Biotech firm , recognized for its DNA testing kits, confirmed to that its person knowledge is circulating on hacker boards. The corporate mentioned the leak occurred by way of a credential-stuffing assault.
A credential-stuffing assault entails person info that has already been compromised (usernames and passwords, for instance) from one group, which a hacker obtains and makes an attempt to reuse with a second group — on this case, 23andMe. Due to the character of credential-stuffing, it doesn’t seem this was a breach of the corporate’s inner methods. Quite, accounts had been damaged into piecemeal. The perpetrators of this assault seem to have obtained fairly delicate info from the compromised accounts (genetic testing outcomes, images, full names and geographical location, amongst different issues).
The preliminary leak comprised “1 million traces of knowledge for Ashkenazi folks,” to BleepingComputer. By October 4, knowledge was being provided on the market in bulk, in increments of 100, 1,000, 10,000 or 100,000 profiles. The dimensions of the assault is as but unknown, however the scope of its affect has doubtless been exacerbated by 23andMe’s ‘DNA Kin’ characteristic. “Kin are recognized by evaluating your DNA with the DNA of different 23andMe members who’re taking part within the DNA Kin characteristic,” the corporate . After accessing an unknown variety of profiles by way of credential-stuffing, the risk actor behind this breach apparently scraped the ‘DNA Kin’ outcomes for these profiles, netting rather more delicate knowledge. In line with the identical FAQ web page, “The variety of family listed [..] grows over time as extra folks be part of 23andMe.” For the fiscal yr 2023, the corporate it “genotyped” round 14 million prospects.
Ever since 23andMe went public in 2021, the corporate has for its knowledge safety practices — rightly so, because it offers with delicate medical knowledge derived from saliva sampling, together with predispositions for ailments like Alzheimer’s, Kind 2 diabetes and even . On its web site the it “exceeds” knowledge safety requirements for its business.