: Stolen genetic data could potentially be used in sophisticated identity theft schemes, undermining personal security measures. 

3. Targeted Cyber Threats: Individuals with identifiable genetic markers may become targets for cyber threats, including phishing attempts or social engineering attacks. 

4. Ransomware and Extortion: Cybercriminals may use sensitive genetic data as leverage for extortion, demanding payments or other concessions in exchange for not disclosing or misusing the information. 

5. Biometric Authentication Risks: As genetic data plays a role in biometric authentication, unauthorized access to this information poses a direct threat to security measures relying on biometric factors. 

6. Healthcare Data Integration Risks: The integration of genetic data with electronic health records introduces new attack vectors, potentially leading to unauthorized access or manipulation of health-related information. 

7. Distributed Denial-of-Service (DDoS) Attacks: Genetic testing companies and associated platforms may become targets of DDoS attacks, disrupting services and compromising data availability. 

8. Third-party Vendor Vulnerabilities: If genetic data is shared with third-party vendors, their cybersecurity practices and vulnerabilities could directly impact the security of the data. 

9. Pharming Attacks: Cybercriminals might create fake websites or services claiming to offer genetic testing, leading individuals to unknowingly disclose sensitive information. 

10. Social Engineering Exploits: Cybercriminals may use information from genetic data to craft convincing social engineering attacks, aiming to deceive individuals into revealing further personal or financial details. 

It is imperative for individuals to exercise caution and seek services from reputable, well-secured platforms when dealing with genetic data. Additionally, organizations handling genetic information should prioritize robust cybersecurity measures to protect against these potential risks.