23andMe has confirmed to BleepingComputer that it is aware of user data from its platform circulating on hacker forums and attributes the leak to a credential-stuffing attack.
23andMe is a U.S. biotechnology and genomics firm offering genetic testing services to customers who send a saliva sample to its labs and get back an ancestry and genetic predispositions report.
Recently, a threat actor leaked samples of data that was allegedly stolen from a genetics firm and, a few days later, offered to sell data packs belonging to 23andMe customers.
The initial data leak was limited, with the threat actor releasing 1 million lines of data for Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.
A 23andMe spokesperson confirmed the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data.
“We have been made conscious that sure 23andMe buyer profile info was compiled via entry to particular person 23andMe.com accounts,” said 23andMe’s spokesperson.
“We wouldn’t have any indication right now that there was an information security incident inside our programs.”
“Slightly, the preliminary outcomes of this investigation counsel that the login credentials utilized in these entry makes an attempt might have been gathered by a menace actor from information leaked throughout incidents involving different on-line platforms the place customers have recycled login credentials.”
The information that has been exposed from this incident includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.
BleepingComputer has also learned that the number of accounts offered by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials.
The compromised accounts had opted into the platform’s ‘DNA Relatives’ feature, which allows users to find genetic relatives and connect with them.
The threat actor accessed a small number of 23andMe accounts and then scraped the data of their DNA Relative matches, which shows how opting into a feature can have unexpected privacy consequences.
23andMe told BleepingComputer that the platform offers two-factor authentication as an additional account protection measure and encourages all users to enable it.
Users should refrain from reusing passwords and consistently use strong, distinct credentials for every online account they have.
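For platform operators, the two stages described above (logins with credentials reused from other breaches, then bulk viewing of relative matches from the few accounts that open) can both be looked for in access logs. The following is an added detection sketch, not code from 23andMe or BleepingComputer; the log format, event names, thresholds and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Thresholds are assumptions for illustration; tune against real baselines.
MIN_DISTINCT_USERS = 5   # distinct usernames tried from one source
MAX_TRIES_PER_USER = 2   # stuffing tries each leaked pair once or twice
MAX_RELATIVE_VIEWS = 20  # distinct relative profiles one account may open

def build_sample_events():
    """Constructed log rows: (source_ip, username, event, detail)."""
    events = []
    # One source replaying leaked pairs: 8 usernames, one try each, 2 succeed.
    for i in range(8):
        outcome = "login_ok" if i in (2, 5) else "login_fail"
        events.append(("203.0.113.7", f"user{i}", outcome, None))
    # One of the opened accounts then walks its relative matches.
    for p in range(40):
        events.append(("203.0.113.7", "user2", "relative_view", f"profile{p}"))
    # Ordinary user: two mistyped passwords, a login, a few relatives viewed.
    events += [("198.51.100.4", "alice", "login_fail", None)] * 2
    events.append(("198.51.100.4", "alice", "login_ok", None))
    for p in range(3):
        events.append(("198.51.100.4", "alice", "relative_view", f"profile{p}"))
    return events

def find_stuffing_sources(events):
    """Sources that try many distinct usernames, each only a few times."""
    tries = defaultdict(lambda: defaultdict(int))
    for ip, user, event, _ in events:
        if event in ("login_ok", "login_fail"):
            tries[ip][user] += 1
    return {ip for ip, users in tries.items()
            if len(users) >= MIN_DISTINCT_USERS
            and max(users.values()) <= MAX_TRIES_PER_USER}

def find_scraped_accounts(events, suspect_ips):
    """Accounts opened from a suspect source that then viewed many relatives."""
    opened = {(ip, user) for ip, user, event, _ in events
              if event == "login_ok" and ip in suspect_ips}
    viewed = defaultdict(set)
    for ip, user, event, detail in events:
        if event == "relative_view" and (ip, user) in opened:
            viewed[user].add(detail)
    return {u: len(p) for u, p in viewed.items() if len(p) > MAX_RELATIVE_VIEWS}

if __name__ == "__main__":
    sample = build_sample_events()
    sources = find_stuffing_sources(sample)
    print("stuffing sources:", sources)
    print("scraped accounts:", find_scraped_accounts(sample, sources))
```

Real campaigns usually spread attempts across many source addresses, so the same grouping is typically repeated on other keys such as ASN, user agent or device fingerprint.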