Genetics firm 23andMe says user data stolen in credential stuffing attack

Genetics firm 23andMe says user data stolen in credential stuffing attack

Genetics firm 23andMe has recently announced that a security breach has occurred, resulting in the unauthorized access of user data. This incident occurred due to a credential stuffing attack. We understand the concern and importance of personal information, and we are taking immediate measures to address the situation and ensure the security of our users' data.

At 23andMe, we prioritize the privacy and integrity of our users' sensitive information. Therefore, we deeply regret any inconvenience caused by this incident. We are committed to providing transparency in all matters concerning data security and will continue to keep our users informed about the progress made in resolving this issue.

Rest assured, we have promptly engaged with the relevant authorities and experts in cybersecurity to investigate the matter and implement additional measures to prevent similar incidents from occurring in the future. We believe in the power of genetics to empower individuals with valuable insights into their ancestry and health, and we will remain steadfast in our commitment to protecting our users' data.

We encourage all users to remain vigilant and mindful of any suspicious activity related to their 23andMe accounts. In case you suspect any unusual behavior, such as unauthorized access or data manipulation, please reach out to our dedicated support team immediately. We will work closely with you to address any concerns or questions you may have.

The 23andMe community is at the heart of our mission to revolutionize healthcare and genetics research. We understand the importance of trust and security in building a strong foundation for this vision. Therefore, we assure you that we are unwavering in our commitment to maintaining the highest standards of data protection and privacy.

We want to thank our users for their continued support and patience during this challenging time. Your trust and confidence in 23andMe mean the world to us. Rest assured, we will do everything in our power to resolve this situation swiftly and effectively, and to prevent any future breaches or compromises of user data.

We remain devoted to our mission of empowering individuals through genetic knowledge while ensuring utmost data security. Together, we will emerge stronger and more resilient from this incident, solidifying our commitment to your privacy and the integrity of your personal data.

23andMe has acknowledged that it is aware of the circulation of user data from its platform on hacker forums. This leak has been attributed to a credential-stuffing attack. 

As a prominent biotechnology and genomics firm based in the United States, 23andMe provides genetic testing services to its customers. By sending a saliva sample to their labs, customers receive an ancestry and genetic predispositions report.

Recently, a threat actor leaked samples of data, allegedly stolen from a genetics firm, and subsequently offered to sell data packs that belonged to 23andMe customers. Initially, the data leak was limited, with the threat actor releasing 1 million lines of data pertaining to Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk, pricing them between $1 and $10 per 23andMe account, depending on the quantity purchased.

A spokesperson from 23andMe has confirmed the legitimacy of the data and informed BleepingComputer that the threat actors employed exposed credentials from other breaches to gain access to 23andMe accounts and steal this sensitive data.

According to the spokesperson, "We became aware that specific 23andMe customer profile information was compiled through accessing individual 23andMe.com accounts. At this time, we do not have any indication of a data security incident within our systems."

The preliminary findings of their investigation suggest that the threat actor gatherd login credentials from data leaked during incidents involving other online platforms, where users tend to reuse login credentials.

The exposed information resulting from this incident includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographic location.

Additionally, BleepingComputer has discovered that the number of accounts sold by the cybercriminal does not accurately reflect the number of 23andMe accounts breached using exposed credentials.

The compromised accounts were largely associated with 23andMe's 'DNA Relatives' feature, which enables users to discover genetic relatives and connect with them.

The threat actor gained access to a limited number of 23andMe accounts and scraped the data of their DNA Relative matches, highlighting the unexpected privacy consequences of opting into such a feature.

To enhance account protection, 23andMe offers two-factor authentication as an additional security measure and strongly encourages all users to activate it.

Furthermore, users are advised to avoid reusing passwords and urged to consistently utilize strong and unique credentials for each of their online accounts.