- User data from 23andMe accounts has been leaked and put up for sale on a dark web forum.
- Hackers likely gathered the data with leaked customer credentials for other platforms and services.
- A 23andMe spokesperson said there’s no indication of a data security incident within its systems.

Hackers claiming to have access to the names, photos, birth details, and ethnicities of potentially millions of 23andMe customers are peddling the information on the dark web for thousands of dollars.
The data appears to have been gathered from user credentials that were exposed in prior data breaches, and the company’s security systems have not been breached, according to 23andMe.
“The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” a spokesperson for the company told Insider. In other words, the hackers tried leaked username-password combinations against 23andMe accounts, a technique known as “credential stuffing.”
The company first became aware of the attack in a post on Reddit that appears to have been removed by the platform. Since then, hackers have taken to hawking the data on the cybercrime marketplace, BreachForums.
One anonymous seller advertised the data on BreachForums earlier this week as containing “DNA profiles of millions, ranging from the world’s top business magnates to dynasties often whispered about in conspiracy theories,” and noted that each set of data also came with “corresponding email addresses,” based on a repost of the ad on X. The data reportedly contains entries for tech execs like Mark Zuckerberg, Sergey Brin, and Elon Musk, according to Wired. The company is helmed by Anne Wojcicki — sister of former YouTube CEO Susan Wojcicki and ex-wife of Sergey Brin.
The seller offered profile bundles starting at $1,000 for 100 profiles and going all the way up to $100,000 for 100,000 profiles, noting that for each bulk purchase of 10,000 they’d offer the flexibility of incremental payments.
Another post on BreachForums, also reposted to X, noted that the data contained “half of the members of 23andMe.” The company, which has a total of 14 million users, has yet to confirm the number of compromised user accounts and also noted that no raw genetic data was shared.
Based on the results of its preliminary investigation, the company believes the hackers gained access to a much smaller number of user accounts, but managed to scrape the data of several other 23andMe users through a feature called DNA Relatives. The feature allows users to connect with and see information about other users with whom they share a “recent ancestor,” which 23andMe defines on its website as less than nine generations back.
23andMe also did not confirm whether the attack was directed toward any particular ethnic group. A post on BreachForums from earlier this week touted the data sample as “1 million Ashkenazi database,” though an individual could be classified as Ashkenazi Jew even with just 1% Jewish ancestry, according to the company. Those with European or Ashkenazi ancestry are likely to have many matches via the DNA Relatives feature compared to people with Asian or Middle Eastern ancestry, 23andMe also notes on its website. There may also be “hundreds of thousands of users of Chinese descent” impacted by the leak, Wired reported.
23andMe, which was founded in 2006, made waves for its saliva tests which could test for genetic predispositions, ancestry, and inherited traits. The company, which shares anonymized user data with third parties with users’ consent, is encouraging users to enable multi-factor authentication to prevent further attacks.