23andMe confirms attackers stole raw genotype data


23andMe, a popular direct-to-consumer genetic testing service, has informed affected users that attackers may have accessed their genotype data, health reports, and other sensitive details.

Millions of users had their data exposed after a credential-stuffing attack allowed hackers to access sensitive user information without an actual breach of the company’s systems.

According to a breach notification letter 23andMe sent to impacted individuals, the attack lasted five months, from late April 2023 through September 2023. The company said that attackers could access user accounts due to reused passwords.

“The threat actor was able to gain access to your account because the username and password that you used on 23andMe.com were the same as those that you used on other websites that were previously compromised or otherwise available,” the company said.

23andMe’s investigation revealed that attackers accessed users’ “uninterrupted raw genotype data” and other sensitive data such as health reports, health-predisposition reports, wellness reports, and carrier status reports.

In October last year, a threat actor using the name Golem claimed to have obtained data from seven million 23andMe users and shared samples of the data on the cybercrime marketplace BreachForums. The samples contained entries for name, sex, age, location, ancestry markers such as lineage, yDNA and mtDNA haplogroups (which trace paternal and maternal ancestry), and others.

The first leak allegedly included one million “celebrities” of Jewish Ashkenazi descent, and another contained more than four million people, most of whom are allegedly from the United Kingdom. The original posts on the forum have since been deleted. However, other forum members repeatedly repost the data.

After the incident, 23andMe started requiring all users to use multi-factor authentication.