
23andMe confirms data leak: Personal genetic information for sale on hacker forums

The U.S. biotech firm 23andMe has confirmed that user data has been leaked and is now being circulated on hacker forums. The company believes that a credential-stuffing attack is responsible for the data leak.

23andMe user data offered for sale

Recently, 1 million lines of data specific to Ashkenazi individuals were found circulating on hacker forums. On October 4, the cybercriminal who leaked the user data from 23andMe started offering to sell individual profile datasets for $1-$10 each, with the price depending on the number of datasets purchased.

23andMe has confirmed the authenticity of the data to BleepingComputer and suggested that hackers likely used credentials leaked from breaches on other platforms. They stated, “We don’t see evidence of a security incident within our systems.” The information exposed in this data leak allegedly includes users’ names, locations, birthdays, sex, photos, and genetic ancestry results.

BleepingComputer’s investigation revealed that the number of sold accounts does not currently match the total number of breached 23andMe accounts. The breached accounts had activated 23andMe’s DNA Relatives feature, allowing the hacker to scrape data from the users’ networks of DNA Relative matches.

ReadWrite has requested further details on the investigation from 23andMe. Users are advised to follow proper digital hygiene by avoiding reusing account credentials across websites, using strong passwords, and enabling two-factor authentication (2FA) whenever possible. Despite 23andMe’s recommendation to use 2FA, this recent data breach highlights vulnerabilities in networking features like DNA Relatives.
