Biotech firm 23andMe, renowned for its DNA testing kits, has verified to BleepingComputer that its user data is in circulation within hacker forums. The company has disclosed that this data breach resulted from a credential-stuffing attack. In such an attack, hackers exploit previously compromised user information, including usernames and passwords, obtained from one organization and attempt to reuse it to gain unauthorized access to another organization’s systems, in this case, 23andMe.
Because the attack relied on credential stuffing, this incident does not appear to be a breach of the company’s internal systems. Instead, individual accounts were compromised one by one using passwords their owners had reused elsewhere.
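The pattern that lets a defender tell credential stuffing apart from ordinary failed logins is that one source tries many distinct usernames and most attempts fail, while a forgotten password produces repeated failures on a single account. The following detection heuristic is an added example written for this article, not code from 23andMe or BleepingComputer; the log format, usernames and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real 23andMe data). Assumed format:
# "<timestamp> ip=<addr> user=<name> result=<success|failure>"
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.10 user=alice result=failure
2023-10-01T10:00:02Z ip=203.0.113.10 user=bob result=failure
2023-10-01T10:00:02Z ip=203.0.113.10 user=carol result=success
2023-10-01T10:00:03Z ip=203.0.113.10 user=dave result=failure
2023-10-01T10:00:03Z ip=203.0.113.10 user=erin result=failure
2023-10-01T10:00:04Z ip=203.0.113.10 user=frank result=success
2023-10-01T10:01:00Z ip=198.51.100.7 user=ivan result=failure
2023-10-01T10:01:05Z ip=198.51.100.7 user=ivan result=failure
2023-10-01T10:01:09Z ip=198.51.100.7 user=ivan result=success
2023-10-01T10:02:00Z ip=192.0.2.44 user=judy result=success
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)")

def parse_log(text):
    """Return (ip, user, succeeded) tuples; lines that do not match are skipped."""
    matches = (LINE_RE.search(line) for line in text.splitlines())
    return [(m["ip"], m["user"], m["result"] == "success") for m in matches if m]

def detect_credential_stuffing(events, min_users=5, max_success_rate=0.5):
    """Return {ip: stats} for sources whose pattern matches credential stuffing:
    many *distinct* usernames tried from one source with a low overall success
    rate. One user failing repeatedly (forgotten password) is not flagged."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].add(user)
    flagged = {}
    for ip, s in per_ip.items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            # "compromised" lists accounts that accepted a reused password:
            # candidates for a forced reset and session revocation, not just a block.
            flagged[ip] = {"distinct_users": len(s["users"]), "attempts": s["attempts"],
                           "success_rate": round(rate, 2), "compromised": sorted(s["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

In the constructed sample only 203.0.113.10 is flagged, with carol and frank listed as accounts that accepted a reused password; the single-user failures from 198.51.100.7 are left alone.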
The individuals behind this attack seem to have acquired highly sensitive information from the compromised accounts, which includes genetic testing results, photographs, full names, and geographical locations, among other data.
According to BleepingComputer, the initial data leak encompassed “1 million lines of data for Ashkenazi people.” Subsequently, as of October 4, this data was being offered for sale in various packages, ranging from 100 to 100,000 profiles. The exact scale of this breach remains uncertain, but its impact is likely to have been amplified by 23andMe’s ‘DNA Relatives’ feature.
The ‘DNA Relatives’ feature identifies genetic relatives by comparing a user’s DNA with that of other 23andMe members participating in the same feature. After gaining unauthorized access to an unspecified number of profiles through credential-stuffing, the threat actor responsible for this breach apparently scraped the ‘DNA Relatives’ results for those profiles, obtaining even more sensitive data.
According to information available on the company’s FAQ page, “The number of relatives listed… grows over time as more people join 23andMe.” Notably, for the fiscal year 2023, the company reported that it had “genotyped” approximately 14 million customers.
Ever since 23andMe went public in 2021, it has faced heightened scrutiny regarding its data protection practices, which is entirely warranted given the sensitive medical data it handles, derived from saliva samples. This data includes information about predispositions for diseases such as Alzheimer’s, Type 2 diabetes, and even cancer. On its official website, the company asserts that it surpasses industry standards for data protection.