An anonymous hacker made hundreds of thousands of 23andMe profiles available for purchase on a hacker forum.
23andMe is a genetics testing company that provides consumers with the ability to discover their traits, health predisposition, carrier status, build family trees, and locate unknown relatives based on their DNA overlaps.

The allegedly stolen profiles from 23andMe contain names, email addresses, phenotype information, DNA-estimated origin, photographs, and connections to potential relatives. The cybercriminal offers a variety of purchase options to encourage bulk purchases, including $1,000 for 100 profiles, $5,000 for 1,000 profiles, $20,000 for 10,000 profiles, and $1 per compromised account for those purchasing a vast dataset of 100,000 records.

A few days prior to this sale, the same user offered a limited number of downloads for datasets containing one million profiles from an unnamed genetics company, alleging that the data contained information on notable individuals. Although the number of users who downloaded the bundles was limited, those who did so continued to offer them through new forum posts.

23andMe released a statement attributing the data compromise to "credential stuffing" attacks that allowed unauthorized access to accounts. The statement reads:
"We believe that the threat actor may have then, in violation of our Terms of Service, accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users' DNA Relatives profiles, to the extent a user opted into that service."
Credential stuffing is an attack that takes account credentials disclosed in breaches of other platforms and replays them against other services. It only works against users who engage in the risky practice of "password recycling," that is, using the same password on multiple websites.
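Because stuffing replays one breached credential per account rather than many guesses against one account, per-account lockout thresholds tend to miss it. The detector below, an added example that is not 23andMe's code, runs over constructed login records in an assumed log format and flags a source that touches many distinct accounts in a short window with a low success rate; the accounts it did log into are the ones to reset and review.

```python
"""Heuristic credential-stuffing detector run over constructed login records.

Added example, not 23andMe's code; the log format and the sample lines are
assumptions made for illustration. Credential stuffing has a distinctive
shape in authentication logs: one source tries many *different* usernames,
each only once or twice, with a low success rate. A brute-force attack looks
the opposite (one username, many attempts), which is why per-account lockout
thresholds alone tend to miss stuffing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO-8601 timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com LOGIN_FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com LOGIN_FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol@example.com LOGIN_OK
2023-10-01T10:00:03Z 203.0.113.7 dave@example.com LOGIN_FAIL
2023-10-01T10:00:04Z 203.0.113.7 erin@example.com LOGIN_FAIL
2023-10-01T10:00:05Z 203.0.113.7 frank@example.com LOGIN_FAIL
2023-10-01T10:00:06Z 203.0.113.7 grace@example.com LOGIN_OK
2023-10-01T10:00:07Z 203.0.113.7 heidi@example.com LOGIN_FAIL
2023-10-01T10:00:08Z 203.0.113.7 ivan@example.com LOGIN_FAIL
2023-10-01T10:00:09Z 203.0.113.7 judy@example.com LOGIN_FAIL
2023-10-01T10:05:00Z 198.51.100.4 alice@example.com LOGIN_FAIL
2023-10-01T10:05:30Z 198.51.100.4 alice@example.com LOGIN_OK
2023-10-01T10:06:00Z 192.0.2.9 bob@example.com LOGIN_OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, outcome == "LOGIN_OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Flag source IPs that touched >= min_users distinct accounts within `window`
    with a success rate at or below max_success_rate.

    Returns {ip: {"distinct_users": n, "success_rate": r, "compromised": [users]}}
    where "compromised" lists the accounts the flagged source logged into
    successfully: those are the ones to force a password reset on and review.
    """
    by_ip = defaultdict(list)
    for when, ip, user, ok in events:
        by_ip[ip].append((when, user, ok))

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        # Slide a window over this source's attempts in time order.
        for i in range(len(attempts)):
            start = attempts[i][0]
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {user for _, user, _ in in_window}
            if len(users) < min_users:
                continue
            rate = sum(ok for _, _, ok in in_window) / len(in_window)
            if rate <= max_success_rate:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "success_rate": round(rate, 2),
                    "compromised": sorted({user for _, user, ok in in_window if ok}),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"success rate {info['success_rate']}, "
              f"accounts to reset: {info['compromised']}")
```

On the constructed sample only 203.0.113.7 is flagged: ten distinct accounts in nine seconds with two successes. The two single-account sources are left alone, which is the point of keying on distinct usernames rather than failure counts; in production the same logic would run per source network or per device fingerprint, since stuffing tools rotate IPs.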
In this instance, however, the cybercriminal is selling far more 23andMe profiles than could plausibly have been compromised directly by credential stuffing. The company's spokesperson explained that this is due to an optional feature on the platform that connects relatives based on DNA similarity, which was enabled on all compromised accounts. This escalated the breach's impact from a few compromised accounts to the vast number of profiles listed in the forum post.
The DNA Relative Finder is an opt-in feature that allows members to discover and connect with individuals who share their DNA. Because this feature was active, the attacker obtained data from accounts that had not themselves been compromised by credential stuffing, including accounts that followed best security practice by using a strong, unique password.
The data for this subcategory of users does not contain the extensive genetic information contained in the compromised accounts, but it does expose a display name, profile photo, profile sex, birth year, predicted relationships with their match, portions of their genetic ancestry results, and locations.
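The escalation described in the last few paragraphs is a blast-radius problem: each stuffed account that had the relatives feature enabled reveals the match-profile fields of every opted-in relative, without any of those relatives' accounts being touched. The model below, an added example that is not 23andMe's code, makes that exposure computable for a constructed set of accounts and a constructed match graph; the field lists follow the article, while the account names, the graph and the one-hop visibility rule are assumptions.

```python
"""Estimating how far a few account takeovers reach through a relative-matching feature.

Added example, not 23andMe's code. It models the amplification described in the
article: accounts taken over by credential stuffing that had DNA Relatives
enabled let the attacker view the match-profile fields of every opted-in
relative, even though those relatives' own accounts were never compromised.
The account names, match graph and one-hop visibility rule are constructed
for illustration; the real feature's data model is not known from the article.
"""

# What the account owner (and therefore whoever holds the account) can see.
OWNER_FIELDS = frozenset({
    "name", "email", "phenotypes", "ancestry_estimate", "photos", "relative_links",
})
# What a match can see about an opted-in relative, per the field list in the article.
MATCH_FIELDS = frozenset({
    "display_name", "profile_photo", "sex", "birth_year",
    "predicted_relationship", "ancestry_segments", "location",
})


def exposure(compromised, opted_in, matches):
    """Return {user: set of exposed fields} for a set of compromised accounts.

    matches maps each user to the users the feature pairs them with (one hop:
    a member sees their own matches, not their matches' matches). A relative's
    fields are exposed only if both the compromised account and the relative
    had opted in.
    """
    exposed = {acct: set(OWNER_FIELDS) for acct in compromised}
    for acct in compromised:
        if acct not in opted_in:
            continue  # feature disabled: the takeover exposes only this account
        for rel in matches.get(acct, ()):
            if rel in opted_in and rel not in compromised:
                exposed.setdefault(rel, set()).update(MATCH_FIELDS)
    return exposed


def amplification(exposed, compromised):
    """Exposed profiles per directly compromised account."""
    return len(exposed) / len(compromised)


# Constructed data: two stuffed accounts, a small match graph, one relative opted out.
COMPROMISED = {"a1", "a2"}
OPTED_IN = {"a1", "a2", "r1", "r2", "r3", "r5"}
MATCHES = {
    "a1": {"r1", "r2"},
    "a2": {"r2", "r3", "r4"},   # r4 never opted in, so r4 stays out of the blast radius
    "r5": {"r1"},               # r5 is opted in but matches no compromised account
}

if __name__ == "__main__":
    result = exposure(COMPROMISED, OPTED_IN, MATCHES)
    for user, fields in sorted(result.items()):
        print(f"{user}: {sorted(fields)}")
    print(f"amplification: {amplification(result, COMPROMISED):.1f}x")
```

With two stuffed accounts the constructed graph yields five exposed profiles, a 2.5x amplification; the sale listing's hundreds of thousands of profiles are the same mechanism at scale. When scoping a breach, opt-in sharing features belong in scope alongside the directly compromised accounts, and notifying only the latter understates who was affected.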
All accounts that appear to have been compromised by unauthorized access will have their passwords reset by 23andMe. However, the company's scanners may miss some cases of account hijacking, so users should take precautions themselves. In addition, all 23andMe users are advised to enable two-factor authentication to safeguard their accounts from future attacks of this nature.
A class action lawsuit was filed in California federal court. The plaintiffs assert that 23andMe customers affected by the data breach face a "present and imminent threat" of fraud and identity loss. In addition, the lawyers contend that 23andMe did not provide adequate information about the incident or about how consumer data would be secured. The complaint also asserts that the company lacked adequate security measures that could have prevented the attack.
Do you think you could be affected? Here is what to do:
California, Virginia, and Colorado are among the states with comprehensive privacy laws that give residents a right to deletion. It's in your best interest to contact 23andMe and request that they expunge your information.
Identity theft protection is also available. Some companies offer an extensive array of identity fraud protections, such as alerts whenever your sensitive information is used on applications.
References:
- 23andMe Blog - Addressing Data Security Concerns
- 23andMe - October 9th 2023 California lawsuit