Genetics company 23andMe says user data stolen in credential stuffing attack


23andMe has confirmed to BleepingComputer that it is aware that user data from its platform is circulating on hacker forums and attributes the leak to a credential stuffing attack.

23andMe is an American biotechnology and genomics company that offers genetic testing services to customers who send a saliva sample to its laboratories and receive a report of ancestry and genetic predispositions.

Recently, a threat actor leaked data samples allegedly stolen from a genetics company and, a few days later, offered to sell data packages belonging to 23andMe customers.

Initial genetic data leak
Source: BleepingComputer

The initial data leak was limited: the threat actor released 1 million lines of data for Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk for between $1 and $10 per 23andMe account, depending on how many were purchased.

Mass sale of stolen genetic data profiles
Source: BleepingComputer

A 23andMe spokesperson confirmed that the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal sensitive data.

“We were informed that certain 23andMe customer profile information was collected through access to individual accounts,” the 23andMe spokesperson said.

“We have no indication at this time that there has been a data security incident within our systems.”

“Rather, preliminary results from this investigation suggest that the login credentials used in these access attempts may have been collected by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

Information that has been exposed from this incident includes full names, usernames, profile photos, gender, date of birth, genetic ancestry results, and geographic location.

BleepingComputer also learned that the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials.

The compromised accounts had opted into the platform’s ‘DNA Relatives’ feature, which allows users to find and connect with genetic relatives.

The threat actor accessed a small number of 23andMe accounts and then extracted the data of their DNA Relatives matches, showing how opting into a feature can have unexpected privacy consequences.

23andMe told BleepingComputer that the platform offers two-factor authentication as an additional measure of account protection and encourages all users to enable it.

Users should refrain from reusing passwords and consistently use secure, distinct credentials for each online account they have.
