One of the best-known companies in genetic analysis, which helps users trace their family trees online, has admitted to suffering a cyberattack. Worst of all, the attack went on for several months before the company discovered it. The haemorrhage of stolen data has been terrible.
Many services offer to analyze a user’s genetic sample to reveal their origins and, at the same time, find unknown relatives. It is curious and fun. Millions of people have used this type of service and have surely never considered the downside of what it could mean. After this attack, that may change.
Stealing data for months
The victim of the cyberattack is 23andMe, which, along with names such as MyHeritage and Ancestry, is one of the main players in this market. As the company has acknowledged, the attack began in April of last year and was not discovered until some time later. The hackers used a strategy based on the brute force technique, in which attackers try millions of passwords against registered user names until one of them grants access.
Many accounts could not be unlocked, but the final figure of compromised access, which reaches 6.9 million users, makes it clear that the attackers got away with it. Measured against the platform’s global user records, the profile leak affected around half of its clients.
A failed security system
Worst of all, 23andMe did not discover the cyberattack because its security specialists detected it or because they noticed that something did not add up. In reality, the company only made the discovery in October, when the hackers had already stopped attacking its website and had moved on to marketing the data package on Deep Web forums, where they tried to make a profit.
The subsequent investigation has revealed, among other things, how the hackers operated. Their first point of contact with the website was a set of 14,000 23andMe user accounts that were easily hacked because their passwords had been leaked in earlier security breaches. The attackers simply had to match email addresses with passwords to access these fourteen thousand accounts. They then took advantage of the DNA Relatives function to break the platform’s defenses and access the millions of records mentioned above.
This function links and shares personal information between users and their family members, so the first people hacked, in a way, exposed the users linked to their DNA to the cyberattack as well. As a result, data such as first names, surnames, family relationships, genetic information and even location ended up in the hands of the hackers. And, as we have said, it is already clear that their intention was to sell it. From there, it is impossible to know what the people who obtain this data package on millions of users intend to do. But considering the genetic information included and other details that should be confidential, it is worrying to think about what they could do with it.
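The logins with leaked passwords described above, usually called credential stuffing, leave a recognisable trace in authentication logs: a single source tries many different accounts once or twice each, so per-account lockouts never trigger. The Python code below is an added example, not code from 23andMe or from the original article; the log format, the thresholds and the function names are assumptions, and the sample log is constructed.

```python
"""Flag likely credential-stuffing sources in an authentication log (added example)."""
from collections import defaultdict

# Constructed sample log (not real data): "timestamp source_ip username result"
SAMPLE_LOG = """\
2024-01-15T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-01-15T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-01-15T10:00:03Z 203.0.113.7 carol@example.com OK
2024-01-15T10:00:04Z 203.0.113.7 dan@example.com FAIL
2024-01-15T10:00:05Z 203.0.113.7 eve@example.com FAIL
2024-01-15T10:00:06Z 203.0.113.7 frank@example.com FAIL
2024-01-15T10:01:10Z 198.51.100.20 grace@example.com FAIL
2024-01-15T10:01:25Z 198.51.100.20 grace@example.com FAIL
2024-01-15T10:01:40Z 198.51.100.20 grace@example.com OK
2024-01-15T10:02:00Z 192.0.2.55 heidi@example.com OK
"""

def parse_events(log):
    """Yield (source_ip, username, succeeded) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        _ts, ip, user, result = parts
        yield ip, user.lower(), result == "OK"

def stuffing_sources(log, min_users=5, max_success_ratio=0.3):
    """Return sources that tried many distinct accounts and mostly failed.

    A mistyped password shows up as repeated attempts on ONE account;
    stuffing shows up as few attempts on each of MANY accounts.
    In production the grouping key may be an ASN or device fingerprint,
    because attackers spread requests across many IP addresses.
    """
    users, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in parse_events(log):
        users[ip].add(user)
        attempts[ip] += 1
        successes[ip] += ok
    return {ip for ip in users
            if len(users[ip]) >= min_users
            and successes[ip] / attempts[ip] <= max_success_ratio}

def accounts_to_reset(log, sources):
    """Accounts a flagged source logged in to: force a reset and end sessions."""
    return sorted({u for ip, u, ok in parse_events(log) if ok and ip in sources})

if __name__ == "__main__":
    flagged = stuffing_sources(SAMPLE_LOG)
    print("flagged sources:", flagged)
    print("accounts to reset:", accounts_to_reset(SAMPLE_LOG, flagged))
```

The user who mistypes a password twice before succeeding is not flagged, while the one successful login from the flagged source is exactly the kind of account that served as the attackers’ entry point.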
More bad news is that, as we read in TechCrunch, 23andMe does not seem to have acted in the most responsible way possible after what happened. The company has tried to fight the lawsuits filed against it by users by blaming the people registered on its site, arguing, among other things, that they had reused passwords across different services. And while it is true that this is something that should be avoided by all means, we must not forget that it was the platform that proved to have a very ineffective security system. In general, as we said before, it makes us lose a little confidence in this type of service, which, to tell the truth, had always interested us a great deal.