23andMe: Hackers had access to customer data for months

The commercial DNA database 23andMe has provided more information about the data breach at the end of last year. According to the company, hackers started the attacks in May of last year to obtain customer data. Those attacks reportedly lasted through September.

23andMe has in a letter provided more information about the data breach to the Attorney General of the American state of California. The board of the commercial DNA database writes that hackers carried out a credential stuffing attack from May of last year until September that targeted 23andMe users. In such an attack, hackers use leaked data of Internet users to gain access to the accounts of the same people on other platforms. It is not clear whether 23andMe had observed any suspicious activity on its servers during this period.

Previous reporting shows that the hackers were able to capture information from approximately 14,000 customers. That’s about 0.1 percent of 23andMe’s customer base. This concerns information about the family tree, but in some cases also health information based on the DNA analysis of the relevant users. The hackers are also said to have captured information about related accounts.

23andMe is an American company that has managed a commercial DNA database since 2006 and can provide customers with information about their origins, physical characteristics and risk of genetic disorders. Customers who want to use 23andMe’s services must send saliva to the company in a tube. In October of last year it was announced that a data breach had occurred at the company.