In a recent statement, a 23andMe spokesperson said that hackers gained access to customer accounts through reused passwords. The amount of data they retrieved was much higher than the company initially stated.
The updated statistics are the result of an investigation the company launched in October. The data leak was first reported by TechCrunch. The hackers were able to obtain data from millions of users by logging in with reused passwords and then exploiting further features on the site.
The hackers first used ‘credential stuffing’, which takes a list of passwords reused from elsewhere and tries them against a site's login until one grants access. Like a brute force attack, it gains access through repeated attempts. Credential stuffing alone gave them access to only .1 of users’ accounts. From those accounts, they were then able to view customers who were enrolled in DNA Relatives.
Anyone enrolled in the DNA Relatives program can see their relatives and significant information about them, including DNA information, zip code, birth year, family member names, and other general information.
The exposed data is a cause for worry for many, since the hackers can use it to their benefit, posing as these users in the near future.
23andMe doesn’t expect a financial fallout from the incident. It is expected to lose only a one-time fee of $1-2 million in expenses.