The identical hacker who leaked a trove of person knowledge stolen from the genetic testing firm 23andMe two weeks in the past has now leaked thousands and thousands of latest person information.
On Tuesday, a hacker who goes by Golem revealed a brand new dataset of 23andMe person data containing information of 4 million customers on the recognized cybercrime discussion board BreachForums. information.killnetswitch has discovered that among the newly leaked stolen knowledge matches recognized and public 23andMe person and genetic data.
Golem claimed the dataset accommodates data on individuals who come from Nice Britain, together with knowledge from “the wealthiest folks residing within the U.S. and Western Europe on this listing.”
23andMe spokespeople didn’t instantly reply to a request for remark.
On October 6, 23andMe introduced that hackers had obtained some person knowledge, claiming that to amass the stolen knowledge the hackers used credential stuffing — a standard approach the place hackers strive mixtures of usernames or emails and corresponding passwords which can be already public from different data breaches.
Contact Us
Do you might have extra details about the 23andMe incident? We’d love to listen to from you. You possibly can contact Lorenzo Franceschi-Bicchierai securely on Sign at +1 917 257 1382, or by way of Telegram, Keybase, and Wire @lorenzofb, or e-mail lorenzo@techcrunch.com. You can too contact information.killnetswitch by way of SecureDrop.
In response to the incident, 23andMe prompted customers to vary their passwords and inspired switching on multi-factor authentication. On its official web page addressing the incident, 23andMe stated it has launched an investigation with assist from “third-party forensic specialists.” 23andMe blamed the incident on its prospects for reusing passwords, and an opt-in characteristic referred to as DNA Kinfolk, which permits customers to see the information of different opted-in customers whose genetic knowledge matches theirs. If a person had this characteristic turned on, in concept it could permit hackers to scrape knowledge on a couple of person by breaking right into a single person’s account.
There are nonetheless numerous unanswered questions on this incident. It’s not recognized if the hackers really used credential stuffing and never one other approach to steal the information, how a lot person knowledge was stolen, and what the hackers intend to do with it.
The incident seems to have been performed, or no less than launched, a number of months in the past. On August 11, a hacker on one other cybercrime discussion board referred to as Hydra marketed a set of 23andMe person knowledge. That set of person knowledge matched among the person information leaked two weeks in the past, based on a information.killnetswitch evaluation.
Whatever the many unanswered questions, what’s clear is that we nonetheless don’t know the total extent of this knowledge leak. And it’s not clear that 23andMe is aware of but how a lot knowledge was taken.
