23andMe Investigates Data Leak Claims


Malicious actors claim to have acquired a large amount of private user data from 23andMe, one of the most popular genetic testing services. Data samples are allegedly spreading online as the company investigates the situation.

According to Cybernews, a threat actor published a now-deleted post on the cybercrime marketplace BreachForums claiming to have data from 7 million 23andMe users, with each packet of data reportedly containing between 20 and 30 MB of information.

The message reads: “The CSV file in the link contains the profile list of half of the members of 23andMe. These members have technical details such as their origin estimation, phenotype and health information, photos and identification data, raw data, and their last login date to the site. We have more than 13M pieces of data.”

Data samples observed by the Cybernews research team contained entries for name, sex, age, location, and ancestry markers such as lineage and yDNA and mtDNA haplogroups (traces of paternal and maternal ancestry), among others. The authenticity of the data has not yet been confirmed.

Mantas Sasnauskas, the Head of Security Research at Cybernews, stated: “It’s impossible to verify the authenticity of the sample data. If true, this would be significant as it would mean a breach of confidentiality. And if data actually contains DNA data, that would also be significant.”

Meanwhile, 23andMe claims that there are no signs of a direct breach, with a spokesperson telling Cybernews: “We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts. We do not have any indication at this time that there has been a data security incident within our systems.”

The company believes that the threat actor may have obtained login credentials leaked during incidents involving other online platforms and, because users had recycled those credentials, used them to access accounts without authorization and obtain information.

The hacker was reportedly disappointed with the lack of interest in the leak and warned that they would start sharing private data if the company’s management didn’t announce the breach within 24 hours.

Customers of the service are advised to change passwords for their accounts and other accounts sharing similar login credentials, ensure the new passwords are strong and unique, and enable two-factor authentication.