Genetic testing company 23andMe is under scrutiny following allegations of a security breach involving user data. On August 11, a hacker advertised a set of 23andMe user data on Hydra, a known cybercrime forum. The same data was later observed on another hacking platform, BreachForums.
The hacker claimed to possess 300 terabytes of 23andMe user data, demanding $50 million for the trove. The data purportedly included profiles of one million 23andMe users of Jewish Ashkenazi descent and 100,000 Chinese users.
23andMe has neither confirmed nor denied the legitimacy of the alleged breach but has prompted all users to reset their passwords as a precautionary measure. The company cites “credential stuffing” as the likely method of unauthorized access. In this technique, attackers take usernames and passwords leaked in earlier breaches of other services and try them against accounts on a different platform, capitalizing on the tendency of users to reuse passwords across platforms.
The data in question allegedly comes from users who opted into 23andMe’s DNA Relatives feature, which shares data among the users who activate it. If true, breaching the account of a single participant in this feature could give hackers access to extensive data, including what other participants share with that account.
In response to the incident, the company encouraged users to enable multi-factor authentication. Some users reported being forced to change their passwords upon trying to access their accounts, although it remains unclear if all users have received such prompts.
The potential breach raises concerns about the safety of storing genetic information online. Past incidents include a 2018 breach at MyHeritage in which the details of over 92 million users were stolen. The same year, genetic data from another platform, GEDMatch, was used to trace a crime suspect, although the individual hadn’t provided the service with their DNA sample.
As investigations continue, experts emphasize the importance of swift reactions from companies during potential data breaches. Rachel Tobac, CEO of SocialProof Security, highlighted the need for organizations to promptly support their users in such situations.
23andMe has yet to provide extensive details regarding the alleged stolen data or its origins. The company continues to advise users on taking necessary security precautions.