Breaking News: 23andMe Genetics Firm Exposes Shocking Data Breach, User Information Stolen in Brazen Credential Stuffing Attack
23andMe Confirms User Data Leak Due to Credential-Stuffing Attack
23andMe, a leading U.S. biotechnology and genomics firm, has acknowledged that user data from its platform has been circulating on hacker forums. The company attributes this data leak to a credential-stuffing attack.
As a provider of genetic testing services, 23andMe allows customers to submit saliva samples to its labs and receive detailed reports on their ancestry and genetic predispositions.
In a recent incident, a threat actor leaked samples of data allegedly stolen from a genetics firm. Shortly after, the actor offered to sell data packs belonging to 23andMe customers.
[Image: Initial leak of genetic data. Source: BleepingComputer]
The initial data leak was limited, with the threat actor releasing 1 million lines of data specific to Ashkenazi people. However, on October 4, the actor offered to sell bulk data profiles for $1-$10 per 23andMe account, depending on the quantity purchased.
[Image: Selling stolen genetic data profiles in bulk. Source: BleepingComputer]
A spokesperson from 23andMe has confirmed the legitimacy of the leaked data and stated that the threat actors accessed 23andMe accounts by exploiting exposed credentials from other data breaches. The spokesperson emphasized that there is no evidence of a security incident within 23andMe’s systems.
“We have been informed that certain 23andMe customer profile information was compiled through unauthorized access to individual 23andMe.com accounts,” said the spokesperson.
“At this time, we have no indication of a data security breach within our systems. Our preliminary investigation suggests that the login credentials used in these unauthorized access attempts may have been obtained by threat actors from data leaked during security incidents involving other online platforms, where users tend to reuse login credentials.”
The exposed information includes full names, usernames, profile photos, gender, date of birth, genetic ancestry results, and geographical locations.
BleepingComputer has learned that the number of accounts sold by the cybercriminal does not accurately reflect the number of 23andMe accounts breached using exposed credentials.
The compromised accounts were those that had opted into 23andMe’s ‘DNA Relatives’ feature, which enables users to discover genetic relatives and establish connections with them.
The threat actor targeted a limited number of 23andMe accounts and extracted the data of their DNA Relative matches. This incident highlights the unforeseen privacy consequences of opting into certain features.
23andMe recommends that all users enable two-factor authentication as an additional account protection measure. The company also encourages users to avoid password reuse and to consistently create strong and unique credentials for each online account.
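The login pattern described above, credentials leaked elsewhere being replayed against many accounts, leaves a recognizable trace in authentication logs: one source tries many distinct usernames and almost all attempts fail. The sketch below is an added example, not code from the article or from 23andMe; the log format (timestamp, source IP, username, OK/FAIL), the sample lines and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (hypothetical format: timestamp, source IP, username, outcome).
SAMPLE_LOG = """\
2024-01-15T09:00:01Z 203.0.113.7 user01@example.com FAIL
2024-01-15T09:00:02Z 203.0.113.7 user02@example.com FAIL
2024-01-15T09:00:03Z 203.0.113.7 user03@example.com OK
2024-01-15T09:00:04Z 203.0.113.7 user04@example.com FAIL
2024-01-15T09:00:05Z 203.0.113.7 user05@example.com FAIL
2024-01-15T09:01:00Z 198.51.100.20 alice@example.com OK
2024-01-15T09:01:30Z 198.51.100.20 bob@example.com OK
2024-01-15T09:02:00Z 198.51.100.20 carol@example.com FAIL
2024-01-15T09:02:05Z 198.51.100.20 carol@example.com OK
2024-01-15T09:02:40Z 198.51.100.20 erin@example.com OK
2024-01-15T09:03:00Z 192.0.2.55 dave@example.com FAIL
2024-01-15T09:03:01Z 192.0.2.55 dave@example.com FAIL
2024-01-15T09:03:02Z 192.0.2.55 dave@example.com FAIL
"""

def parse_events(text):
    """Return (ip, user, succeeded) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        events.append((parts[1], parts[2], parts[3] == "OK"))
    return events

def detect_stuffing(events, min_users=4, max_success_ratio=0.3):
    """Flag IPs that try many distinct accounts and succeed on few of them."""
    per_ip = defaultdict(dict)  # ip -> {user: any successful login?}
    for ip, user, ok in events:
        per_ip[ip][user] = per_ip[ip].get(user, False) or ok
    findings = {}
    for ip, users in per_ip.items():
        hit = sorted(u for u, ok in users.items() if ok)
        if len(users) >= min_users and len(hit) / len(users) <= max_success_ratio:
            findings[ip] = {
                "distinct_users": len(users),
                # Accounts the source got into: force a reset and review sessions.
                "accounts_to_reset": hit,
            }
    return findings

if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

The shared-address case (198.51.100.20, many users but mostly successful logins) and the single-account guessing case (192.0.2.55) are deliberately not flagged; only the many-accounts, mostly-failing source is.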