Genomics firm 23andMe investigates theft of sensitive customer data

Attackers stole personal data by guessing login credentials

Genetics firm 23andMe investigates incident of data theft resulting from credential stuffing attack

The company claimed its systems remained uncompromised, and that the attackers acquired the data by guessing login credentials for a specific group of users.

Subsequently, they scraped additional information from a feature called DNA Relatives. This particular feature enables any account holder to search for potential genetic matches, regardless of how distant they may be. Users have the option to voluntarily share their information through DNA Relatives for others to access.

23andMe is a biotechnology and genomics firm based in the US. It provides popular genetic testing services to customers who submit a saliva sample to their laboratories, receiving in return a comprehensive report on their ancestry and genetic predispositions.

"We recently learned that certain 23andMe customer profile information that they opted into sharing through our DNA Relatives feature, was compiled from individual 23andMe.com accounts without the account users' authorisation," the firm stated in a post on its website.

"After learning of suspicious activity, we immediately began an investigation. While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials - that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked."

In the initial data leak, the threat actor published one million lines of data specifically pertaining to individuals of Ashkenazi Jewish descent on the dark-web site BreachForums. Later, on 4th October, the threat actor offered to sell data profiles in bulk at prices ranging from $1 to $10 per 23andMe account, depending on the quantity purchased.

The data exposed in this incident comprises complete names, usernames, profile pictures, gender, date of birth and geographic location. Additionally, it includes genetic ancestry information, such as individuals being identified as "broadly European" or "broadly Arabian" in descent.

Credential stuffing is a technique widely used by hackers to compromise user accounts. It enables them to get into accounts using credentials that have been exposed in previous data breaches, and it works when those same login credentials have been reused.
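On the defending side, credential stuffing leaves a recognisable trace in login logs: one source tries many different accounts, only once or twice each, and most attempts fail. The sketch below is an added example, not code from 23andMe or the original article; the event format, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, login succeeded)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "alice", False),
    ("2024-01-01T10:00:20", "203.0.113.7", "bob", False),
    ("2024-01-01T10:00:40", "203.0.113.7", "carol", True),   # reused password
    ("2024-01-01T10:01:00", "203.0.113.7", "erin", False),
    ("2024-01-01T10:01:20", "203.0.113.7", "frank", False),
    ("2024-01-01T10:01:40", "203.0.113.7", "grace", False),
    # One user retrying a forgotten password: many failures, one account.
    *[(f"2024-01-01T10:0{i}:00", "198.51.100.4", "dave", False) for i in range(6)],
    # Shared office address: several accounts, all successful.
    ("2024-01-01T10:02:00", "192.0.2.10", "heidi", True),
    ("2024-01-01T10:03:00", "192.0.2.10", "ivan", True),
]

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5,
                    max_tries_per_user=2.0, min_fail_ratio=0.8):
    """Return {source_ip: [accounts that logged in successfully]} for sources
    matching the stuffing pattern inside any sliding time window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most `window` of time.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if (len(users) >= min_users                           # many accounts
                    and len(span) / len(users) <= max_tries_per_user  # few tries each
                    and fails / len(span) >= min_fail_ratio):     # mostly failing
                # Successful logins from a flagged source are the accounts
                # to treat as compromised (session revoke, forced reset).
                flagged.setdefault(ip, set()).update(u for _, u, ok in span if ok)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```

Grouping by source IP alone misses attempts spread across many addresses, so in practice the same test is also keyed on other request attributes such as user agent or network range.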

The company is now urging its customers to take proactive measures to enhance the security of their accounts and passwords.

"Confirm you have a strong password, one that is not easy to guess and that is unique to your 23andMe account," it says.

Users are also strongly advised to enable multifactor authentication (MFA) for their 23andMe accounts.

"Review our Privacy and Security Checkup page with additional information on how to keep your account secure," 23andMe urged.