The genetics testing company 23andMe says millions of “pieces of data” stolen from its customers have been offered for sale on an online forum where digital thieves often advertise leaked data. The hackers say they scraped the data from users who had opted into the DNA Relatives feature, which lets people connect with others who share a recent ancestor. The data includes technical details such as origin estimation, phenotype and health information, photos and identification data, and raw genetic data. The hacker posted a sample file of 1 million data points about Ashkenazi Jews and another about users with Chinese heritage. The files were reposted by a user who goes by DarkWebInformer on X (formerly Twitter).
A spokesman for 23andMe said the company was aware of the posting and was investigating the incident. He said the attack was likely based on “credential stuffing,” in which attackers take username-and-password combinations published after other breaches and try them against 23andMe accounts. Wherever a pair still works, the hackers can log into that person’s account and scrape its data.
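The credential-stuffing pattern described above leaves a recognisable server-side trace: one source cycling through many distinct accounts with a low success rate, rather than one account being hammered. The following is an added example, not code from 23andMe or from the article, that runs such a check over constructed login-log lines (the log format, IP addresses, account names, and thresholds are all assumptions).

```python
from collections import defaultdict

# Constructed sample log: "<timestamp> <source_ip> <account> <result>".
# 203.0.113.7 cycles through eight accounts and mostly fails (stuffing);
# 198.51.100.4 is one user who mistypes a password once, then succeeds.
SAMPLE_LOG = """\
2023-10-02T08:00:01Z 203.0.113.7 alice@example.net FAIL
2023-10-02T08:00:02Z 203.0.113.7 bob@example.net FAIL
2023-10-02T08:00:02Z 203.0.113.7 carol@example.net OK
2023-10-02T08:00:03Z 203.0.113.7 dave@example.net FAIL
2023-10-02T08:00:03Z 203.0.113.7 erin@example.net FAIL
2023-10-02T08:00:04Z 203.0.113.7 frank@example.net OK
2023-10-02T08:00:05Z 203.0.113.7 grace@example.net FAIL
2023-10-02T08:00:06Z 203.0.113.7 heidi@example.net FAIL
2023-10-02T08:05:00Z 198.51.100.4 ivan@example.net FAIL
2023-10-02T08:05:09Z 198.51.100.4 ivan@example.net OK
"""

def parse(log_text):
    """Turn each log line into (timestamp, ip, account, succeeded)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "OK"))
    return events

def stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Flag IPs whose attempts span many distinct accounts and mostly fail.
    A brute force on one account touches a single user; a legitimate user
    touches one or two; a shared NAT has many users but a high success rate."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0})
    for _, ip, user, ok in events:
        stat = per_ip[ip]
        stat["users"].add(user)
        stat["ok" if ok else "fail"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        total = s["ok"] + s["fail"]
        if len(s["users"]) >= min_users and s["ok"] / total <= max_success_ratio:
            flagged[ip] = {"users": len(s["users"]), "fail": s["fail"], "ok": s["ok"]}
    return flagged

def compromised_accounts(events, flagged):
    """Accounts a flagged IP logged into: candidates for forced password reset,
    session revocation, and a review of what data was read after login."""
    return sorted({u for _, ip, u, ok in events if ok and ip in flagged})
```

The successful logins from a flagged source are the accounts whose data may already have been scraped, so they are the first place to look in access logs.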
23andMe spokesman Jonathan Greig told Bleeping Computer that it is not yet clear how much of the supposedly stolen data is accurate, but that the attack appears to have been relatively sophisticated. He said the company believes the hackers used passwords exposed in previous breaches to get into some of its users’ accounts. Users should avoid reusing passwords across different websites and should always set up two-factor authentication.
He also recommended that people change their passwords immediately after any breach and use a separate email address for any accounts on sites where they don’t want to receive notifications about suspicious activity. “That way, if your account does become compromised, you have a second line of defense to protect the rest of your digital life,” he said.
The firm, which processes saliva samples to determine a person’s ancestry, says it has 14 million registered users. Its tests are priced at more than $600 each. The company was founded in 2006 and is helmed by Anne Wojcicki — the sister of YouTube CEO Susan Wojcicki and ex-wife of Sergey Brin, co-founder of Google.
One of the data sets advertised for sale on BreachForums, which was later reposted on X, claimed to contain the profiles of 7 million 23andMe users. It also included entries for tech executives such as Mark Zuckerberg and Elon Musk, though it is not yet clear whether those entries are genuine, Wired reports. The seller on BreachForums offers a bundle of 100 profiles for $1,000, with incremental pricing for bulk purchases beyond that. That’s a far cry from the price tag for the dataset of more than a billion records. Reuters was unable to reach the seller.