While one threat actor has leaked alleged 23andMe user data, another is advertising ‘Genetic Data For Sale,’ with prices determined by the number of profiles.
23andMe, a popular DNA testing company, is investigating a potential data breach after a hacker claimed to have obtained data from at least 7 million users.
The threat actor shared a link to a download for the stolen data on the infamous Breached hacking forum, but 23andMe denies that a breach has occurred.
“We do not have any indication at this time that there has been a data security incident within our systems,” a company spokesperson told Hackread.com.
“The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.
The company believes the hacker may have acquired login credentials from previous data breaches and replayed them against 23andMe accounts, a technique known as credential stuffing. Below is a screenshot from the hacker forum, shared on X (formerly Twitter) by the account @DarkWebInformer.
Although the hacker claims to have obtained data on at least 7 million users, it’s possible that much of the data was actually scraped through a profile-viewing feature available to 23andMe members.
23andMe has an opt-in feature called DNA Relatives that matches you with other users on the platform who share DNA with you. Users who opt in create a profile that other opted-in members can see, showing ancestry results and, if provided, a photo and birth year.
Hence, it’s possible that the hacker broke into a smaller number of accounts and then used the DNA Relatives view of each compromised account to harvest details about hundreds of other members. Note that this does not require compromising the scraped members’ own accounts: their data is exposed by a feature working as designed, so their own passwords and two-factor settings are irrelevant once a connected account has been taken over.
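The two-stage pattern described above, credential stuffing followed by relative-profile scraping, is what a defender would want to spot in authentication and application logs. The following is an added example, not 23andMe’s code or anything derived from the incident; the log format (`timestamp key=value ...`), the event names, the usernames, the thresholds and the IPs are all constructed for illustration. It flags source IPs that try many distinct usernames with a high failure ratio, flags accounts that view far more DNA Relatives profiles than a normal member would, and then correlates the two.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical "timestamp key=value ..." format.
# These are NOT real 23andMe logs; IPs come from documentation ranges (RFC 5737).
LOGIN_LINES = """\
2023-10-02T10:00:01Z event=login user=alice ip=203.0.113.5 result=fail
2023-10-02T10:00:02Z event=login user=bob ip=203.0.113.5 result=fail
2023-10-02T10:00:03Z event=login user=carol ip=203.0.113.5 result=fail
2023-10-02T10:00:04Z event=login user=dave ip=203.0.113.5 result=success
2023-10-02T10:00:05Z event=login user=erin ip=203.0.113.5 result=fail
2023-10-02T10:00:06Z event=login user=frank ip=203.0.113.5 result=fail
2023-10-02T10:00:07Z event=login user=grace ip=198.51.100.7 result=fail
2023-10-02T10:00:08Z event=login user=grace ip=198.51.100.7 result=success
2023-10-02T10:00:09Z event=relative_view user=grace ip=198.51.100.7 profile=p0900
2023-10-02T10:00:10Z event=relative_view user=grace ip=198.51.100.7 profile=p0901
"""

# The stuffed account "dave" then walks 200 DNA Relatives profiles in a few minutes (constructed).
SCRAPE_LINES = "\n".join(
    f"2023-10-02T10:{1 + i // 60:02d}:{i % 60:02d}Z event=relative_view "
    f"user=dave ip=203.0.113.5 profile=p{i:04d}"
    for i in range(200)
)

SAMPLE_LOG = LOGIN_LINES + SCRAPE_LINES + "\n"

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        if "=" not in tok:
            return None
        key, val = tok.split("=", 1)
        ev[key] = val
    return ev


def parse_log(text):
    """Parse all non-empty lines, silently dropping malformed ones."""
    parsed = (parse_line(ln) for ln in text.splitlines() if ln.strip())
    return [ev for ev in parsed if ev is not None]


def find_credential_stuffing(events, min_distinct_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct usernames and mostly fail.

    Returns {ip: {"users": n, "attempts": n, "failures": n}} for flagged IPs only.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for ev in events:
        if ev.get("event") != "login":
            continue
        s = stats[ev.get("ip", "?")]
        s["users"].add(ev.get("user", "?"))
        s["attempts"] += 1
        if ev.get("result") != "success":
            s["failures"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["failures"] / s["attempts"]  # attempts >= 1 by construction
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {"users": len(s["users"]),
                           "attempts": s["attempts"],
                           "failures": s["failures"]}
    return flagged


def find_relative_scraping(events, max_profiles=50):
    """Flag accounts viewing more distinct relative profiles than a normal member would.

    Returns {user: distinct_profiles_viewed} for accounts above the threshold.
    """
    seen = defaultdict(set)
    for ev in events:
        if ev.get("event") == "relative_view":
            seen[ev.get("user", "?")].add(ev.get("profile", "?"))
    return {u: len(p) for u, p in seen.items() if len(p) > max_profiles}


def correlate_stuffed_scrapers(events):
    """Accounts whose successful login came from a stuffing IP and that then scraped relatives."""
    stuffing_ips = find_credential_stuffing(events)
    scrapers = find_relative_scraping(events)
    hits = set()
    for ev in events:
        if (ev.get("event") == "login" and ev.get("result") == "success"
                and ev.get("ip") in stuffing_ips and ev.get("user") in scrapers):
            hits.add(ev["user"])
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing IPs:", find_credential_stuffing(evs))
    print("scraping accounts:", find_relative_scraping(evs))
    print("compromised then scraping:", correlate_stuffed_scrapers(evs))
```

The per-IP aggregation catches the simple case in the sample; a campaign spread across a large proxy pool, with one or two attempts per IP, will slip under `min_distinct_users`, so in practice you would also aggregate the other way (distinct source IPs per account, global failure-rate spikes, and breached-password hits at login time). The scraping detector is the more important of the two here, since it fires on abuse of a feature that is working as designed, which no amount of password hygiene on the scraped members’ side would prevent.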
The incident bears resemblance to a recent one involving Duolingo, in which a threat actor exploited an API to extract and disclose information from 2.6 million users.
Genetic Data For Sale
Another threat actor is offering ‘Genetic Data For Sale,’ purportedly belonging to 23andMe users, with a price tag of $100,000 for 100,000 profiles. They claim to possess a range of data, including “Tailored ethnic groupings, individualized data sets, pinpointed origin estimations, haplogroup details, phenotype information, photographs, links to hundreds of potential relatives, and most crucially, raw data profiles.”
This is not the first time a DNA service has made headlines due to a data breach. In June 2018, the DNA testing website MyHeritage disclosed a breach that exposed the email addresses and hashed passwords of 92 million users.
Currently, 23andMe is treating the matter seriously and continuing its investigation. In the meantime, users are encouraged to update their passwords and enable two-factor authentication to safeguard their accounts against unauthorized access.
Here are some additional tips for protecting your 23andMe account:
- Enable two-factor authentication.
- Use a strong password and don’t reuse it for other online accounts.
- Be careful about what information you share in your DNA Relatives profile, and consider opting out of the feature if you do not need it.
- Be wary of clicking on links or attachments in emails or messages from unknown senders.
If you are concerned about your privacy, you can also choose to delete your 23andMe account and DNA data.