Genetics firm 23andMe Faces Data Breach Due to Credential Misuse

The leading U.S. genetics company, 23andMe, has acknowledged a concerning event wherein user data has been found on hacking platforms. The root cause appears to be a credential-stuffing attack.

Photo Credit: ideadesign/Shutterstock.

23andMe offers an in-depth look into one’s ancestry and genetic tendencies, achieved by analyzing saliva samples sent by users.

Disturbingly, data purportedly sourced from a genetics entity was leaked online. Shortly after, offers emerged to sell comprehensive data sets tied to 23andMe users.

While the initial exposure revealed data about 1 million Ashkenazi individuals, by October 4, the culprits began to offer full user profiles, with prices ranging from $1 to $10 per 23andMe account, contingent on the purchase size.

In discussions with TechGuard, a representative from 23andMe authenticated the data’s credibility. They elucidated that malefactors had leveraged credentials compromised in separate, unrelated breaches to access 23andMe accounts, thus pilfering the data.

The spokesperson clarified, “We were made aware that certain 23andMe customer profile information was compiled through access to individual accounts,” and added, “We do not have any indication at this time that there has been a data security incident within our systems.”

Elaborating on the likely modus operandi, the representative stated, “Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

Exposed details from this breach included full names, usernames, images, gender, birth data, genetic analysis outcomes, and physical locations.

Further findings shared with TechGuard suggest a discrepancy in the figures – the number of accounts the hacker purportedly sold versus the actual number of 23andMe accounts infiltrated using the leaked credentials.

A point of interest is that the affected accounts had activated the ‘DNA Relatives’ feature on 23andMe, a function that assists users in discovering and linking with genetic relatives. The intruder tapped into a select number of 23andMe accounts and harvested data from their DNA Relative matches, highlighting potential privacy ramifications even for seemingly benign features.

To fortify account security, 23andMe underscored its two-factor authentication provision and recommended its adoption by users. This episode underscores the importance of unique, strong credentials for each online presence and refraining from password repetition.