An American biotechnology and genomics company, 23andMe, has made a startling revelation regarding a recent data breach. Hackers are now selling the genetic data obtained from saliva samples sent in by the company’s clients. This breach raises significant concerns about the privacy and security of personal genetic information.
According to a report by Bleeping Computer, the company attributes the breach to credential-stuffing attacks. Credential stuffing is a cyberattack method where hackers use stolen login information to gain unauthorized access to user accounts. In this case, the stolen data included not only usernames and passwords but also sensitive genetic information.
The threat actors responsible for the breach began selling data packs that belong to 23andMe customers after allegedly stealing data samples from the genetics company. The extent of the breach is still uncertain, but hackers claim to possess vast amounts of information, which they are offering for sale at prices ranging from $1 to $10 per 23andMe account.
The compromised data includes full names, usernames, profile images, gender, birth dates, genetic ancestry findings, and geographical locations. This sensitive information could potentially be used for identity theft, fraud, or other malicious purposes.
23andMe has confirmed that the data being sold by hackers indeed originates from their database. However, the company emphasized that there are no signs of an attack on their internal systems or the integrity of the genetic data itself. This suggests that the breach primarily involved the compromise of user accounts and login credentials.
One alarming aspect of this breach is the method employed by the hackers. They reportedly used the “DNA Relatives” feature provided by 23andMe. This feature allows users to connect with genetic relatives based on shared DNA. The hackers used this feature to scrape information from DNA Relatives matches and launch their credential-stuffing attack.
This incident underscores the dangers of using the same passwords across multiple online platforms. When login credentials are reused, a breach on one platform can lead to the compromise of multiple accounts on various websites. It highlights the importance of strong, unique passwords and the use of multi-factor authentication to enhance security.
For 23andMe customers, this breach raises concerns not only about the security of their personal information but also the potential misuse of their genetic data. Genetic information is highly sensitive and can reveal not only one’s ancestry but also potential health risks. The unauthorized access and sale of this data could have serious implications for individuals’ privacy and wellbeing.
In response to the breach, 23andMe is taking steps to enhance security measures and investigate the extent of the data compromise. They are also advising their customers to change their passwords and enable two-factor authentication to protect their accounts.
This incident serves as a stark reminder of the ongoing challenges in safeguarding personal data in the digital age. As technology continues to advance, individuals and organizations must remain vigilant and proactive in protecting sensitive information from cyber threats. The breach of a trusted genetic testing company like 23andMe underscores the need for robust cybersecurity measures and increased awareness of online security practices among users.