U.S. biotech firm 23andMe’s user data was leaked and is now circulating on hacker forums. 23andMe confirmed the data leak’s authenticity to BleepingComputer and says it believes a credential-stuffing attack is to blame.
23andMe user data offered for sale
A few days ago, 1 million lines of data specific to Ashkenazi individuals began circulating on hacker forums. Then, on Oct. 4, the cybercriminal who had leaked the user-data sample purportedly stolen from 23andMe began offering to sell individual profile datasets for $1-$10 each, with the price varying based on the number of datasets purchased.
23andMe has now confirmed the authenticity of the data to BleepingComputer. A spokesperson indicated that hackers likely used credentials leaked from breaches on other platforms. “We don’t see evidence of a security incident within our systems,” they added.
The information exposed in 23andMe’s user data leak allegedly includes users’ names, locations, birthdays, sex, photos, and genetic ancestry results. BleepingComputer’s own investigation found that the number of sold accounts doesn’t currently match the total number of breached 23andMe accounts.
BleepingComputer noted the breached accounts had activated 23andMe’s DNA Relatives feature, which lets users discover and connect with genetic relatives. Initially accessing only a limited number of accounts, the hacker could then scrape data from those users’ networks of DNA Relatives matches.
ReadWrite has not yet independently confirmed these statements but has requested further details on the investigation from 23andMe. Nevertheless, users should always follow proper digital hygiene by never reusing account credentials across websites, using strong passwords, and enabling two-factor authentication (2FA) when possible. Even though 23andMe offers and recommends 2FA, this recent data breach also suggests that networking features like DNA Relatives are yet another vulnerability.