23andMe has confirmed to BleepingComputer that it’s conscious of consumer knowledge from its platform circulating on hacker boards and attributes the leak to a credential-stuffing assault.
23andMe is a U.S. biotechnology and genomics agency providing genetic testing providers to prospects who ship a saliva pattern to its labs and get again an ancestry and genetic predispositions report.
Just lately, a menace actor leaked samples of knowledge that was allegedly stolen from a genetics agency and, just a few days later, provided to promote knowledge packs belonging to 23andMe prospects.
Supply: BleepingComputer
The preliminary knowledge leak was restricted, with the menace actor releasing 1 million strains of knowledge for Ashkenazi folks. Nonetheless, on October 4, the menace actor provided to promote knowledge profiles in bulk for $1-$10 per 23andMe account, relying on what number of had been bought.
Supply: BleepingComputer
A 23andMe spokesperson confirmed the information is professional and advised BleepingComputer that the menace actors used uncovered credentials from different breaches to entry 23andMe accounts and steal the delicate knowledge.
“We had been made conscious that sure 23andMe buyer profile data was compiled by entry to particular person 23andMe.com accounts,” said 23andMe’s spokesperson
“We do not need any indication presently that there was a knowledge safety incident inside our programs.”
“Quite, the preliminary outcomes of this investigation counsel that the login credentials utilized in these entry makes an attempt could have been gathered by a menace actor from knowledge leaked throughout incidents involving different on-line platforms the place customers have recycled login credentials.”
The knowledge that has been uncovered from this incident consists of full names, usernames, profile pictures, intercourse, date of beginning, genetic ancestry outcomes, and geographical location.
BleepingComputer has additionally realized that the variety of accounts bought by the cybercriminal doesn’t replicate the variety of 23andMe accounts breached utilizing uncovered credentials.
The compromised accounts had opted into the platform’s ‘DNA Family’ function, which permits customers to seek out genetic relations and join with them.
The menace actor accessed a small variety of 23andMe accounts after which scraped the information of their DNA Relative matches, which reveals how opting right into a function can have sudden privateness penalties.
23andMe advised BleepingComputer that the platform affords two-factor authentication as a further account safety measure and encourages all customers to allow it.
Customers ought to chorus from reusing passwords and persistently make use of robust, distinct credentials for each on-line account they’ve.
