23andMe Investigates Unauthorized Access to Customer Accounts
23andMe, the popular genetic testing company, issued a statement disclosing that certain customer profile information was accessed without authorization. The breach occurred through the DNA Relatives feature, where users had opted to share their information. While the investigation is ongoing, 23andMe believes that threat actors gained unauthorized access by exploiting recycled login credentials.
The company became aware of the suspicious activity and promptly launched an investigation to understand the extent of the breach. Preliminary findings suggest that individuals who reused their usernames and passwords from other websites, which may have been previously compromised, had their 23andMe accounts accessed without their consent. The compromised accounts contained information, including DNA Relatives profiles, for those who had opted into the service. The company is currently working to confirm the details of the breach and the extent of the unauthorized access.
Genetic privacy has been an increasing concern with the advent of broad-scale consumer DNA testing. 23andMe has tested approximately 14 million individuals worldwide. Approximately 80% of consumers opt into genetic research conducted by companies like 23andMe, and when they do, they may unwittingly grant permissions that extend beyond their initial understanding. These permissions often encompass not only the sharing of de-identified DNA information with third-party researchers but also any other data shared with or collected by the company. This broader scope of data may include self-reported health information and details about relatives. In 2019, the Pentagon warned military service members against using consumer genetic companies to test their DNA due to the potential risk of exploitation.