23andMe User Data Compromised in Deliberate Assault against Ashkenazi Jews
At least one million data points from 23andMe accounts have potentially been exposed on BreachForums. The exact scale of this campaign remains unknown, but 23andMe is actively working to verify the compromised data. The genetic testing company has confirmed that a subset of its users' data has been compromised. The company says its systems were not breached; instead, attackers obtained the data by guessing the login credentials of a specific group of users. Additionally, the attackers scraped information from the DNA Relatives feature, in which users choose to share their information with others. Hackers posted an initial data sample on BreachForums, emphasizing that it contained exclusive data related to Ashkenazi Jews. However, the leak appears to impact hundreds of thousands of users of Chinese descent as well.
The actor behind this breach subsequently began selling what they claim to be 23andMe profiles on Wednesday, with prices ranging from $1 to $10 per account, depending on the purchase scale. The compromised data includes various details such as display names, sex, birth years, and certain genetic ancestry results, such as broad European or broad Arabian descent. Some more specific geographic ancestry information may also be included. However, there is no apparent inclusion of actual raw genetic data.
While 23andMe asserts that its systems have not been breached, it is encouraging users to adopt strong, unique passwords and enable two-factor authentication to prevent attackers from compromising individual accounts by exploiting login credentials exposed in other data breaches. In a statement, the company acknowledges that certain customer profile information was gathered through access to individual 23andMe.com accounts without proper authorization, presumably violating its terms of service. However, the company has yet to validate the leaked data, as its investigation is ongoing and has so far produced preliminary results. A spokesperson from 23andMe suggests that the leaked information is consistent with a scenario in which some user accounts were exposed, subsequently allowing the scraping of data visible in DNA Relatives. Nevertheless, the company cannot confirm the authenticity of the leaked information at present.
Of notable significance is that the data allegedly involves "celebrities," with entries for prominent figures such as Mark Zuckerberg, Elon Musk, and Sergey Brin visible in the sample data. This includes key information such as "Profile ID," "Account ID," names, sexes, birth years, current locations, and identifiers known as "ydna" and "ndna." It remains uncertain whether this data is genuine or has been inserted. Notably, Musk and Brin appear to have identical profile and account IDs within the leaked data.
The technique employed by the threat actors, known as "credential stuffing," involves utilizing login credentials exposed in previous data breaches to infiltrate accounts where users have reused their passwords. According to Ronnie Tokazowski, a prominent researcher specializing in digital scams, credential stuffing is a pervasive method due to the tendency of individuals to reuse passwords, ultimately enabling such attacks. The apparent targeting of a Jewish population and celebrities should not come as a surprise, as it reflects the dark side of the internet.
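As an added illustration (not part of the original report and not 23andMe's own tooling), the Python below shows how a defender could spot the credential-stuffing pattern described above in login logs and list the accounts whose reused passwords worked. The log format, thresholds and function names are assumptions, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed format; not real 23andMe data.
SAMPLE_LOG = """\
2023-10-04T12:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2023-10-04T12:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2023-10-04T12:00:03Z ip=203.0.113.7 user=carol@example.com result=fail
2023-10-04T12:00:04Z ip=203.0.113.7 user=dave@example.com result=ok
2023-10-04T12:00:05Z ip=203.0.113.7 user=erin@example.com result=fail
2023-10-04T12:00:06Z ip=203.0.113.7 user=frank@example.com result=fail
2023-10-04T12:01:10Z ip=198.51.100.20 user=grace@example.com result=fail
2023-10-04T12:01:15Z ip=198.51.100.20 user=grace@example.com result=fail
2023-10-04T12:01:30Z ip=198.51.100.20 user=grace@example.com result=ok
2023-10-04T12:02:00Z ip=192.0.2.55 user=heidi@example.com result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Yield (ip, user, succeeded) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4) == "ok"

def find_stuffing(log_text, min_users=5, min_fail_ratio=0.7):
    """Return {ip: sorted accounts that logged in OK} for suspicious sources.

    A source is suspicious when it tried many distinct usernames and most
    attempts failed: the signature of replaying a breached credential list,
    as opposed to one user mistyping their own password (grace above).
    The accounts that did succeed are the ones with a reused password.
    """
    attempts = defaultdict(list)
    for ip, user, ok in parse(log_text):
        attempts[ip].append((user, ok))
    flagged = {}
    for ip, events in attempts.items():
        users = {u for u, _ in events}
        fails = sum(1 for _, ok in events if not ok)
        if len(users) >= min_users and fails / len(events) >= min_fail_ratio:
            flagged[ip] = sorted({u for u, ok in events if ok})
    return flagged

if __name__ == "__main__":
    for ip, hit in find_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: force password reset and revoke sessions for {hit}")
```

Grouping by source IP is the simplest case. Attackers who spread attempts across many proxies need the same ratio computed over other keys, such as network block or client fingerprint.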
It remains unclear why the data was stolen, how much the attackers took, and whether the theft specifically targets Ashkenazi Jews. Brett Callow, a threat analyst at security firm Emsisoft, explains that data related to ethnic, national, political, or other groups is sometimes shared due to targeted efforts, while other times it is shared in pursuit of attention-grabbing headlines. This incident also raises broader concerns about keeping sensitive genetic information secure, particularly when it is made available through services designed like social networks, which facilitate information sharing. Such platforms bring forth a host of data privacy and security issues similar to those encountered by traditional social networks, such as challenges associated with centralized data and scraping. Callow emphasizes that this incident underscores the risks associated with DNA databases, with particular concern arising from the fact that users reportedly opted into the 'DNA Relatives' feature, potentially exposing highly sensitive information to the public. Furthermore, data from hundreds of thousands of 23andMe users of Chinese descent is believed to have been exposed in this incident.