23andMe confirms stolen user data

Over a million data points from 23andMe accounts appear to have been compromised and surfaced on BreachForums. Although the full extent of the incident remains uncertain, 23andMe has stated that it is actively investigating and working to verify the leaked data.

Genetic testing firm 23andMe has officially acknowledged that data belonging to a subset of its users has been compromised. Importantly, the company says its own systems were not breached. Instead, the attackers gained access to a set of individual accounts by trying login credentials that had been exposed in earlier breaches of other services, and then harvested additional user information through a feature called DNA Relatives. Users opt into DNA Relatives voluntarily, and the data they share there is visible to other participants by design.

Earlier this week, hackers uploaded an initial data sample to BreachForums, asserting that it contained one million data points, primarily pertaining to Ashkenazi Jews. The leak also appears to have affected hundreds of thousands of users of Chinese descent. On Wednesday, the actor responsible began selling what they claim to be 23andMe profiles, at prices ranging from $1 to $10 per account depending on the volume purchased. The data includes a user’s display name, gender, birth year, and some genetic ancestry results, such as a label of “broadly European” or “broadly Arabian” heritage, and may also include more specific geographic ancestry information. Notably, it does not appear to contain the raw genetic data itself.

The company has underscored in a statement that there is no indication of a breach of its systems. It has advised users to use strong, unique passwords and to enable two-factor authentication to prevent unauthorized access to their accounts, particularly if their login credentials have been exposed in other data breaches.

In their official statement, the company remarked, “We were alerted to the fact that specific 23andMe customer profile information was collected by gaining access to individual 23andMe.com accounts. We suspect that the threat actor may have, in violation of our terms of service, entered 23andme.com accounts without proper authorization and obtained information from those accounts.”


The company’s stance regarding the validation of the data leaked by the threat actor has not been entirely transparent. They’ve indicated that their investigation is ongoing and that they have “preliminary results” at this stage. When questioned about verifying the leaked data, a company spokesperson informed WIRED that the leaked information aligns with a scenario in which some user accounts were exposed and subsequently used to collect data visible in DNA Relatives. However, when pressed for more specific details on data validation, the spokesperson clarified that the verification process is still pending, and the company cannot confirm the authenticity of the leaked information.


This issue carries significant implications both for the individuals whose data may have been compromised and because of the possible presence of “celebrity” data in the dump. The actor claims the leaked data includes profiles of notable figures such as technologists Mark Zuckerberg, Elon Musk, and Sergey Brin. These entries contain fields such as “Profile ID,” “Account ID,” name, gender, birth year, and current location, as well as fields labeled “ydna” and “ndna.” It remains unclear whether these entries are genuine or were fabricated. For instance, Musk and Brin appear to share the same profile and account IDs in the leaked data, which is inconsistent with two separate genuine accounts.

The method of exploiting login credentials reused from previous data breaches, commonly referred to as “credential stuffing,” remains a prevalent and effective technique for compromising accounts. Ronnie Tokazowski, an experienced researcher in digital scams, notes that the technique persists largely because many people habitually reuse their passwords, so a password leaked from one site unlocks their accounts on others. That the actor claims to have targeted specific groups, such as Jewish users or celebrities, may not be surprising; it reflects the less savory corners of the internet.
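The two phases described above, credential stuffing against the login form and then bulk harvesting through DNA Relatives from the accounts that were opened, leave distinct traces in server-side logs. The following is an added example, not 23andMe’s code or data: the log format, IP addresses, account names, profile IDs and thresholds are all constructed for illustration. It flags source IPs that try many distinct accounts with a high failure rate, flags accounts that page through an unusual number of relative profiles in a short window, and correlates the two to find accounts that were stuffed and then used for scraping.

```python
"""Credential-stuffing and relatives-scraping detection over constructed log lines.
Added example; the format, addresses, accounts and thresholds are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO time> <event> <src_ip> <account> <detail>"
# For "login" the detail is OK or FAIL; for "relative_view" it is the profile id viewed.
SAMPLE_LOG = """\
2023-10-02T10:00:00Z login 203.0.113.7 user01@example.com FAIL
2023-10-02T10:00:01Z login 203.0.113.7 user02@example.com FAIL
2023-10-02T10:00:02Z login 203.0.113.7 user03@example.com OK
2023-10-02T10:00:03Z login 203.0.113.7 user04@example.com FAIL
2023-10-02T10:00:04Z login 203.0.113.7 user05@example.com FAIL
2023-10-02T10:00:05Z login 203.0.113.7 user06@example.com OK
2023-10-02T10:00:06Z login 203.0.113.7 user07@example.com FAIL
2023-10-02T10:00:07Z login 203.0.113.7 user08@example.com FAIL
2023-10-02T10:00:08Z login 203.0.113.7 user09@example.com FAIL
2023-10-02T10:00:09Z login 203.0.113.7 user10@example.com FAIL
2023-10-02T10:05:00Z login 198.51.100.4 user11@example.com FAIL
2023-10-02T10:05:20Z login 198.51.100.4 user11@example.com OK
2023-10-02T10:06:00Z relative_view 198.51.100.4 user11@example.com P2001
2023-10-02T10:06:30Z relative_view 198.51.100.4 user11@example.com P2002
2023-10-02T10:07:00Z relative_view 198.51.100.4 user11@example.com P2003
"""
# The stuffed account user03 then pages through 25 distinct relative profiles in 25 seconds.
SAMPLE_LOG += "".join(
    f"2023-10-02T10:01:{i:02d}Z relative_view 203.0.113.7 user03@example.com P{1000 + i}\n"
    for i in range(25)
)


def parse_log(text):
    """Parse the constructed line format into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, ip, account, detail = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event": event, "ip": ip, "account": account, "detail": detail})
    return events


def _densest_window(evs, window, key):
    """Slide a time window over time-sorted events; return the slice with most distinct key()s."""
    evs = sorted(evs, key=lambda e: e["ts"])
    best, start = [], 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        win = evs[start:end + 1]
        if len({key(e) for e in win}) > len({key(e) for e in best}):
            best = win
    return best


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=8, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct accounts, mostly failing, inside one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        win = _densest_window(evs, window, key=lambda e: e["account"])
        distinct = len({e["account"] for e in win})
        ratio = sum(e["detail"] == "FAIL" for e in win) / len(win)
        if distinct >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts_tried": distinct,
                "fail_ratio": round(ratio, 2),
                # Successful logins from a stuffing IP are the accounts that were opened.
                "compromised": sorted({e["account"] for e in evs if e["detail"] == "OK"}),
            }
    return flagged


def detect_relative_scraping(events, window=timedelta(minutes=10), max_profiles=20):
    """Flag accounts that view an abnormal number of distinct relative profiles in one window."""
    by_account = defaultdict(list)
    for e in events:
        if e["event"] == "relative_view":
            by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        win = _densest_window(evs, window, key=lambda e: e["detail"])
        peak = len({e["detail"] for e in win})
        if peak > max_profiles:
            flagged[account] = {"peak_profiles_in_window": peak,
                                "ips": sorted({e["ip"] for e in evs})}
    return flagged


def triage(events):
    """Correlate both detectors: accounts opened by a stuffing IP and then used to scrape."""
    stuffing = detect_credential_stuffing(events)
    scraping = detect_relative_scraping(events)
    confirmed = sorted(acct for acct, info in scraping.items()
                       if set(info["ips"]) & set(stuffing))
    return {"stuffing_ips": stuffing, "scraping_accounts": scraping, "confirmed_abuse": confirmed}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_log(SAMPLE_LOG)), indent=2))
```

The thresholds (8 distinct accounts at a 50% failure rate within 10 minutes; more than 20 relative profiles in 10 minutes) are assumptions to tune against a real baseline, and a determined actor spreads attempts across many IPs, so the per-IP rule should be complemented by per-account velocity and a check of submitted passwords against known breach corpora. Mandatory two-factor authentication removes the first phase entirely, which is why the advice above matters more than any detector.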

However, the complete picture regarding the motivations behind this data theft, the extent of the attackers’ haul, and whether it exclusively targets Ashkenazim, for example, remains unclear.


Brett Callow, a threat analyst at security firm Emsisoft, suggests that when data linked to ethnic, national, political, or other groups is shared, it can result either from deliberate targeting or from an attempt to gain media attention. The situation highlights broader concerns about the security of sensitive genetic data and the risks of exposing it on platforms designed like social networks that encourage sharing. Such platforms inevitably inherit the privacy and security challenges that have plagued traditional social networks, including data centralization and scraping.

“This incident serves as a stark reminder of the inherent risks associated with DNA databases,” remarks Callow. “The concerning aspect here is that accounts had apparently opted into the ‘DNA Relatives’ feature, which could potentially lead to the exposure of compassionate information.”

[Update as of 7:00 pm ET, October 6]: It has come to light that data from hundreds of thousands of 23andMe users of Chinese descent also appears to have been exposed in this incident.
