Biotech company 23andMe, renowned for its DNA testing kits, has recently confirmed that its user data is circulating on hacker forums. The company revealed that the leak was a result of a credential-stuffing attack, where hackers utilize compromised user information from one organization to gain unauthorized access to another organization’s systems, in this case, 23andMe.
It is important to note that this incident does not appear to be a breach of 23andMe’s internal systems. Instead, the attackers gained access to accounts by piecing together compromised usernames and passwords. The compromised accounts contained sensitive information such as photos, full names, geographical locations, and more.
A spokesperson from 23andMe stated, “Thus far, our investigation has found that no genetic testing results have been leaked.” This provides some reassurance to users concerned about the privacy and security of their genetic information.
Upon discovering the suspicious activity, 23andMe immediately initiated an investigation. The initial leak reportedly consisted of “1 million lines of data for Ashkenazi people.” As of October 4, the data was being offered for sale in bulk, with options to purchase 100, 1,000, 10,000, or 100,000 profiles.
The full scale of the attack is still unknown, but the impact is likely to be significant due to 23andMe’s “DNA Relatives” feature. This feature allows users to identify and connect with other 23andMe members who share genetic similarities. Unfortunately, the threat actor behind this breach appears to have scraped the “DNA Relatives” results for the compromised profiles, resulting in the exposure of even more sensitive data.
According to 23andMe, the number of relatives listed in the “DNA Relatives” feature grows over time as more people join the platform. For the fiscal year 2023, the company reported that it had “genotyped” approximately 14 million customers. This highlights the potential impact of the data leak and the need for swift action to mitigate any further damage.
Since going public in 2021, 23andMe has faced increased scrutiny regarding its data protection practices. This is understandable considering the company deals with highly sensitive medical data derived from saliva samples, including information about predispositions for diseases such as Alzheimer’s, Type 2 diabetes, and cancer.
On its website, 23andMe claims to exceed data protection standards within the industry. However, this incident serves as a reminder that even companies with robust security measures in place can fall victim to sophisticated cyberattacks. It emphasizes the importance of constant vigilance and ongoing efforts to strengthen data protection practices.
As the investigation into the data leak continues, 23andMe is undoubtedly working diligently to address the issue, protect its users, and prevent any further unauthorized access to sensitive information. Users are advised to remain cautious and vigilant, monitoring their accounts for any suspicious activity and promptly reporting any concerns to 23andMe.
While the full extent of the impact is yet to be determined, it is crucial for individuals to understand the potential risks associated with sharing personal and genetic information online. As technology advances, it is essential for both companies and users to prioritize and invest in robust cybersecurity measures to safeguard sensitive data.