23andMe has confirmed to BleepingComputer that it is aware of user data from its platform circulating on hacker forums and attributes the leak to a credential-stuffing attack.
23andMe is a U.S. biotechnology and genomics firm offering genetic testing services to customers who send a saliva sample to its labs and get back an ancestry and genetic predispositions report.
Recently, a threat actor leaked samples of data that was allegedly stolen from a genetics firm and, a few days later, offered to sell data packs belonging to 23andMe customers.
Source: BleepingComputer
The initial data leak was limited, with the threat actor releasing 1 million lines of data for Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.
Source: BleepingComputer
A 23andMe spokesperson confirmed the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data.
"We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts," stated 23andMe's spokesperson
"We do not have any indication at this time that there has been a data security incident within our systems."
"Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials."
The information that has been exposed from this incident includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.
BleepingComputer has also learned that the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials.
The compromised accounts had opted into the platform's 'DNA Relatives' feature, which allows users to find genetic relatives and connect with them.
The threat actor accessed a small number of 23andMe accounts and then scraped the data of their DNA Relative matches, which shows how opting into a feature can have unexpected privacy consequences.
23andMe told BleepingComputer that the platform offers two-factor authentication as an additional account protection measure and encourages all users to enable it.
Users should refrain from reusing passwords and consistently employ strong, distinct credentials for every online account they have.
Comments
rabidR04CH - 8 months ago
Congratulations, idiots. You willingly gave them your DNA even after we warned you this kind of thing would happen.
rdiazjry2k - 8 months ago
Oh f off and stop blaming people for being so interested in their lineage and ancestral composition and makeup. It's such a fascinating and interesting subject and you can't fault people for being interested in it.
technout - 8 months ago
But using the same password for DNA genetic information is not the smartest thing to do.. people should be more aware of the dangers of reusing the same passwords for important websites. And use two factor authentication!
1ST1 - 8 months ago
Millions of lines from hundreds of thousands accounts by credential stuffing? Sorry, I don't believe that. In that case someone should have tried trillions of breeched user+passwords to get 100.000 successfull logins, maybe from single IP source. Their monitoring should have detected and blocked this. Or the attacker has stolen these credentials from them, or the attacker has a kind of admin/supervisor access to their database.
Icepop33 - 8 months ago
It's possible the dark web OP hasn't actually harvested that many accounts, but it looks good for them to pretend they have. That aside, 23andMe try to mitigate your suspicions by mentioning the "DNA Relatives" feature. While it's true these types of features act as viral media vectors in themselves, I'm not buying it either. It doesn't add up, and I believe they are as full of **it as you do.
Archahazi - 8 months ago
Any chance Google SSO could have been used to accelerate the breach count? My business now uses google sso with white listed third parties. It didn't do so before.