from the TOS-violation dept.
Records reportedly belong to millions of users who opted in to a relative-search feature:
Genetic profiling service 23andMe has commenced an investigation after private user data was scraped off its website
Friday's confirmation comes five days after an unknown entity took to an online crime forum to advertise the sale of private information for millions of 23andMe users. The forum posts claimed that the stolen data included origin estimation, phenotype, health information, photos, and identification data. The posts claimed that 23andMe's CEO was aware the company had been "hacked" two months earlier and never revealed the incident. In a statement emailed after this post went live, a 23andMe representative said "nothing they have posted publicly indicates they actually have any 'health information.' These are all unsubstantiated claims at this point."
23andMe officials on Friday confirmed that private data for some of its users is, in fact, up for sale. The cause of the leak, the officials said, is data scraping, a technique that reassembles a large data set by systematically extracting the small amounts of information each individual user of a service is permitted to see. Attackers gained unauthorized access to individual 23andMe accounts, all of which had been configured by their owners to opt in to a DNA Relatives feature that allows them to find potential relatives.
[...] The DNA relative feature allows users who opt in to view basic profile information of others who also allow their profiles to be visible to DNA Relative participants, a spokesperson said. If the DNA of one opting-in user matches another, each gets to access the other's ancestry information.
[...] The Record also reported that the 23andMe website allows people who know the profile ID of a user to view that user's profile photo, name, birth year, and location. The 23andMe representative said that "anyone who has a 23andMe account who has opted into DNA Relatives can view basic profile information of any other account who has also explicitly opted into making their profile visible to other DNA Relative participants."
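The exposure model described above is per-account and per-profile: each opted-in account may legitimately view the basic profile of each match, so no single request is abusive and the abuse only appears in the aggregate. The control that addresses that is server-side, not a stronger password: rate-limit and alert on accounts (and source addresses) that view far more distinct profiles in a short window than a person browsing relatives would. The following is an added example of that detection logic, not 23andMe's code; the log format, field names, thresholds and sample lines are constructed assumptions for illustration.

```python
"""Sliding-window scraping detector for a profile-view endpoint.

Added example, not 23andMe's code. The log format
("<ISO timestamp> <client ip> <account id> <target profile id>"),
the thresholds and the sample lines below are all assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one account browsing a couple of relatives normally,
# one account enumerating 45 profiles in 45 seconds, and a second account behind
# the same address that stays under the per-account limit on its own.
SAMPLE_LOG = "\n".join(
    [
        "2023-10-06T10:00:01Z 198.51.100.7 acct_001 prof_9001",
        "2023-10-06T10:03:15Z 198.51.100.7 acct_001 prof_9002",
        "2023-10-06T10:40:02Z 198.51.100.7 acct_001 prof_9001",
    ]
    + [f"2023-10-06T11:00:{i:02d}Z 203.0.113.9 acct_777 prof_{5000 + i}" for i in range(45)]
    + [f"2023-10-06T11:02:{i:02d}Z 203.0.113.9 acct_778 prof_{6000 + i}" for i in range(20)]
)

WINDOW = timedelta(minutes=10)   # trailing window (assumed value)
ACCOUNT_LIMIT = 30               # distinct profiles one account may view per window (assumed)
IP_LIMIT = 50                    # distinct profiles all accounts behind one IP may view per window (assumed)


def parse_line(line):
    """Split one log line into (timestamp, ip, account, target profile)."""
    ts, ip, account, target = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, target


class DistinctWindow:
    """Counts distinct targets seen within a trailing time window."""

    def __init__(self, window):
        self.window = window
        self.events = deque()            # (timestamp, target) in arrival order
        self.counts = defaultdict(int)   # target -> occurrences still inside the window

    def add(self, ts, target):
        """Record a view at time ts and return the number of distinct targets in the window."""
        self.events.append((ts, target))
        self.counts[target] += 1
        # Expire events older than the window, dropping targets whose count reaches zero.
        while self.events and ts - self.events[0][0] > self.window:
            old_ts, old_target = self.events.popleft()
            self.counts[old_target] -= 1
            if self.counts[old_target] == 0:
                del self.counts[old_target]
        return len(self.counts)


def detect_scraping(log_text, window=WINDOW, account_limit=ACCOUNT_LIMIT, ip_limit=IP_LIMIT):
    """Return {"accounts": set, "ips": set} of keys that exceeded their distinct-profile limit.

    Per-account counting catches one compromised account enumerating its matches;
    per-IP counting catches many accounts driven from one address that each stay
    under the per-account limit.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_account = defaultdict(lambda: DistinctWindow(window))
    per_ip = defaultdict(lambda: DistinctWindow(window))
    flagged = {"accounts": set(), "ips": set()}
    for ts, ip, account, target in events:
        if per_account[account].add(ts, target) > account_limit:
            flagged["accounts"].add(account)
        if per_ip[ip].add(ts, target) > ip_limit:
            flagged["ips"].add(ip)
    return flagged


if __name__ == "__main__":
    print(detect_scraping(SAMPLE_LOG))
```

On the constructed log, acct_777 trips the per-account limit, acct_778 does not, and 203.0.113.9 trips the per-IP limit because the two accounts behind it together view 65 distinct profiles in a few minutes. In production the same counters would sit in front of the profile endpoint and feed a throttle rather than only a report, and the thresholds would be tuned from the observed distribution of genuine relative browsing.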
[...] While there are benefits to storing genetic information online so people can trace their heritage and track down relatives, there are clear privacy threats. Even if a user chooses a strong password and uses two-factor authentication as 23andMe has long urged, their data can still be swept up in scraping incidents like the one recently confirmed. The only sure way to protect it from online theft is to not store it there in the first place.