A group of 23andMe users’ data was stolen by hackers and posted for sale on BreachForum, Wired reported.
On Friday (Oct. 6), the company confirmed that data was compromised, but said that there wasn’t a data breach. Instead, the hackers guessed the logins for users and then used DNA Relatives, an opt-in 23andMe feature where users share information with each other, to gather more data.
SEE ALSO:
Discord.io suffers massive data breach, announces closure
The stolen data appears to be a targeted attack on Ashkenazi Jews as the hacker who posted the sample data on BreachForum, “claimed it contained over one million data points about exclusively Ashkenazi Jews,” according to Wired. Additionally, hundreds of thousands of users of Chinese decent had their data leaked.
“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” the company said in a statement to Wired. “We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.”
The hacker is selling 23andMe data profiles for between $1 to $10 and the sample data includes Mark Zuckerberg, Elon Musk, and Sergey Brin. These profiles include name, sex, birth year, and some additional genetic information. But 23andMe told Wired that, while data was compromised, the sample data has not been verified by the company.
The method likely used in the leak was “credential stuffing,” a technique where previously breached credentials are used on other accounts. It’s effective because people reuse passwords. 23andMe recommends users enable two-factor authentication to protect themselves going forward.
Topics
Apps & Software
Privacy