Ancestry Data Breach: 23andMe Faces Cybersecurity Crisis

Written by Veroot Cyber Team | Jan 22, 2024 6:23:56 PM

In a significant blow to the privacy of more than four million individuals, 23andMe, a leading direct-to-consumer genetic testing service, has fallen victim to a cyber-attack. The incident involves the exposure of sensitive ancestry data and raises concerns about the security measures implemented by the company.

The Cyber Threat

The threat actor, known as Golem, previously leaked private user data from 23andMe and has now expanded the breach to millions of people. The leaked data covers over four million individuals, primarily from the United Kingdom, and another file lists more than 100 thousand individuals from Germany. Golem claims to have targeted the wealthiest individuals in the United States and Western Europe.

The compromised data contains personal information such as names, gender, age, location, and crucial ancestry markers, including lineage, yDNA, and mtDNA haplogroups. However, the authenticity of the data remains unverified.

23andMe’s Response

Upon learning of the breach, 23andMe responded by attributing the leak to a credential stuffing attack. This type of attack involves reusing credentials from other breaches. The company’s investigation has found no indication of a data security incident within its systems.

The threat actor, Golem, claims to have obtained data from seven million 23andMe users. The company’s spokesperson maintains that the breach occurred due to users recycling login credentials, where usernames and passwords on 23andMe.com matched those used on previously compromised websites.

Security Measures Taken

In response to the breach, 23andMe has taken immediate security measures. All accounts are now required to undergo a password reset, and users are advised to enable multi-factor authentication. The company is collaborating with external forensic experts and federal law enforcement to further investigate the incident.

Unanswered Questions and Concerns

Many questions remain unanswered, including whether hackers gained access to more sensitive genetic data. The threat actor claims to be able to expand the genetic data using the imputation method, but no concrete evidence has been provided.

Financial Impact

The fallout from the breach is not limited to privacy concerns. The 23andMe share price has plummeted, experiencing a nearly 10% drop in a single day and a staggering 62% decrease since the beginning of the year.

Criticism of 23andMe’s Security

Golem criticizes 23andMe’s security measures, questioning why the company hasn’t taken stronger measures against credential stuffing attacks. The hacker raises concerns about the lack of email verification for downloading raw data and questions why 23andMe did not detect unauthorized access to customer accounts.

The leaked data, according to Golem, holds immense value, with organizations spending millions on research for similar genetic information. The breach underscores the need for robust cybersecurity practices in the rapidly evolving landscape of genetic testing services.

Thoughts

It’s crucial to reconsider sharing personal information with online companies, regardless of their assurances. Prioritizing the confidentiality of one’s data may warrant refraining from sharing it with these platforms, even if they assert their safety.

While the idea might seem appealing, it’s essential to exercise caution.
