23andMe Faces Data Security Crisis as User Information Circulates on Hacker Forums

Biotechnology company 23andMe, renowned for its DNA testing kits, has confirmed that user data is currently circulating on hacker forums. This alarming breach resulted from a credential-stuffing attack, according to the company’s statement.

A credential-stuffing attack is a technique where compromised user information, including usernames and passwords from one organization, is obtained by hackers and then reused in attempts to access another organization’s systems—in this case, 23andMe. It’s important to note that this does not appear to be a breach of 23andMe’s internal systems but rather unauthorized access to individual accounts. The attackers behind this incident managed to obtain sensitive information from the compromised accounts, including genetic testing results, photos, full names, and geographical locations, among other data.
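Credential stuffing has a distinctive shape in authentication logs: one client tries many different accounts, each only once or twice, using passwords that are often correct because they were leaked elsewhere. A brute-force attack looks different (one account, many passwords), and ordinary traffic rarely shows one IP cycling through accounts. The detector below, an added example that is not 23andMe's code and not drawn from the article, runs that heuristic over a few constructed log lines; the log format, field names, IP addresses and thresholds are all assumptions made for illustration.

```python
"""
Flag credential-stuffing behaviour in authentication logs.

Added illustration, not 23andMe's code. Log format, usernames, IPs and the
thresholds are constructed for the example. The heuristic: within a time
window, a single source tries MANY DISTINCT accounts, each at most a couple
of times. Successes inside such a window are accounts that should be
treated as compromised (force a password reset, revoke sessions, require MFA).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source IP> <username> <result>"
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol SUCCESS
2023-10-01T10:00:03Z 203.0.113.7 dave FAIL
2023-10-01T10:00:03Z 203.0.113.7 erin FAIL
2023-10-01T10:00:04Z 203.0.113.7 frank SUCCESS
2023-10-01T10:00:09Z 198.51.100.4 alice FAIL
2023-10-01T10:00:15Z 198.51.100.4 alice FAIL
2023-10-01T10:00:20Z 198.51.100.4 alice SUCCESS
2023-10-01T10:05:00Z 192.0.2.9 grace SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, max_attempts_per_user=2):
    """Return {source_ip: {"distinct_users": n, "compromised": [users]}}
    for every source whose activity inside `window` looks like stuffing."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events_by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, events in events_by_ip.items():
        events.sort()  # chronological; tuples compare by timestamp first
        left = 0
        for right in range(len(events)):
            # Slide `left` forward so the window only spans `window` of time.
            while events[right][0] - events[left][0] > window:
                left += 1
            window_events = events[left:right + 1]

            attempts = defaultdict(int)
            for _, user, _ in window_events:
                attempts[user] += 1

            # Stuffing shape: many distinct accounts, each probed only a few
            # times. A single account hit many times is brute force instead,
            # so 198.51.100.4 in the sample is deliberately NOT flagged here.
            if (len(attempts) >= min_distinct_users
                    and max(attempts.values()) <= max_attempts_per_user):
                compromised = sorted(
                    {u for _, u, r in window_events if r == "SUCCESS"})
                prev = findings.get(ip)
                if prev is None or len(attempts) > prev["distinct_users"]:
                    findings[ip] = {"distinct_users": len(attempts),
                                    "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"successful logins on {info['compromised']}")
```

On the sample, only 203.0.113.7 is flagged: six accounts in three seconds, with successful logins on `carol` and `frank`. Those two accounts are the ones a response team would lock and force through a password reset, since the password was almost certainly valid because it had leaked from another service. The single-account pattern from 198.51.100.4 is deliberately left to a separate brute-force rule so that the two attack types are not conflated.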

The initial leak reportedly included “1 million lines of data for Ashkenazi people,” as reported by BleepingComputer. By October 4th, this data was being offered for sale in bulk, with options to purchase increments of 100, 1,000, 10,000, or 100,000 profiles. The full extent of this attack is still unknown, but its impact has likely been amplified by 23andMe’s ‘DNA Relatives’ feature.

The ‘DNA Relatives’ feature is a key aspect that may have exposed more sensitive data. It identifies relatives by comparing the DNA of users with that of other 23andMe members who participate in the feature. After gaining unauthorized access to a certain number of profiles through credential-stuffing, the threat actor behind this breach appears to have extracted ‘DNA Relatives’ results for those profiles, obtaining significantly more sensitive information. The company stated in a FAQ page that “The number of relatives listed […] grows over time as more people join 23andMe.” For the fiscal year 2023, 23andMe reported that it “genotyped” around 14 million customers.

Since going public in 2021, 23andMe has faced increased scrutiny regarding its data protection practices. This scrutiny is warranted because the company deals with highly sensitive medical data derived from saliva samples, including information about predispositions to diseases like Alzheimer’s, Type 2 diabetes, and even cancer. On its website, 23andMe claims to “exceed” data protection standards within its industry. However, this recent data security incident raises questions about the safeguarding of sensitive genetic information.