Kinetic: 23andMe

When we talk about data security, the conversation usually revolves around protecting our credit cards, our Social Security numbers, and other data tied to a financial identity, with our medical data a close second.

The idea that ‘we’ are the breached data seems a bit outlandish, yet here we are. In the last twenty-four hours, posts appeared on the popular Breached Forums detailing that data from 23andMe had been leaked, with the company later confirming that there was a leak but that its systems weren’t breached. According to WIRED, the suspected avenue of attack is obtained credentials that led the attacker(s) to accounts that had access to the DNA Relatives feature of the site. This feature lets users find individuals with familial genes and estimate how ‘far’ apart they are in terms of relationship (sibling, parent, aunts and uncles, cousins, etc.).

A screenshot of Breached Forums

While it’s too early to tell what was really lost and how it happened (and it seems 23andMe isn’t immediately being forthright in its disclosure), it’s easy to speculate about what this hack can do.

It’s no secret that racial bias and stereotypes are alive and well today. Diving further into it, we immediately discovered that the ‘free sample’ list of data that was released covered those with Ashkenazi Jewish heritage, with over a million entries. There are additional unconfirmed rumors that a list of Chinese descendants has also leaked.

The Kinetic Impact

With breaches like this, we have the unfortunate exposure of not just who we are but what we are, too. For those who wish to target minorities, a breach like this immediately makes it far more straightforward. By geolocating individuals based on their general ethnicities, kinetic effects immediately become realizable. Now, someone can take this data, find population centers with a high density of a target race, and then inflict whatever damage they intend.

It also allows the cyber-targeting of minorities. This exposure also leaked birthdays and emails, allowing more savvy attackers to skim previous breaches and narrow in on the targets they want to inflict damage upon. News has already spread of attackers using these lists to scrape other breach databases for leaked passwords, then attempting to leverage them against the victims’ accounts on other systems. Now, is all of this intended to target minorities? No, but the writing is on the wall that it enables it.

On a nation-state scale, this also poses a problem. If you’ve listened to the news over the past few weeks, you know that countries like the U.S. and China are amassing massive genome mappings by collecting data on roughly 5% to 10% of their respective populations. This kind of data collection isn’t much at the moment. Still, it poses significant privacy risks for individuals as it expands, which could lead to warrantless DNA samples being obtained and used. Unfortunately, the threat isn’t just from the U.S. Earlier this year, information was released on how the Chinese Communist Party (CCP) was infiltrating the U.S. and standing up illegal police forces to target Chinese citizens, specifically fugitives and refugees of China. This kind of breach could also lead to future international targeting, as the CCP has a history of not forgiving and not forgetting.

Finally, medical privacy is another big concern. Insurance companies aren’t the most well-received companies in the U.S. However, with this kind of data being released into the wild, insurance companies could use it to get unauthorized access to your genetic data, comb it for markers that place you at risk of certain medical conditions and illnesses, and then begin to deny coverage for those related items. This is most likely the most dystopian speculation in the article, but it is still valid as healthcare continues to be a massive point of contention for Americans everywhere.

Protecting Yourself

If you’re looking for an easy solution here, I would like to apologize because I don’t have one. The data is out there now, and if you used the service, you might as well assume it’s part of the millions of records. Instead, you should be proactive in ensuring you continue to use unique passwords for all your sites (password managers are helpful). Being a victim of these kinds of attacks usually starts with someone correlating account data between the new and old breaches and trying to break into high-reward accounts like your banks and social media.
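To act on the unique-password advice, here is an added example (not part of the original article) that audits a password manager's CSV export for reuse. The column names and the sample rows are constructed assumptions; adjust them to match your own export, and run it locally on a file you delete afterwards.

```python
import csv, hashlib, hmac, io, secrets
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export; the column names (name, url, username, password)
# are an assumption -- adjust them to match your password manager's CSV.
SAMPLE_EXPORT = """name,url,username,password
Genealogy,https://dna.example/login,pat@example.com,Tr0ub4dor&3
Bank,https://bank.example/signin,pat@example.com,Tr0ub4dor&3
Forum,https://forum.example/,pat_old,Tr0ub4dor&3
Mail,https://mail.example/,pat@example.com,x9!Lq2#vB7pZ
Shop,https://shop.example/,pat@example.com,correct-horse-7
"""

def find_reuse(csv_text):
    """Return groups of (host, username) entries sharing a password, largest first.

    Passwords are compared through an HMAC keyed with a per-run random key,
    so the result holds no plaintext and no stable hash of any password.
    """
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row.get("password") or ""
        if not password:
            continue  # passkey or SSO entries have no password to reuse
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        host = urlsplit(row["url"]).hostname or row["name"]
        groups[tag].append((host, row["username"].strip().lower()))
    reused = [entries for entries in groups.values() if len(entries) > 1]
    # Largest groups first: one leaked password unlocks the most accounts.
    return sorted(reused, key=len, reverse=True)

def same_login_pairs(group):
    """Hosts in a reuse group that also share the username: a breach of any
    one of them exposes a working username+password pair for the others."""
    by_user = defaultdict(list)
    for host, user in group:
        by_user[user].append(host)
    return {u: sorted(h) for u, h in by_user.items() if len(h) > 1}

if __name__ == "__main__":
    for group in find_reuse(SAMPLE_EXPORT):
        print(f"{len(group)} accounts share one password:")
        for host, user in group:
            print(f"  {host} ({user})")
        for user, hosts in same_login_pairs(group).items():
            print(f"  same login for {user}: {', '.join(hosts)}")
```

Every account in a reported group should get its own new password, starting with the hosts listed under the same login.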

Secondly, managing your consent works wonders. In this case, it is suspected that the only victims were those enrolled in ‘DNA Relatives,’ which you would opt into (along with their four other consent options).

Finally, ensure you know the scams and falsehoods that can come from these kinds of breaches. At some point, almost every victim will become a target of a phishing email, an SMS phishing text, or a vishing phone call. In a worst-case scenario, you have some fake police officers knocking on your door asking about your ethnicity and whether you support a particular national government. Never Trust, Always Verify is an excellent motto to live by, and if you suddenly get a notification that your [XYZ] Account has been [Locked/Suspended/Disabled], never click on the link and don’t pick up the phone; instead, just go to the site and try to log in. If it doesn’t work, you can recover your account right then and there and move on with your life, knowing you probably dodged a bullet.

In the worst-case scenario, if you feel your life is in danger, please get in touch with the appropriate emergency line (like 911).

Stay safe out there!

Additional Reading

23andMe Cyberbreach Exposes DNA Data, Potential Family Ties (darkreading.com)

Genetics firm 23andMe says user data stolen in credential stuffing attack (bleepingcomputer.com)

23andMe is investigating suspected leak of private user information (axios.com)

23andMe says private user data is up for sale after being scraped | Ars Technica

Addressing Data Security Concerns - 23andMe Blog

Edits

10/7/2023 @ 0037 EST: Correction. An earlier version stated, ‘the U.S. and China are amassing massive genome mappings by collecting data of up to around 5% of their respective populations.’ A link has been provided to the source.

Mark D. Rogers Jr.

Mark is a decade-plus veteran of the I.T. and cybersecurity space, specializing in Blue Team operations such as SOC analytics, CTI, engineering, and management.

https://socops.ninja/team/mark-d-rogers-jr