Genetics firm 23andMe has reported a data breach resulting from a credential stuffing attack, revealing that user data from its platform has appeared on hacker forums. This breach affected customers who use 23andMe’s genetic testing services, exposing sensitive information.
Initially, a threat actor leaked genetic data for Ashkenazi individuals, but later they offered to sell data profiles from 23andMe customers in bulk for $1-$10 per account.
A spokesperson from 23andMe confirmed that the stolen data is legitimate and stated that the attack used exposed credentials from other breaches to access 23andMe accounts. The breach included personal information such as full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location. Notably, the compromised accounts were those that had opted into 23andMe’s ‘DNA Relatives’ feature, allowing users to find genetic relatives.
This incident highlights the importance of using unique, strong passwords for online accounts and enabling two-factor authentication when available. The compromised accounts illustrate the potential privacy consequences of opting into certain features, even in a genetics testing service like 23andMe. The company is taking steps to address the breach and urges all users to enhance their account security practices.