The genetic testing company 23andMe has confirmed that data belonging to a subset of its users has been compromised. The company stated that its systems were not breached, but rather, attackers managed to access the data by guessing the login credentials of certain users and subsequently scraping additional information from a feature known as DNA Relatives. Users voluntarily share their information through DNA Relatives, allowing others to view it.
The breach came to light when hackers posted an initial data sample on the BreachForums platform, claiming that it contained approximately 1 million data points predominantly related to Ashkenazi Jews. Moreover, hundreds of thousands of users of Chinese descent were also affected by the leak. Subsequently, the actor responsible for the breach began selling alleged 23andMe profiles, pricing them between $1 and $10 per account, depending on the extent of the purchase. The compromised data includes details such as display names, gender, birth years, and some information about genetic ancestry results, such as broadly European or broadly Arabian descent. It may also include more specific geographic ancestry information but does not appear to contain actual raw genetic data.
23andMe was quick to emphasize that there is no evidence of a breach of its systems. They encouraged users to employ strong, unique passwords and enable two-factor authentication to safeguard their accounts from potential compromise using login credentials exposed in other data breaches.
The company stated, “We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts. We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.”
However, 23andMe has not definitively confirmed the validity of the data leaked by the threat actor, stating that their investigation is ongoing, and they currently have “preliminary results.” While the leaked information seems consistent with a scenario in which some user accounts were exposed and then exploited to scrape data visible in DNA Relatives, the company cannot presently verify the authenticity of the leaked information.
This is crucial, not only for those whose information may have been compromised but also because the actor’s data claims to include profiles of “celebrities,” including technologists Mark Zuckerberg, Elon Musk, and Sergey Brin. Entries for these individuals include details such as “Profile ID,” “Account ID,” name, gender, birth year, current location, and certain fields referred to as “ydna” and “ndna.” It remains unclear whether the data for these entries is legitimate or was inserted, as there appear to be inconsistencies, such as Musk and Brin sharing the same profile and account IDs in the leak.
The breach leveraged a technique known as “credential stuffing,” wherein login credentials exposed in previous data breaches are reused to infiltrate accounts where users have reused the same logins. This method remains prevalent due to the widespread habit of password reuse among individuals.
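Credential stuffing leaves a recognisable footprint in authentication logs: one source trying many distinct usernames in a short window, with a low success rate, and the occasional success being the account the attacker then uses. The following detector is an added example written for this article, not code from 23andMe or from any investigation; the log format and the sample events are constructed, and the thresholds are assumptions a defender would tune to their own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events in an assumed key=value format.
# One source (203.0.113.7) sweeps eight different accounts in seconds and
# lands two logins; the other sources look like ordinary users.
SAMPLE_LOG = """\
2023-10-02T10:00:01Z ip=203.0.113.7 user=alice@example.test result=FAIL
2023-10-02T10:00:02Z ip=203.0.113.7 user=bob@example.test result=FAIL
2023-10-02T10:00:03Z ip=203.0.113.7 user=carol@example.test result=OK
2023-10-02T10:00:04Z ip=203.0.113.7 user=dave@example.test result=FAIL
2023-10-02T10:00:05Z ip=203.0.113.7 user=erin@example.test result=FAIL
2023-10-02T10:00:06Z ip=203.0.113.7 user=frank@example.test result=OK
2023-10-02T10:00:07Z ip=203.0.113.7 user=grace@example.test result=FAIL
2023-10-02T10:00:08Z ip=203.0.113.7 user=heidi@example.test result=FAIL
2023-10-02T10:01:00Z ip=198.51.100.20 user=alice@example.test result=FAIL
2023-10-02T10:01:30Z ip=198.51.100.20 user=alice@example.test result=OK
2023-10-02T10:05:00Z ip=192.0.2.44 user=ivan@example.test result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(
            {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}
        )
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that, within `window`, attempted at least
    `min_distinct_users` different accounts with a success ratio at or below
    `max_success_ratio`. Returns {ip: summary}; the summary lists the accounts
    that did log in from that source, which are the ones to force through a
    password reset and 2FA enrolment."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over this source's events, oldest to newest.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            successes = sum(1 for e in span if e["ok"])
            if len(users) < min_distinct_users:
                continue
            if successes / len(span) > max_success_ratio:
                continue
            summary = {
                "distinct_users": len(users),
                "attempts": len(span),
                "successes": successes,
                "compromised_accounts": sorted({e["user"] for e in span if e["ok"]}),
            }
            # Keep the widest qualifying window seen for this source.
            if ip not in flagged or summary["distinct_users"] > flagged[ip]["distinct_users"]:
                flagged[ip] = summary
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The per-source success ratio is what separates stuffing from a single user mistyping a password: a legitimate user fails against one account and then succeeds, whereas a stuffing run fails against most of a list of accounts it was never entitled to. The accounts that did succeed from a flagged source are exactly the ones whose data could then be scraped, so the summary surfaces them for remediation rather than only counting failures.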
The exact motives behind the data theft, the extent of the attackers’ haul, and whether the breach solely targeted Ashkenazi Jews remain unclear. Such incidents raise broader questions about the security of sensitive genetic information and the risks associated with making it available through services designed like social networks to facilitate sharing. These platforms introduce data privacy and security issues reminiscent of those that have plagued traditional social networks, including concerns related to data centralization and scraping.
Brett Callow, a threat analyst at security firm Emsisoft, noted, “This incident really highlights the risks associated with DNA databases. The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”