
Genetics firm 23andMe says user data stolen in credential stuffing attack

  • October 6, 2023
  • 4 replies

Jasper_The_Rasper
Moderator

October 6, 2023 By Bill Toulas 

 

23andMe has confirmed to BleepingComputer that it is aware of user data from its platform circulating on hacker forums and attributes the leak to a credential-stuffing attack.

23andMe is a U.S. biotechnology and genomics firm offering genetic testing services to customers who send a saliva sample to its labs and get back an ancestry and genetic predispositions report.

Recently, a threat actor leaked samples of data that was allegedly stolen from a genetics firm and, a few days later, offered to sell data packs belonging to 23andMe customers.

 

Initial leak of genetic data
Source: BleepingComputer

The initial data leak was limited, with the threat actor releasing 1 million lines of data for Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.

 

>> Full Article <<


Jasper_The_Rasper
Moderator

Hacker leaks millions of new 23andMe genetic data profiles

 

October 18, 2023 By Lawrence Abrams 

 

A hacker has leaked an additional 4.1 million stolen 23andMe genetic data profiles for people in Great Britain and Germany on a hacking forum.

Earlier this month, a threat actor leaked the stolen data of 1 million Ashkenazi Jews who used 23andMe services to find their ancestry info and genetic predispositions.

23andMe told BleepingComputer that this data was obtained through credential stuffing attacks on accounts using weak passwords or credentials exposed in other data breaches. However, the company says there is no evidence of a security incident on their IT systems.

Initial 23andMe data leak from earlier this month
Source: BleepingComputer

The company says that only a limited number of accounts were breached, but they opted into the 'DNA Relatives' feature, allowing the threat actor to scrape millions of individuals' data.

 

>> Full Article <<


TripleHelix
Moderator
December 2, 2023

23andMe says hackers accessed ‘significant number’ of files about users’ ancestry

 

December 1, 2023

 

a sign outside 23andMe's office in California, featuring the company's office in the background

Image Credits: David Paul Morris / Bloomberg / Getty Images

Genetic testing company 23andMe announced on Friday that hackers accessed around 14,000 customer accounts in the company’s recent data breach.

In a new filing with the U.S. Securities and Exchange Commission published Friday, the company said that, based on its investigation into the incident, it had determined that hackers had accessed 0.1% of its customer base. According to the company’s most recent annual earnings report, 23andMe has “more than 14 million customers worldwide,” which means 0.1% is around 14,000.

But the company also said that by accessing those accounts, the hackers were also able to access “a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature.”

 

The company did not specify what that “significant number” of files is, nor how many of these “other users” were impacted.

23andMe did not immediately respond to a request for comment, which included questions on those numbers.

In early October, 23andMe disclosed an incident in which hackers had stolen some users’ data using a common technique known as “credential stuffing,” whereby cybercriminals hack into a victim’s account by using a known password, perhaps leaked due to a data breach on another service.

The damage, however, did not stop with the customers who had their accounts accessed. 23andMe allows users to opt into a feature called DNA Relatives. If a user opts in to that feature, 23andMe shares some of that user’s information with others. That means that by accessing one victim’s account, hackers were also able to see the personal data of people connected to that initial victim.

 

23andMe said in the filing that for the initial 14,000 users, the stolen data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.” For the other subset of users, 23andMe only said that the hackers stole “profile information” and then posted unspecified “certain information” online.

TechCrunch analyzed the published sets of stolen data by comparing it to known public genealogy records, including websites published by hobbyists and genealogists. Although the sets of data were formatted differently, they contained some of the same unique user and genetic information that matched genealogy records published online years earlier.

 

Full Article
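The post above describes the two mechanisms behind the breach: credential stuffing (replaying passwords leaked elsewhere against many accounts) and the one-hop sharing of DNA Relatives that turned a few thousand takeovers into millions of exposed profiles. The following is an added example, not code from 23andMe, BleepingComputer or TechCrunch, of the first thing a defender would want: detection logic for a stuffing burst run over constructed login log lines. The log format (timestamp, source IP, account, outcome), the field names and the thresholds are assumptions for the demo, not anything the articles describe.

```python
"""Detect credential-stuffing bursts in authentication logs.

Added example; not code from 23andMe or from the articles quoted above.
The log format, field names and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, account, outcome.
# One IP walks through many distinct accounts in seconds with mostly failures
# (a stuffing signature); two "successes" inside that burst are the real
# takeovers. The other two IPs are ordinary users.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol@example.com SUCCESS
2023-10-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank@example.com SUCCESS
2023-10-01T10:00:07Z 203.0.113.7 grace@example.com FAIL
2023-10-01T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T10:05:00Z 198.51.100.2 alice@example.com FAIL
2023-10-01T10:05:09Z 198.51.100.2 alice@example.com SUCCESS
2023-10-01T10:30:00Z 192.0.2.9 ivan@example.com SUCCESS
"""

EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, account, success)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "SUCCESS"


def detect_stuffing(log_text, window=timedelta(minutes=10), min_accounts=5, min_fail_rate=0.5):
    """Return one alert per (ip, time bucket) whose activity looks like credential
    stuffing: many *distinct* accounts attempted from one source inside the window,
    with a high failure rate. Unlike brute force (many passwords, one account),
    stuffing tries one leaked password per account, so distinct-account count is
    the discriminating signal. The successes inside a flagged burst are the
    accounts that were actually taken over and need a forced password reset,
    even though each of those logins individually looked legitimate.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, ok = parse_line(line)
        # Fixed-size time buckets keyed from a naive epoch so local timezone
        # settings cannot shift the boundaries.
        bucket = int((ts - EPOCH).total_seconds() // window.total_seconds())
        buckets[(ip, bucket)].append((account, ok))

    alerts = []
    for (ip, _), attempts in sorted(buckets.items()):
        accounts = {a for a, _ in attempts}
        failures = sum(1 for _, ok in attempts if not ok)
        if len(accounts) >= min_accounts and failures / len(attempts) >= min_fail_rate:
            alerts.append({
                "ip": ip,
                "accounts": len(accounts),
                "attempts": len(attempts),
                "fail_rate": failures / len(attempts),
                "successes": sorted(a for a, ok in attempts if ok),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(f"{alert['ip']}: {alert['accounts']} accounts, "
              f"{alert['fail_rate']:.0%} failures, takeovers: {alert['successes']}")
```

The point of the `successes` list is that a stuffing attack is invisible if you only alert on failed logins: the takeovers that matter are the successful ones buried in the burst. In production the same logic would run on a stream with a sliding window and would also key on user agent, ASN and device fingerprint, since the attacker will spread requests across proxies.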


Jasper_The_Rasper
Moderator

Massive 23andMe Hack Compromised Nearly 7 Million Users’ Data

 

Around half of all profiles set up with the DNA testing company were affected by the breach.

December 5, 2023 By Mark Alfred

 

The breach of 23andMe user profiles in early October saw hackers obtain the personal data of millions of users, prompting multiple class action lawsuits across the United States and Canada, the company said in a Securities and Exchange Commission disclosure.

Hackers targeted users whose 23andMe passwords matched those found online as a result of other data breaches, initially compromising just 0.1 percent of accounts—around 14,000 total.

But the site’s DNA Relatives tool allowed hackers to access other users’ ancestry information; 23andMe is still working to remove such data from the internet and is working to notify affected customers, it disclosed.

All told, around half of all 23andMe users’ information was compromised to some extent—some 6.9 million profiles.

 

>> Full Article <<


TripleHelix
Moderator
January 3, 2024

23andMe tells victims it’s their fault that their data was breached

 

11:42 AM EST, January 3, 2024

 

23andMe at the gift lounge during the 19th annual Latin GRAMMY Awards at MGM Grand Garden Arena on November 12, 2018 in Las Vegas, Nevada.

Image Credits: Gabe Ginsberg/Getty Images for LARAS

Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by TechCrunch.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.

In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers.

 

The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.

From these 14,000 initial victims, however, the hackers were able to then access the personal data of the other 6.9 million victims because they had opted in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.

In other words, by hacking into only 14,000 customers’ accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked.

But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”

 

Full Article
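The posts above all turn on one number: roughly 14,000 compromised accounts exposing about 6.9 million profiles, because each compromised account could read the fields its DNA Relatives matches had chosen to share. The following is an added example, not 23andMe code or data, that models that one-hop exposure on a small constructed match graph so the amplification factor can be computed, and shows how a per-account cap on relative views (a hypothetical mitigation assumed here, not something the articles say 23andMe had or lacked) bounds the blast radius of a single takeover. The profile names, the graph and the opt-in set are all constructed.

```python
"""Blast radius of one-hop profile sharing (the DNA Relatives pattern).

Added example; not 23andMe code or data. The match graph, the opt-in set and
the view-cap mitigation are assumptions constructed for the demo. The sharing
rule modelled is the one the articles describe: an opted-in account can read
the shared fields of every opted-in account it is matched with.
"""

# Constructed symmetric "relative match" graph. Each edge is a match that the
# feature would surface to both sides.
MATCH_EDGES = [
    ("A", "B"), ("A", "C"), ("A", "D"),
    ("B", "E"),
    ("C", "F"), ("C", "G"),
    ("E", "H"),
    ("I", "J"),
]

# Everyone except J has opted in to sharing with matches.
OPTED_IN = {"A", "B", "C", "D", "E", "F", "G", "H", "I"}


def build_adjacency(edges):
    """Undirected adjacency map from the edge list."""
    adj = {}
    for p, q in edges:
        adj.setdefault(p, set()).add(q)
        adj.setdefault(q, set()).add(p)
    return adj


def exposed_profiles(adj, compromised, opted_in, max_views=None):
    """Profiles whose shared fields an attacker can read after taking over the
    accounts in `compromised`.

    - The compromised accounts themselves are always exposed (full access).
    - Each compromised account that opted in can read every opted-in match.
    - Accounts that never opted in are not readable through the feature.
    - `max_views`, if set, models a hypothetical per-account cap on how many
      matches can be viewed; the attacker gets the first `max_views` in a
      deterministic (sorted) order.
    """
    exposed = set(compromised)
    for acct in compromised:
        if acct not in opted_in:
            continue  # a non-opted-in account sees no relatives
        visible = sorted(m for m in adj.get(acct, ()) if m in opted_in)
        if max_views is not None:
            visible = visible[:max_views]
        exposed.update(visible)
    return exposed


def amplification(adj, compromised, opted_in, max_views=None):
    """Exposed profiles per compromised account: 1.0 means no spillover."""
    return len(exposed_profiles(adj, compromised, opted_in, max_views)) / len(compromised)


if __name__ == "__main__":
    adj = build_adjacency(MATCH_EDGES)
    for victims in ({"A"}, {"A", "E"}, {"I"}, {"J"}):
        exposed = exposed_profiles(adj, victims, OPTED_IN)
        print(f"takeover of {sorted(victims)} exposes {sorted(exposed)} "
              f"(x{amplification(adj, victims, OPTED_IN):.1f})")
    print("with a 2-match view cap, takeover of A exposes",
          sorted(exposed_profiles(adj, {"A"}, OPTED_IN, max_views=2)))
```

Two things the model makes concrete. First, the victim of the spillover is not the account that used a recycled password: I, who did everything right, is exposed the moment any of I's opted-in matches is taken over, which is why the "blame the users" framing in the letter above does not cover most of the 6.9 million. Second, a real match graph is far denser than this toy (each customer can have hundreds or thousands of matches), so the hop from 0.1% of accounts to half of all profiles is exactly what one-hop sharing predicts; throttling how many matches an account can pull, and alerting on accounts that enumerate them, is the control that limits the scrape rather than the password policy.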