Tag Archives: 23andMe

23andMe Says Is Aware Of User Data Leak



Hacker by Toqfiqu barbhuiya on Unsplash small23andMe has confirmed to BleepingComputer that it is aware of user data from its platform circulating on hacker forums and attributes the leak to a credential-stuffing attack, Bleeping Computer reported.

23andMe is a U.S. biotechnology and genomics firm offering genetic testing services to customers who send a saliva sample to its labs and get back an ancestry and genetic predispositions report.

Recently, a threat actor leaked samples of data that was allegedly stolen from a genetics firm and, a few days later, offered to sell data packs belonging to 23andMe customers.

The initial attack was limited, with the threat actor releasing 1 million lines of data for Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.

A23andMe spokesperson confirmed that the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts, stated 23andMe’s spokesperson.

“We do not have any indication at this time that there has been a data security incident within our systems.”

“Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

The Record reported a data scraping incident resulted in hackers gaining access to sensitive user information and selling it on the dark web.

The information of nearly 7 million 23andMe users was offered for sale on a cybercriminal forum this week. The information included origin estimation, phenotype, health information, photos, identification data and more. 23andMe processes saliva samples submitted by customers to determine their ancestry.

The company later said that it was aware that certain 23andMe customer profile information was complied through unauthorized access to individual accounts that were signed up for the DNA Relative feature – which allows users to opt in for the company to show them potential matches for relatives.

According to The Record, a researcher downloaded two files from the BreachForums post and found one that had information on 1 million 23andMe users of Ashkenazi heritage. The other file included data on more than 300,000 users of Chinese heritage.

The data included profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user had opted into 23andMe’s health data.

Engadget reported a data scraping incident resulted in hackers gaining access to sensitive user information and selling it on the dark web.

The information of nearly 7 million 23andMe users was offered for sale on a cybercriminal forum this week. The information included origin estimation, phenotype, health information, photos, identification data and more. 23andMe processes saliva samples submitted by customers to determine their ancestry.

The company later said that it was aware that certain 23andMe customer profile information was complied through unauthorized access to individual accounts that were signed up for the DNA Relative feature – which allows users to opt in for the company to show them potential matches for relatives.

According to The Record, a researcher downloaded two files from the BreachForums post and found one that had information on 1 million 23andMe users of Ashkenazi heritage. The other file included data on more than 300,000 users of Chinese heritage.

The data included profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user had opted into 23andMe’s health data.

Personally, I don’t have any interest in submitting my DNA to any genetics company. That said, I find it extremely troubling that the hackers sought out data from Ashkenazi people and people of Chinese heritage who used 23andMe.