23andMe investigating theft and leak of user data
Genetic testing company 23andMe said Friday that it believes some of its users' data was compromised in a credential-stuffing attack and is being circulated on a dark-web hacking forum.
Why it matters: The attacker behind the incident has already leaked an initial sample of 1 million data points about users with Ashkenazi Jewish heritage to a popular hacking forum, according to a post seen by Axios.
- The initial sample includes people's full names, birth years, location information and more, per the post.
- The attacker also reportedly published a separate sample with information about more than 300,000 users with Chinese heritage earlier in the week, according to The Record.
Driving the news: A 23andMe spokesperson said in a statement to Axios that the company is aware that a threat actor has leaked a yet-to-be-determined number of users' information onto the dark web.
- "We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts," the spokesperson said. "We are taking this issue seriously and will continue our investigation to confirm these preliminary results."
- However, the spokesperson stressed that the company does not "have any indication at this time that there has been a data security incident within our systems."
- Instead, the company believes the attacker gained access to users' accounts by reusing passwords stolen from breaches of other companies' systems.
The big picture: 23andMe is best known for providing mail-in DNA testing for consumers curious to learn more about their ancestry and health.
- But privacy hawks and regulators have long raised concerns about how companies in this field are safeguarding the highly sensitive information they collect about their users.
- At this time, it does not appear the data leaks include consumers' raw genetic data.
Details: While 23andMe is early in its investigation, a spokesperson said preliminary results suggest the attacker accessed users' accounts using passwords that users likely had recycled from other sites.
- From there, the threat actor scraped data about other 23andMe users who had opted into the company's DNA Relatives tool, which matches users who appear to be genetically related.
- DNA Relatives matches can view each other's basic profile information.
Yes, but: 23andMe is still investigating the incident, and it remains unclear how much data the attackers were able to steal and whether the incident just targeted users with Ashkenazi and Chinese heritage.
- Earlier this week, the attacker was seen trying to sell 23andMe users' profiles in bulk from $1-$10 per account, according to BleepingComputer.
Be smart: 23andMe will determine the best way to notify impacted customers as it learns more about the incident. But for now, 23andMe recommends its users reset their passwords and turn on two-factor authentication for login.