This 23andMe Data Leak Affects Nearly 7 Million Customers

By: Catarina Williams | Published: Jan 14, 2024

Nearly 7 million users have been affected by the recent 23andMe data leak, which made mainstream news back in October of 2023. Now, new information has come to light, detailing exactly how extensive the hack was.

At the moment, about 7 million users have had their data accessed. The company has recorded about 14 million total clients in its client base.

Much More Than They Bargained For: The Confusion Around The Final Count Of The 23andMe Data Breach

Business Insider has been following this breach closely since news leaked in October of 2023. They had originally been told by representatives that just 14,000 accounts had been directly accessed.

A crowd of people swarms a city street in Hong Kong.

Source: Pexels

Further investigation has shown that nearly 7 million people have had their personal information accessed as a result of the breach alone, however.

Was Any Specific Group Targeted?

The jury is still out if there was a single, specific racial group targeted as a result of the breach.

The world’s flags hang over a city center, highlighting the diversity of the world’s races.

Source: Pexels

While the leak was originally posted to BreachForums noted that it contained the information of 1 million Ashkenazi Jews, Wired reports that there were also many people of Chinese descent who were possibly impacted.

How Did The Leak Happen?

As the investigation kicked off, 23andMe confirmed that the leak occurred through credential stuffing.

A man prepares to enter his password into his smartphone.

Source: Pexels

They also were quoted by Business Insider, stating that there was no in-system indication that would tell them if a breach or security problem were to occur in their systems. Additionally, 23andMe stated that there was no proof that they were the source of the credentials used.

Who Is At Risk For Credential Stuffing?

Now that credential stuffing has been confirmed as the mechanism for the hack, many are wondering: What is it and what should consumers know?

A person prepares to enter credentials in an attempt to hack a system.

Source: Pexels

In short, if you’ve been the victim of any past data breach, you could be at risk for further data visibility using this method.

What Is Credential Stuffing, Anyway?

Credential stuffing is often kicked off with an illegal sale of information on the dark web. Using this method, hackers can purchase previously leaked information and user IDs, attempting to use the linked credentials across sensitive sites.

A dark web enthusiast holds up a sticker of the Tor browser, used to access the webspace.

Source: Pexels

This is partly why many cybersecurity experts believe that it’s so important to have unique logins for every site you use.


Theories About The Hack Continue To Fly

23andMe went on record with Business Insider, stating that they believe that only a few hundred credentials were initially purchased for the hack.

Information leaked on the web appears on screen in strings of code.

Source: Pexels

The current quoted hypothesis is that the hackers took this information and continued to scrape the information of others over the course of the attack.


Was Any Genetic Information Leaked?

At the moment, 23andMe has stated that no raw genetic information has been leaked. This information has been cautiously confirmed as a result of a preliminary investigation.

Artistic representation of genetic information, placed against a light blue background.

Source: Pexels

However, Time has confirmed that the ancestry information and health-related information of some users has been leaked, which is considered sensitive and personal data.


What Counts As Health-Related Information?

Health-related information, in this context, includes data like a person’s health history. This is then used to determine the genetic predisposition and risk of a person based on who they are related to.

A personal medical information form sits on a physician’s desk; along with a stethoscope and a pen.

Source: Pexels

Examples of common health history conditions and entries include the presence of blood pressure disorders, asthma, or mental health conditions like anxiety.


Did Any Other Violations Take Place?

Since personal health information (or, PHI) was leaked, 23andMe could find themselves in the middle of a HIPAA complaint.

Lawyers prepare to litigate a HIPAA violation case.

Source: Pexels

HIPAA is a set of laws that protects people’s PHI, and is enforceable across the United States. It’s also known as the Health Insurance Portability and Accountability Act.


Do Customers Have Any Recourse Or Protection?

Certain acts, such as the Genetic Information Nondiscrimination Act of 2008 (GINA) protect people from any form of employment or insurance discrimination as a result of such a leak.

A lawyer reviews the GINA act prior to their PHI-related court case.

Source: Pexels

This could protect some from the potential loss of work or coverage associated with an unfavorable health outlook; if someone is genetically predisposed.


What Could Happen As A Result Of This Data Breach?

There are many different events that could occur as a result of the breach. For example, the Federal Trade Commission (FTC) ordered a smaller company (Vitagene) to tighten security protocols after a similar breach.

Double-helix DNA, illustrated against a dark blue background.

Source: Unsplash

Additionally, some victims may choose to sue, either independently or via a class action lawsuit.