Biotech company 23andMe, known for its DNA testing kits, confirmed that its user data is circulating on hacker forums. The company said the leak occurred through a credential-stuffing attack.
A credential-stuffing attack involves user information that has already been compromised (usernames and passwords, for example) from one organization, which a hacker obtains and attempts to reuse with a second organization — in this case, 23andMe. Because of the nature of credential-stuffing, it does not appear this was a breach of the company’s internal systems. Rather, accounts were broken into piecemeal. The perpetrators of this attack appear to have obtained quite sensitive information from the compromised accounts (genetic testing results, photos, full names and geographical location, among other things).
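The pattern described above leaves a recognizable trace in authentication logs: one source tries many distinct accounts and mostly fails. The following detection sketch is an added example, not code from 23andMe or from this article; the log format, the function name `find_stuffing_sources` and both thresholds are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict

# Constructed sample auth log: (source_ip, username, outcome). Not real data.
SAMPLE_EVENTS = (
    # One source replaying a leaked list: many accounts, few hits.
    [("203.0.113.7", f"user{i}@example.com", "fail") for i in range(40)]
    + [("203.0.113.7", "alice@example.com", "success"),
       ("203.0.113.7", "bob@example.com", "success")]
    # One user mistyping a password repeatedly: not stuffing.
    + [("198.51.100.9", "carol@example.com", "fail")] * 6
    + [("198.51.100.9", "carol@example.com", "success")]
    # Ordinary household traffic.
    + [("192.0.2.15", "dave@example.com", "success"),
       ("192.0.2.15", "erin@example.com", "success")]
)

def find_stuffing_sources(events, min_accounts=20, max_success_ratio=0.2):
    """Return {ip: summary} for sources that try many distinct accounts
    and mostly fail, the trace left by reusing credentials leaked elsewhere.
    Thresholds are illustrative assumptions, not tuned values."""
    attempted = defaultdict(set)   # ip -> usernames tried
    succeeded = defaultdict(set)   # ip -> usernames that logged in
    for ip, user, outcome in events:
        attempted[ip].add(user)
        if outcome == "success":
            succeeded[ip].add(user)
    flagged = {}
    for ip, users in attempted.items():
        ratio = len(succeeded[ip]) / len(users)
        if len(users) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = {
                "accounts_tried": len(users),
                # These accounts need a forced password reset and review.
                "accounts_compromised": sorted(succeeded[ip]),
                "success_ratio": round(ratio, 3),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

Grouping by source IP alone misses attempts spread across many addresses, so the same counting is usually repeated per network range or client fingerprint.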
The initial leak comprised “1 million lines of data for Ashkenazi people,” according to BleepingComputer. By October 4, data was being offered for sale in bulk, in increments of 100, 1,000, 10,000 or 100,000 profiles. The scale of the attack is as yet unknown, but the scope of its impact has likely been exacerbated by 23andMe’s ‘DNA Relatives’ feature. “Relatives are identified by comparing your DNA with the DNA of other 23andMe members who are participating in the DNA Relatives feature,” the company says. After accessing an unknown number of profiles via credential-stuffing, the threat actor behind this breach apparently scraped the ‘DNA Relatives’ results for those profiles, netting much more sensitive data. According to the same FAQ page, “The number of relatives listed [..] grows over time as more people join 23andMe.” For the fiscal year 2023, the company said it “genotyped” around 14 million customers.
Ever since 23andMe went public in 2021, the company has for its data protection practices — rightly so, since it deals with sensitive medical data derived from saliva sampling, including predispositions for diseases like Alzheimer’s, Type 2 diabetes and even . On its website the company says it “exceeds” data protection standards for its industry.