(CTN News) – In a statement to BleepingComputer, the biotech company 23andMe, known for its DNA testing kits, confirmed that the company’s users’ data are being circulated on hacker forums.
Credential stuffing is believed to have been the cause of the leak, according to the company.
In a credential-stuffing attack such as this one, the attacker takes user credentials (usernames and passwords, for example) that were compromised at another organization and reuses them against a second organization – in this case, 23andMe.
Because of the nature of credential stuffing, it does not appear that the company’s internal systems were breached in this attack.
Instead, accounts were broken into piecemeal rather than in a systematic manner.
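As an added illustration (not from the article or from 23andMe), here is how a defender might spot the credential-stuffing pattern described above in authentication logs: many distinct accounts tried from one source in a short window, most of them failing, with the few successes being the accounts to reset and notify. The log lines, IP addresses and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real 23andMe logs):
# timestamp, source IP, account, outcome
SAMPLE_EVENTS = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol@example.com OK
2023-10-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank@example.com OK
2023-10-01T10:00:30Z 198.51.100.9 alice@example.com FAIL
2023-10-01T10:00:45Z 198.51.100.9 alice@example.com OK
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: (distinct_accounts, failures, successes)} for sources that look like
    credential stuffing: many *different* accounts tried from one IP within `window`,
    mostly failing, because reused leaked credentials only work for a fraction of users."""
    by_ip = defaultdict(list)
    for ts, ip, account, outcome in events:
        by_ip[ip].append((ts, account, outcome))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            burst = [r for r in rows[i:] if r[0] - start <= window]
            accounts = {a for _, a, _ in burst}
            fails = sum(1 for _, _, o in burst if o == "FAIL")
            if len(accounts) >= min_accounts and fails / len(burst) >= min_fail_ratio:
                flagged[ip] = (len(accounts), fails, len(burst) - fails)
                break  # one qualifying burst is enough to flag this source
    return flagged

def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source: these are the
    piecemeal takeovers to force-reset and notify, not evidence of a system breach."""
    return sorted({a for _, ip, a, o in events if ip in flagged and o == "OK"})
```

In a real deployment the same logic would run over an auth-log stream, and the thresholds would be tuned against normal traffic from shared NAT addresses.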
There is no doubt that the perpetrators of this attack obtained quite sensitive information from the compromised accounts, including genetic testing results, photos, full names and location.
According to BleepingComputer, “1 million lines of data for Ashkenazi people” were initially leaked. On October 4, it was revealed that the data was being sold in bulk, in increments of 100, 1,000, 10,000 or 100,000 profiles.
Although the full extent of the attack is not yet clear, 23andMe’s “DNA Relatives” feature is likely to have exacerbated its impact considerably.
According to 23andMe, DNA Relatives is a feature that allows members to identify their relatives by comparing their DNA with the DNA of other people participating in DNA Relatives.
Once the threat actor behind this breach had accessed an unknown number of profiles by credential stuffing, he scraped the ‘DNA Relatives’ results for those profiles in order to obtain far more sensitive information.
As stated on the same FAQ page, “the number of relatives listed will grow over time as more people join 23andMe.” The company reported that around 14 million customers had been genotyped by the end of fiscal year 2023.
It is no secret that 23andMe has faced extra scrutiny for its data protection practices ever since it went public in 2021, and rightly so, as it deals with sensitive medical data derived from saliva samples, including the predisposition for diseases such as Alzheimer’s, Type 2 diabetes, and even cancer.
The company asserts on its website that it “exceeds” the security standards for its industry when it comes to protecting data.