Millions of 23andMe Users Genetic Data Profile Leaked on Cybercrime Forum

Earlier this month, US biotechnology and genetic testing company 23andMe released a statement confirming the sale of its users’ data on a hacking forum.

Since then, the company has seen millions of its users’ data being leaked on BreachForums by a hacker going by the name of Golem. First, on October 2, the hacker released samples of data allegedly stolen from the company, followed by a posting advertising the sale of bulk data. The 1 million lines of data was said to belong to Ashkenazi Jews from around the world.

Later this week, the same threat actor released another set of data (4+ million) claiming to belong to the wealthiest people in the US and Western Europe. According to their claims, the data includes sensitive information about the British Royal family, the Rothschilds, Rockefellers, and more.

Upon learning about the incident, the genetic firm launched an investigation with third-party forensic experts and believes that the breach was a result of credential stuffing attack. It however confirmed that there was no evidence suggesting that its internal network was compromised.

‘’While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,’’ the statement read.

As a result, it is also advising the users to activate multi-factor authentication and reset passwords, rather than using recycled ones.

23andMe believes that only a small number of user accounts were breached; however, the activation of DNA Relatives feature by few users will affect millions of its customers. The effects of which are already being felt by the organization, as it tries to make its way through the myriad of lawsuits filed against it.