Shiona McCallum & Joe Tidy writing for the BBC: 23andMe: Profiles of 6.9 million people hacked

The biotechnology company, which is based in South San Francisco, was not hacked itself but cyber-criminals logged into about 14,000 individual accounts, or 0.1% of customers, by using email and password details previously exposed in other hacks.

The above is why you should use a password manager and have a different password for every single account. However, the users who had their information stolen from 23andMe were affected largely because 23andMe did a bad job with its own internal security and/or should have put some of its profits toward independent auditing of its systems, or if it did - more money towards it. As I’m not a 23andMe user, since I don’t trust the company with any information of mine at all, I’m not sure if there are any internal controls available to users over which other users they link to and what information is shared.

The criminals downloaded not just the data from those accounts but the private information of all other users they had links to across the sprawling family trees on the website.

As a reminder, 23andMe is not a medical company, so it isn’t covered by HIPAA.

From Wired: 23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained 1 million data points exclusively about Ashkenazi Jews. There also seem to be hundreds of thousands of users of Chinese descent impacted by the leak. On Wednesday, the actor began selling what it claims are 23andMe profiles for between $1 and $10 per account, depending on the scale of the purchase. The data includes things like a display name, sex, birth year, and some details about genetic ancestry results, like that someone is, say, of “broadly European” or “broadly Arabian” descent. It may also include some more specific geographic ancestry information. The information does not appear to include actual, raw genetic data.

Later in the article:

The company emphasized in a statement that it does not see evidence that its systems have been breached. It also encouraged users to use strong, unique passwords and enable two-factor authentication to keep attackers from compromising their individual accounts using login credentials exposed in other data breaches.
“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” the company said in a statement. “We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.”

The encouragement to use MFA rings hollow, and furthermore, 23andMe can, at any time, require that all of its users use MFA. If it’s that good at securing accounts - enforce it for all users.

Furthermore, this initial response does reinforce what the BBC is reporting, that there really wasn’t a “breach” - once someone had a foothold on an account, it appears they were able to spider through associated user accounts to grab everything they have.