Genetic testing company 23andMe is investigating a data breach that exposed customer information, including profile photos, birth years, and ancestry details of millions of its users.
The compromised data was obtained through unauthorized access to individual 23andMe accounts, the company said in a statement reported by Ars Technica. Preliminary results suggest the login credentials used to access the accounts “may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” 23andMe said.
The technique, known as credential stuffing, involves using usernames and passwords exposed in previous breaches to break into other online accounts.
Following a claim that someone had gained access to and is selling certain 23andMe customer data, we conducted an investigation. We have not identified any unauthorized access to our systems. We will continue to monitor the situation.
— 23andMeSupport (@23andMeSupport) October 4, 2023
23andMe said in a blog post that it has no evidence of an actual breach of its systems. “We do not have any indication at this time that there has been a data security incident within our systems,” the company wrote.
According to Wired, the breach specifically targeted users of Ashkenazi Jewish heritage. Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming it contained 1 million data points exclusively about Ashkenazi Jews.
The data was obtained by scraping profile information of relatives connected through 23andMe’s “DNA Relatives” feature, which allows customers to connect with genetic matches on the platform. By accessing compromised accounts, the hacker could amass profiles of related users who had opted into sharing their information.
“We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts,” explained 23andMe in its blog post.
On hacking forums last week, an unknown user advertised the sale of 23andMe user data, claiming to have obtained information on over 7 million customers. The leaked data included “full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location,” according to BleepingComputer.
Another forum user reportedly offered access to 23andMe profiles in bulk, with prices ranging from $1 to $10 per account.
23andMe did not disclose details on the number of users impacted or the extent of the data leak. But according to Ars Technica, one database contained 1 million customers of Ashkenazi Jewish heritage, while a second held 300,000 user profiles of Chinese ancestry.
Security experts have repeatedly cited the risks of compromised genetic data. “Your DNA is the most valuable thing you own,” warned the U.S. National Counterintelligence and Security Center in February 2021. “It holds the most intimate details of your past, present and potential future — whether you are prone to addiction or high-risk for cancer.”
“Losing your DNA is not like losing a credit card,” the center continued. “You can order a new credit card, but you cannot replace your DNA. The loss of your DNA not only affects you, but your relatives and, potentially, generations to come.”
23andMe said it reported the breach to law enforcement and encouraged customers to reset passwords and enable two-factor authentication.
“We actively and routinely monitor and audit our systems to ensure that your data is protected,” 23andMe said. “When we receive information through those processes or from other sources claiming customer data has been accessed by unauthorized individuals, we immediately investigate to validate whether this information is accurate.”
The genetic testing company, which offers insights into ancestry and health risks based on DNA analysis, has amassed genetic data on more than 14 million customers since its founding in 2006.
23andMe said the leaked data did not contain any genomic details. But privacy advocates have long raised concerns about the sensitivity of DNA analysis results and ethnic data being compromised in a breach.
The 23andMe breach comes amid a wave of major cyber attacks exposing sensitive user information. Last year, 10.9 million accounts were leaked in total, with 10 accounts being leaked every second, according to digital privacy firm Surfshark.
Editor’s note: This story was drafted with Decrypt AI from sources referenced in the text, and fact-checked by Ozawa.