DNA Tester 23andMe Hit By Credential Stuffing Campaign

A leading genetics testing firm has confirmed that customers had their profile information accessed by threat actors following a credential stuffing campaign.

San Francisco-headquartered 23andMe offers DNA testing, ancestry information and personalized health insights for millions of customers.

However, a threat actor known as “Golem” posted an ad to BreachForums last week, offering “raw data profiles,” “tailored ethnic groupings,” “individualized data sets” and much more to online buyers.

“On offer are DNA profiles of millions, ranging from the world’s top business magnates to dynasties often whispered about in conspiracy theories,” they explained in the ad. “Each set of data also comes with corresponding email addresses.”

Prices start at $1000 for 100 profiles and max out at $100,000 for 100,000 profiles.

A statement from 23andMe confirmed that the data breach was not due to hackers infiltrating the firm’s own network, but rather poor password management on the part of its customers, who appear not to have used the site’s multi-factor authentication (MFA) option.

“We do not have any indication at this time that there has been a data security incident within our systems,” it noted.

“Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

It’s believed that hackers gained access to a small number of initial accounts via previously compromised credentials, but were then able to scrape data from additional users who had registered with the DNA Relatives feature.

Among the data compromised are full names, usernames, profile photos, gender, date of birth, location and ancestry results.

Update December 6, 2023: 23andMe has confirmed that over 6 million individuals' information was accessed in the data breach. The firm also confirmed that the hackers were able to access a significant number of files containing information about some users' ancestry.
