Popular DNA testing service 23andMe investigates data leak claims


Adversaries claim to have acquired a large chest of private user data from 23andMe, one of the most popular direct-to-consumer genetic testing services. Scraped data samples are allegedly doing the rounds online as the company investigates the situation. It has yet to identify any breach, however.

Updated with 23andMe comment.

A threat actor on the cybercrime marketplace BreachForums claims to have obtained data from 7 million 23andMe users. The post on BreachForums, uploaded a couple of days ago, is now deleted.

ADVERTISEMENT

“The CSV file in the link contains the profile list of half of the members of 23andMe. These members have technical details such as their origin estimation, phenotype and health information, photos and identification data, raw data, and their last login date to the site. We have more than 13M pieces of data,” the message reads, as shared by DarkWebInformer on X.

The Cybernews research team observed a sample of data shared online, compiled from individuals in one minority group, allegedly from users of 23andMe, more than 200MB in size. The data contained entries for name, sex, age, location, ancestry markers, such as lineage, yDNA and mtDNA haplogroups (traces paternal and maternal ancestry), and others. However, Cybernews could not verify the authenticity of the data.

“It’s impossible to verify the authenticity of the sample data. If true, this would be significant as it would mean a breach of confidentiality. And if data actually contains DNA data, that would be something you are and would also be significant,” Mantas Sasnauskas, the Head of Security Research at Cybernews, noted.

23andMe’s investigation, which is still ongoing, there are no signs of a direct breach.

„We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts. We do not have any indication at this time that there has been a data security incident within our systems,“ 23andMe spokesperson explained in a comment to Cybernews.

„Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.“

The company believes that the threat actor may have then, in violation of the terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.

ADVERTISEMENT

„We are taking this issue seriously and will continue our investigation to confirm these preliminary results,“ the spokesperson said.

The attacker only allowed ten downloads via the link provided, adding that those “who download the file can share the link by uploading it again.”

Allegedly, each packet of data contained 20-30MB of information. The hacker was disappointed with the lack of interest in the leak and warned that they would start sharing private data if the company’s management didn’t announce the breach within 24 hours.

Some X users also speculated that private data could have been scraped using the service’s web interface, which has options for searching for relatives.

Customers should change passwords for the affected accounts and other accounts sharing similar login credentials, ensure the new passwords are strong and unique, enable two-factor authentication (2FA), and follow other safety precautions.

Based in San Francisco, the personal genomics and biotechnology company 23andMe provides a direct-to-consumer DNA testing service in which customers send a saliva sample. The company claims to have sold more than 12 million DNA test kits.

The laboratory analyses the sample using single nucleotide polymorphism genotyping and generates reports on genetic predispositions, health-related, and ancestry topics.

“Following a claim that someone had gained access to and is selling certain 23andMe customer data, we conducted an investigation. We have not identified any unauthorized access to our systems. We will continue to monitor the situation,” the 23andMe support team also shared on X.

The 23andMe share price is down 15% since October 1st, with the company currently valued at $414 million.

ADVERTISEMENT