Genetics firm 23andMe has acknowledged that user data from its platform has been compromised and is circulating on hacker forums. The company attributes the data leak to a credential-stuffing attack, reports Bleeping Computer.
A spokesperson for 23andMe confirmed the legitimacy of the data and stated, “We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts.”
The company clarified that there is no indication of a data security incident within their own systems. “Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”
The initial leak involved 1 million lines of data for Ashkenazi people. On October 4, the threat actor began offering to sell data profiles in bulk, ranging from $1 to $10 per 23andMe account, depending on the volume purchased. The exposed information includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical locations.
The compromised accounts had opted into 23andMe’s ‘DNA Relatives’ feature, allowing the threat actor to scrape data of their DNA Relative matches. This incident highlights the potential privacy risks associated with such features.
23andMe encourages users to enable two-factor authentication for additional account protection and advises against reusing passwords across multiple online platforms.
