23andMe Has Been Pwned… Millions Of Customers Affected

It seems that DNA testing service 23andMe has been pwned, and it’s pretty bad:

23andMe has confirmed to BleepingComputer that it is aware of user data from its platform circulating on hacker forums and attributes the leak to a credential-stuffing attack.

23andMe is a U.S. biotechnology and genomics firm offering genetic testing services to customers who send a saliva sample to its labs and get back an ancestry and genetic predispositions report.

Recently, a threat actor leaked samples of data that was allegedly stolen from a genetics firm and, a few days later, offered to sell data packs belonging to 23andMe customers.

The initial data leak was limited, with the threat actor releasing 1 million lines of data for Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.

A 23andMe spokesperson confirmed the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” stated 23andMe’s spokesperson.

“We do not have any indication at this time that there has been a data security incident within our systems.”

“Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

The information that has been exposed from this incident includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.

BleepingComputer has also learned that the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials.

The compromised accounts had opted into the platform’s ‘DNA Relatives’ feature, which allows users to find genetic relatives and connect with them.
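The pattern described above has two detectable halves: one source spraying recycled passwords across many accounts, then the accounts that did open being used to pull DNA Relatives data in bulk. The following is an added example, not code from the post or from 23andMe; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample of auth/API log lines (not real data): time src_ip user event result
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.5 alice login fail
2023-10-01T10:00:02Z 203.0.113.5 bob login fail
2023-10-01T10:00:03Z 203.0.113.5 carol login ok
2023-10-01T10:00:04Z 203.0.113.5 dave login fail
2023-10-01T10:00:05Z 203.0.113.5 erin login fail
2023-10-01T10:00:06Z 203.0.113.5 carol relatives ok
2023-10-01T10:00:07Z 203.0.113.5 carol relatives ok
2023-10-01T10:00:08Z 203.0.113.5 carol relatives ok
2023-10-01T10:00:09Z 203.0.113.5 carol relatives ok
2023-10-01T10:00:10Z 198.51.100.9 grace login fail
2023-10-01T10:00:11Z 198.51.100.9 grace login ok
2023-10-01T10:00:12Z 198.51.100.9 grace relatives ok
"""


def parse_log(text):
    """Parse whitespace-separated lines into event dicts, skipping malformed ones."""
    fields = ("ts", "ip", "user", "event", "result")
    return [dict(zip(fields, parts)) for parts in map(str.split, text.splitlines())
            if len(parts) == len(fields)]


def detect_credential_stuffing(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames with a low success rate:
    a user mistyping their own password hits one account, stuffing sprays many."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for e in events:
        if e["event"] != "login":
            continue
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        stats["ok"] += 1 if e["result"] == "ok" else 0
    return {ip: (len(s["users"]), s["ok"] / s["attempts"]) for ip, s in per_ip.items()
            if len(s["users"]) >= min_users and s["ok"] / s["attempts"] <= max_success_rate}


def detect_relative_scraping(events, max_pages=3):
    """Flag accounts that pull more DNA Relatives pages than a person browsing would."""
    pages = defaultdict(int)
    for e in events:
        if e["event"] == "relatives" and e["result"] == "ok":
            pages[e["user"]] += 1
    return {user: n for user, n in pages.items() if n > max_pages}
```

In the sample, 203.0.113.5 is flagged for spraying five usernames with one success, and the account it opened (carol) is flagged for pulling four relatives pages, while grace's single failed attempt followed by a normal session is not.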

Well, this is bad. Ken Westin, Field CISO at Panther Labs, explains why:

This is a worry many in the Infosec community had regarding the DNA mapping industry. For the most part, the protection of DNA data has been unregulated — at best, it’s been treated like PII. This recent attack is incredibly troubling, as the attackers specifically targeted an ethnic group and exposed sensitive information about individuals based on ethnic heritage. The attackers in this case presented the Infosec community’s worst fears around using DNA data to target ethnic minorities. The slow pace of regulation and action by law enforcement around the use and protection of DNA data has created a perfect storm for adversaries to exploit and profit from incredibly sensitive data. I’m afraid to say this is just the first shoe to drop when it comes to the breach of DNA data.

Hopefully this event is a wake-up call for those in this industry. And hopefully it gets looked at by those in power, such as members of Congress, because there is clearly an issue here.
