[German] Provider 23andMe (creates analyses of the human genome) has suffered a cyber incident in which millions of customer data were stolen. At first, the provider denied everything. A few days ago, one million records of Ashkenazi Jews were published in an underground forum. Now more captured data of 4.1 million customers from Germany and the UK has been published.
Advertising
Who is 23andMe?
23andMe is a US biotechnology company founded in the US in 2006. The name of the company is derived from the 23 pairs of chromosomes of a human being. The company has been offering individuals an examination of their genetic information since December 2007.
The offer was initially aimed only at customers from the USA, but was expanded over time to numerous other countries. It is available in Germany, Austria and Switzerland, among other countries. The price for such an analysis was reduced in several stages from $999 initially to $99 plus shipping costs (as of January 2019).
The saliva sample sent in is analyzed for about 200 genetic diseases and 99 other predispositions. Information on geographic origin is also provided. More than 960,000 sections of the human genome are examined, which identify single nucleotide polymorphisms and account for personal characteristics. According to Wikipedia, the company analyzed genes from over three million customers as of February 2018.
The service is also advertised for people who do genealogy research and would like to learn about their ancestors. A genetic match can reveal ancestry from or relationship to other people. I had pointed out the resulting implications in the German blog post 60% der Amerikaner mit europäischer Abstammung über öffentliche DNA-Datenbanken identifizierbar.
The first 23andMe leak
At the beginning of October 2023, there were first reports from media like Bleeping Computer that hackers will offer the data of one million people from the group of Ashkenazi Jews (Central, Northern and Eastern European Jews and their descendants) in an underground forum since October 2023. The 23andMe company confirmed to BleepingComputer that it was informed that user data was circulating on hacker forums. It said in an Oct. 9, 2023, statement that the leak was due to a credential-stuffing attack using forged credentials (meaning the attackers tried known credentials until they cracked access to the systems).
Advertising
The October 9, 2023 statement innocuously states that it was recently learned that certain profile information of 23andMe customers who opted for sharing through the DNA Relatives feature was unauthorizedly siphoned from "individual 23andMe.com accounts."
23andMe data on the darknet; source: Bleeping Computer
Bleeping Computer had published above the screenshot from the underground forum with the hackers' offer. Initially, the hacker only released the 1 million data of Ashkenazim people as a sample on the underground forum. However, as of October 4, 2023, the hacker offered data profiles in bulk for $1 to $10.
At 32andMe, it read like this: "After learning of suspicious activity, we immediately launched an investigation. While we continue to investigate this matter, we believe that threat actors were able to access certain accounts where users reused their credentials – i.e., the usernames and passwords used on 23andMe.com were the same as those used on other sites that were previously hacked." The last sentence describes a so-called credential stuffing, where known credentials are tried to hack online accounts.
32andMe then commissioned external forensic experts to investigate and informed law enforcement authorities. It also advised customers to reset passwords and switch to using multi-factor authentication (MFA). The company believes that the data pulled also includes information about users' DNA relative profiles, if they have opted in to the service.
As of October 20, 2023, the company then announced that as part of the ongoing security investigation, they had temporarily disabled some DNA relationship matching features as an additional precaution to protect the privacy of our customers.
New data leak
The background of the latest move is probably a report from Bleeping Computer that the hacker with the alias Golem has published another 4.1 million stolen genetic data profiles from 23andMe about German and British customers in a hacker forum.
The hacker claims that the stolen 4 million data contains genetic information about the British royal family, the Rothschilds and the Rockefellers. The same hacker published another CSV file containing the 23andMe data of 139,172 people living in Germany. TechCrunch reported that some of the data from the UK was verified as matching known and public user and genetic information.
TechCrunch also writes that some of the leaked 23andMe data was sold on the now-defunct Hydra hacking forum in August 2023, where the threat actor claimed to have stolen 300 terabytes of data. This is likely to escalate into a huge data scandal that could spell the end of 23andMe.
I came across the above message on BlueSky. The Electronic Frontier Foundation has this article with advice on what to do if you think you've been affected by the 23andMe hack.
Advertising
