The 23andMe genetic company has confirmed on Friday that there has been a data leak impacting some of its customers. Although the company’s systems remained secure, the attackers were able to gain access to data by guessing the login and passwords of a specific group of users. They then utilized the DNA Relatives function to extract information. It is important to note that users themselves decide to share their data through this function.
This week, hackers have posted a data sample on the BreachForums platform, claiming that it contains information about a million Ashkenazi Jews. Additionally, hundreds of thousands of users of Chinese origin have also been affected by this data leak. On Wednesday, the attackers began selling 23andMe profiles for prices ranging from $1 to $10, depending on the quantity. The data being sold includes the individuals’ names, gender, year of birth, and certain details of their genetic analysis.
In its official statement, 23andMe emphasized that there were no compromises in its systems. The company also recommended its users to choose strong and unique passwords, as well as activate two-factor authentication.
The company further stated, “It has been discovered that some data of 23andMe customers were obtained through access to their personal accounts on 23andme.com.”
While the company did not explicitly confirm the data leak, it mentioned that its investigation is still ongoing. A company representative stated that the information leak aligns with the situation where certain user accounts were compromised.
The technique of using accounting data obtained from previous data leaks to gain unauthorized access to accounts where the same logins were reused is commonly known as “Credential Stuffing.”
The exact motives behind the data theft, the number of additional attackers, and whether they specifically targeted Ashkenazi Jews are still unclear.