Genetic Testing Firm 23AndMe Confirms Millions of Users’ Data Put on Sale, Launches Probe

A hacker advertised the personal information of 7 million users on an online forum.
A man types on a computer keyboard on Feb. 28, 2013. Kacper Pempel/Reuters
Aldgra Fredly

Genetic testing company 23andMe said on Friday that it had launched an investigation into a possible data breach after the personal data of millions of users was put up for sale on the dark web.

A hacker advertised the personal information of seven million users on an online forum, including the users’ origin estimation, phenotype, health information, photos, and identification data.

The post was screenshot by Dark Web Informer, who shared it on X (formerly known as Twitter) on Oct. 4. The hacker claimed that 23andMe’s CEO was aware the company had been “hacked” two months ago and that “13 million pieces of data” had been obtained.
Another hacker advertised sample data of one million users of Ashkenazi heritage on an online hacking forum. The hacker later offered to sell data profiles in bulk for $1-$10 per account, BleepingComputer reported. The data included origin estimations, phenotype information, photos, links to potential relatives, and raw data profiles.

In response, 23andMe issued a statement saying that it was aware certain customer profile information was compiled from individual accounts without the account users’ authorization, but it did not specify how many accounts were affected.

23andMe is a California-based biotechnology company specializing in genetic testing services that allow customers to learn about their ancestral origins and medical health.

“After learning of suspicious activity, we immediately began an investigation,” the company said in a blog post on Oct. 6.

“We do not have any indication at this time that there has been a data security incident within our systems or that 23andMe was the source of the account credentials used in these attacks,” it added.

The company said it believes that “threat actors” may have gained access to accounts where users recycled login credentials—meaning that the passwords used on 23andMe.com were the same as those used on other websites that have been previously hacked.

“We believe that the threat actor may have then, in violation of our Terms of Service, accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service,” it added.

This technique, known as credential stuffing, is one reason cybersecurity experts recommend against reusing the same password across different sites.

Users have been encouraged to reset their passwords or use multi-factor authentication, which provides an extra layer of security and can prevent bad actors from accessing an account through recycled passwords.
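The pattern described above, one source replaying leaked username/password pairs against many accounts and succeeding on the ones that reused a password, is what a login-audit detection looks for. The following is an added illustration written for this article, not 23andMe's code: it parses a constructed login log format (the field names, addresses and thresholds are assumptions chosen for the example) and flags any client address that attempts logins against many different accounts with a high failure ratio inside a short window, listing the accounts where that source did get in so they can be reset and notified.

```python
"""Detect a credential-stuffing pattern in web-login audit events.

Added illustration written for this article; it is not 23andMe's code.
The log line format, field names and thresholds below are assumptions
chosen for the example, not anything taken from a real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): ISO timestamp, account, client
# address and outcome, one login attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "ok": m["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_distinct_users=10, min_fail_ratio=0.8):
    """Flag client addresses that, within `window`, attempt logins against
    at least `min_distinct_users` different accounts with a failure ratio
    of at least `min_fail_ratio`.  An ordinary user fails against their own
    account; a stuffing run fails against many accounts from one source.
    Returns {src: {"attempted": n, "failures": n, "compromised": [users]}}.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Sliding window over this source's attempts, ordered by time.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                # Accounts where this source succeeded are the ones to
                # force a password reset on and notify.
                compromised = sorted({e["user"] for e in evs if e["ok"]})
                findings[src] = {
                    "attempted": len({e["user"] for e in evs}),
                    "failures": sum(1 for e in evs if not e["ok"]),
                    "compromised": compromised,
                }
                break
    return findings


def build_sample_log():
    """Constructed sample: a benign user who mistypes once, and one source
    that sprays 40 leaked username/password pairs and gets 3 hits."""
    lines = [
        "2023-10-01T09:00:01Z login user=alice@example.test src=203.0.113.5 result=FAIL",
        "2023-10-01T09:00:09Z login user=alice@example.test src=203.0.113.5 result=OK",
        "not a login line at all",  # exercises the parser's rejection path
    ]
    t0 = datetime(2023, 10, 1, 9, 1, 0)
    for i in range(40):
        ts = (t0 + timedelta(seconds=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        result = "OK" if i in (7, 19, 33) else "FAIL"
        lines.append(f"{ts} login user=u{i:03d}@example.test src=198.51.100.9 result={result}")
    return lines


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(build_sample_log()).items():
        print(src, info)
```

The distinct-accounts-per-source signal is what separates a stuffing run from a forgetful user, which is why the check keys on the number of different usernames rather than on failure count alone; in a real deployment the source key would also cover proxy pools and ASN, and the successful logins from a flagged source would feed a forced password reset plus a prompt to enable multi-factor authentication.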

Other Data Breach Cases

This occurred just weeks after the personal data of 1.24 million customers of the Australian bookstore chain Dymocks was exposed on the dark web. After promptly launching an internal investigation, Dymocks confirmed a third-party partner’s systems had been accessed on Sept. 18.

However, Dymocks said that “it does not appear there has been any unauthorized access to our systems.”

“We are working with the identified partner to focus on understanding if and how their systems were accessed despite their security measures,” a Dymocks spokesperson said.

“While the extent of the breach had not yet been confirmed, initial indications were that passwords and financial information had not been compromised.”

In January, 2.6 million users of the language-learning platform Duolingo had their data put on sale for $1,500 on a hacking forum. The data included the users’ email addresses, phone numbers, and other information.

Duolingo stated that it was investigating the matter but reported no data breach or hack had occurred. The company believes that the hacker may have acquired the records by data scraping public profile information.

“No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there’s any further action needed to protect our learners,” the company told The Record.
Isabella Rayner and Reuters contributed to this report.