23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

At least a million data points from 23andMe accounts appear to have been exposed on BreachForums. While the scale of the campaign is unknown, 23andMe says it's working to verify the data.

The genetic testing company 23andMe confirmed on Friday that data from a subset of its users has been compromised. The company said its systems were not breached and that attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives. Users opt into sharing their information through DNA Relatives for others to see.

Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained 1 million data points exclusively about Ashkenazi Jews. There also seem to be hundreds of thousands of users of Chinese descent impacted by the leak. On Wednesday, the actor began selling what it claims are 23andMe profiles for between $1 and $10 per account, depending on the scale of the purchase. The data includes things like a display name, sex, birth year, and some details about genetic ancestry results, like that someone is, say, of “broadly European” or “broadly Arabian” descent. It may also include some more specific geographic ancestry information. The information does not appear to include actual, raw genetic data.

The company emphasized in a statement that it does not see evidence that its systems have been breached. It also encouraged users to use strong, unique passwords and enable two-factor authentication to keep attackers from compromising their individual accounts using login credentials exposed in other data breaches.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” the company said in a statement. “We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.”

The company has not been clear on whether it has validated the data the threat actor leaked, noting that its investigation is ongoing and that it currently has “preliminary results.” A spokesperson for the company told WIRED that the leaked information is consistent with a situation in which some user accounts were exposed and then leveraged to scrape data visible in DNA Relatives. But when pressed on the details of whether the data has been validated, the spokesperson said that verifying the data is pending and that the company cannot currently confirm whether the leaked information is real.

This point is significant both for everyone whose information may have been compromised and because the data posted by the actor claims to include “celebrities.” Entries for technologists Mark Zuckerberg, Elon Musk, and Sergey Brin are all visible in the sample data, including “Profile ID,” “Account ID,” name, sex, birth year, current location, and fields known as “ydna” and “ndna.” It is unclear if the data for these entries is legitimate or was inserted. For example, Musk and Brin appear to have the same profile and account IDs in the leak.

The technique of using credentials exposed in other data breaches to infiltrate accounts where those logins have been reused is known as “credential stuffing” and is a widely used account compromise technique.
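As an added illustration (not code from the article or from 23andMe), the following Python flags the two behaviours the article describes, a credential-stuffing run followed by bulk scraping of a relatives-sharing feature, over a constructed log in a hypothetical format; the thresholds and field names are assumptions:

```python
from collections import defaultdict

# Constructed sample events (hypothetical log format, not any real service's):
# "<time> <src_ip> <account> <event> <result>"
SAMPLE_LOG = [
    "10:00:01 203.0.113.5 alice login fail",
    "10:00:02 203.0.113.5 bob login fail",
    "10:00:02 203.0.113.5 carol login ok",
    "10:00:03 203.0.113.5 dave login fail",
    "10:00:03 203.0.113.5 erin login fail",
    "10:00:04 203.0.113.5 frank login fail",
    "10:00:10 198.51.100.9 gina login ok",
    "10:00:11 198.51.100.9 gina relatives_view ok",
    "10:00:12 198.51.100.9 gina relatives_view ok",
]
# Constructed post-login scrape: the one stuffed account pulls 300 relative profiles in a minute.
SAMPLE_LOG += [f"10:01:{i % 60:02d} 203.0.113.5 carol relatives_view ok" for i in range(300)]


def parse(lines):
    """Split each log line into a dict; skip malformed lines instead of crashing."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, account, event, result = parts
        events.append({"ts": ts, "ip": ip, "account": account, "event": event, "ok": result == "ok"})
    return events


def stuffing_sources(events, min_accounts=5, max_success_rate=0.5):
    """Source IPs that tried many distinct accounts with mostly failed logins:
    the fingerprint of a credential-stuffing run (one leaked password per account)."""
    tried, successes = defaultdict(set), defaultdict(int)
    for e in events:
        if e["event"] == "login":
            tried[e["ip"]].add(e["account"])
            successes[e["ip"]] += int(e["ok"])
    return {ip for ip, accts in tried.items()
            if len(accts) >= min_accounts and successes[ip] / len(accts) <= max_success_rate}


def scraping_accounts(events, max_views=100):
    """Accounts that viewed more relative profiles than a person plausibly would by hand."""
    views = defaultdict(int)
    for e in events:
        if e["event"] == "relatives_view" and e["ok"]:
            views[e["account"]] += 1
    return {acct: n for acct, n in views.items() if n > max_views}
```

Both signals are worth alerting on separately: the stuffing run is visible at the login edge, while the scrape only shows up in per-account feature usage after a successful login.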

“Credential stuffing never really went away and a lot of it just comes down to the fact that humans reuse their passwords—that's what makes it possible,” says Ronnie Tokazowski, a longtime digital scams researcher. “And the fact that it's claiming to target a Jewish population or celebrities—it’s not shocking. It reflects the underbelly of the internet.”

The full picture of why the data was stolen, how much more the attackers have, and whether it is actually focused entirely on Ashkenazim is still unclear.

“When data is shared relating to ethnic, national, political or other groups, sometimes it's because those groups have been specifically targeted, but sometimes it's because the person sharing the data thinks it'll make reputation-boosting headlines,” says Brett Callow, a threat analyst at security firm Emsisoft.

Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping.

“This incident really highlights the risks associated with DNA databases,” Callow says. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

Update 7:00 pm ET, October 6 to note that data from hundreds of thousands of 23andMe users of Chinese descent seems to have also been exposed in the incident.