Millions more 23andMe users exposed online


More than four million people have had their ancestry data leaked in a fresh cyber blow to 23andMe, one of the most popular direct-to-consumer genetic testing services.

Updated with 23andMe comment.

The same threat actor who earlier leaked samples of private user data from 23andMe has now exposed millions of people, with the possibility of more to come.


One shared data file includes more than four million individuals, most of whom are allegedly from the United Kingdom. Another file has more than 100 thousand individuals from Germany.

The hacker, who goes by the name Golem, claims to include “the wealthiest people living in the US and Western Europe on this list.”

As in the previous leak, the data contains entries for name, sex, age, location, and ancestry markers such as lineage and yDNA and mtDNA haplogroups (traces of paternal and maternal ancestry), among other fields. Cybernews could not verify the authenticity of the data.

As reported by Cybernews, this threat actor claimed to have obtained data from 7 million 23andMe users.

“For now, I am sharing only 1/3 of the profiles with German origins from the DB,” the hacker writes.

23andMe has no indication of any incident within its systems

Previously, 23andMe attributed the leak to a credential stuffing attack, in which attackers reuse username and password pairs exposed in other breaches. Cybernews reached out to 23andMe for an update, but the explanation remains essentially the same.

“We recently learned that certain profile information – which a customer creates and chooses to share with their genetic relatives in the DNA Relatives feature – was accessed from individual 23andMe.com accounts without their authorization. We immediately started an investigation and do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the comment shared by the 23andMe spokesperson reads.


The company’s investigation indicates that the threat actor was able to access certain customer accounts in instances where users recycled login credentials. This means that the usernames and passwords on 23andMe.com were the same as those used on other websites that have been previously hacked.
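The two patterns the article describes, reused credentials being tried against many accounts and a handful of compromised accounts then pulling far more DNA Relatives data than a person would browse, are both visible in ordinary authentication and API logs. The following is an added example, not code from Cybernews or 23andMe; the log format, IP addresses, usernames and `/relatives` endpoint are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (no real data): "ip user path status" per line.
SAMPLE_LOG = "\n".join(
    [f"198.51.100.7 {u} /login 401" for u in ("alice", "bob", "dave", "erin", "frank")]
    + ["198.51.100.7 carol /login 200",            # one reused password works
       "203.0.113.9 alice /login 401",             # ordinary user mistypes once...
       "203.0.113.9 alice /login 200",             # ...then logs in normally
       "203.0.113.9 alice /relatives?page=1 200"]
    + [f"198.51.100.7 carol /relatives?page={p} 200" for p in range(1, 41)]
)

def parse_log(text):
    """Parse the constructed lines into (ip, user, path, status) tuples."""
    events = []
    for line in text.splitlines():
        ip, user, path, status = line.split()
        events.append((ip, user, path, int(status)))
    return events

def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Clients that tried many distinct usernames and mostly failed: the
    credential-stuffing signature the company attributes the breach to.
    Thresholds are assumptions; tune them to the site's real traffic."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, path, status in events:
        if not path.startswith("/login"):
            continue
        users[ip].add(user)
        total[ip] += 1
        if status != 200:
            fails[ip] += 1
    return {ip: {"users": len(users[ip]), "failures": fails[ip], "attempts": total[ip]}
            for ip in total
            if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio}

def find_relatives_scrapers(events, max_pages=20):
    """Accounts fetching more DNA Relatives pages than a person would browse:
    the per-account volume that a rate limit or alert should catch."""
    pages = defaultdict(int)
    for _ip, user, path, status in events:
        if path.startswith("/relatives") and status == 200:
            pages[user] += 1
    return {u: n for u, n in pages.items() if n > max_pages}

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("stuffing sources:", find_stuffing_sources(evts))
    print("relatives scrapers:", find_relatives_scrapers(evts))
```

The point is that the stuffing client is flagged even though most of its guesses failed, and the one account it did take over is flagged a second time by its download volume alone.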

“We have since notified customers and taken additional security measures, including requiring all accounts to go through a password reset and advising customers to enable multi-factor authentication. We are working with outside forensic experts as part of our ongoing investigation, as well as with federal law enforcement,” the spokesperson said.

23andMe is also aware that the threat actor involved in this investigation posted what they claim to be additional customer DNA Relative profile information.

“We are currently reviewing the data to determine if it is legitimate. Our investigation is ongoing, and if we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information,” the comment reads.

Service users should change their passwords, ensuring that they are strong and not reused on other sites, and enable multi-factor authentication.

Many questions remain unanswered, one of them being whether the hackers managed to get their hands on more sensitive genetic data.

“Each person has an average of 700,000 SNPs, and I can flawlessly expand this to up to 30 million using the imputation method,” the hacker wrote in one post on a cybercrime forum. However, they provide no proof that they obtained such data.

Based in San Francisco, the personal genomics and biotechnology company 23andMe provides a direct-to-consumer DNA testing service in which customers send a saliva sample. The company claims to have sold more than 12 million DNA test kits.

The 23andMe share price has taken a battering. After falling by almost 10% in a single day, it’s now down 62% since the start of the year.

Hacker criticizes lax 23andMe security


“If the source of the leak is solely a ‘credential stuffing attack,’ why haven't you taken measures against it even in 2023? There's only one login service on web and mobile platforms; why didn't you use Captcha, turnstile, etc., there? Despite knowing that the user:pass data of 92 million users of MyHeritage, where many of your joint common members, including your CEO, are known to be, has been circulating for years, you took no action,” Golem wrote.

The hacker also claimed that there was no need for email verification to download raw data.

“To extract data in this way from 14 million people, at least 100,000 credentials are needed because most members have common relatives. How did you not notice that 100,000 of your customers' accounts had been accessed? How did you not detect this while millions of data belonging to other users were being scraped? Why didn't you define a rate limit rule based on endpoint or parameter?”

They also stressed that even the data they were sharing was extremely valuable.

“Some independent organizations spend millions of dollars on research to obtain this data. Not even one-thousandth of this data is found in any Y-DNA studies.”