Genetic testing company 23andMe said on Friday that it had launched an investigation into a possible data breach after the personal data of millions of users was put up for sale on the dark web.
A hacker advertised the personal information of seven million users on an online forum, including the users' origin estimation, phenotype, health information, photos, and identification data.
In response, 23andMe issued a statement saying that it was aware certain customer profile information was compiled from individual accounts without the account users’ authorization, but it did not specify how many accounts were affected.
23andMe is a California-based biotechnology company specializing in genetic testing services that allow customers to learn about their ancestral origins and medical health.
“We do not have any indication at this time that there has been a data security incident within our systems or that 23andMe was the source of the account credentials used in these attacks,” it added.
The company said it believes that “threat actors” may have gained access to accounts where users recycled login credentials—meaning that the passwords used on 23andMe.com were the same as those used on other websites that have been previously hacked.
“We believe that the threat actor may have then, in violation of our Terms of Service, accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service,” it added.
The technique, known as credential stuffing, replays username and password pairs leaked in earlier breaches against another site's login page; it succeeds exactly where a user reused the same password, which is why cybersecurity experts recommend against using the same password for different sites.
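Credential stuffing leaves a recognisable trace in authentication logs: one source touches many distinct accounts, usually once each, and most attempts fail because the recycled password only matches where the user reused it. The detector below is an added example for this article, not 23andMe's code; the log format (one line per attempt: timestamp, `ip=`, `user=`, `result=ok|fail`) and the thresholds are assumptions, and the sample lines are constructed.

```python
"""Detect credential stuffing in login logs.

Added example for this article; it is not 23andMe's code.  The log format
(one line per attempt: '<timestamp> ip=... user=... result=ok|fail') and the
thresholds are assumptions.  SAMPLE_LOG is constructed for illustration:
203.0.113.7 walks through ten accounts and gets into two of them, while the
other two addresses are ordinary users.
"""
from collections import defaultdict

SAMPLE_LOG = """\
2023-10-01T02:00:01Z ip=203.0.113.7 user=user01@example.com result=fail
2023-10-01T02:00:02Z ip=203.0.113.7 user=user02@example.com result=fail
2023-10-01T02:00:02Z ip=203.0.113.7 user=user03@example.com result=ok
2023-10-01T02:00:03Z ip=203.0.113.7 user=user04@example.com result=fail
2023-10-01T02:00:03Z ip=203.0.113.7 user=user05@example.com result=fail
2023-10-01T02:00:04Z ip=203.0.113.7 user=user06@example.com result=fail
2023-10-01T02:00:04Z ip=203.0.113.7 user=user07@example.com result=ok
2023-10-01T02:00:05Z ip=203.0.113.7 user=user08@example.com result=fail
2023-10-01T02:00:05Z ip=203.0.113.7 user=user09@example.com result=fail
2023-10-01T02:00:06Z ip=203.0.113.7 user=user10@example.com result=fail
2023-10-01T02:01:10Z ip=198.51.100.4 user=alice@example.com result=fail
2023-10-01T02:01:25Z ip=198.51.100.4 user=alice@example.com result=ok
2023-10-01T02:02:00Z ip=192.0.2.9 user=carol@example.com result=ok
"""


def parse_line(line):
    """Split '<ts> key=value key=value ...' into a dict (raises on bad input)."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = ts
    return rec


def analyze(log_text, min_distinct_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for source IPs whose traffic looks like stuffing.

    Brute force hammers one account with many passwords; credential stuffing
    tries many accounts once or twice each and mostly fails.  The signal is
    therefore 'many distinct usernames from one IP with a high failure ratio',
    and the successes inside such a burst are the accounts to force-reset.
    """
    attempts = defaultdict(list)  # ip -> [(user, result), ...]
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            attempts[rec["ip"]].append((rec["user"], rec["result"]))

    flagged = {}
    for ip, rows in attempts.items():
        users = {user for user, _ in rows}
        failures = sum(1 for _, result in rows if result != "ok")
        ratio = failures / len(rows)
        if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": len(rows),
                "distinct_users": len(users),
                "fail_ratio": round(ratio, 2),
                # accounts whose reused password worked: reset and notify
                "compromised": sorted(u for u, r in rows if r == "ok"),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

Two caveats a practitioner would add: attackers spread stuffing across proxy pools so that each address stays under per-IP thresholds, so the same ratio should also be tracked globally (site-wide failure rate and new-device logins per hour); and a successful login from a flagged burst is the only evidence of which accounts were actually read, which is what an investigation like the one described above has to reconstruct.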
Other Data Breach Cases
This occurred just weeks after the personal data of 1.24 million customers of the Australian bookstore chain Dymocks was exposed on the dark web. After promptly launching an internal investigation, Dymocks confirmed a third-party partner's systems had been accessed on Sept. 18. However, Dymocks said that "it does not appear there has been any unauthorized access to our systems."
“We are working with the identified partner to focus on understanding if and how their systems were accessed despite their security measures,” a Dymocks spokesperson said.
“While the extent of the breach had not yet been confirmed, initial indications were that passwords and financial information had not been compromised.”
In January, 2.6 million users of the language-learning platform Duolingo had their data put on sale for $1,500 on a hacking forum. The data included the users’ email addresses, phone numbers, and other information.
Duolingo stated that it was investigating the matter but reported no data breach or hack had occurred. The company believes that the hacker may have acquired the records by data scraping public profile information.