23andMe person knowledge breached in credential-stuffing assault

Biotech firm , recognized for its DNA testing kits, confirmed to that its person knowledge is circulating on hacker boards. The corporate stated the leak occurred by way of a credential-stuffing assault.

A credential-stuffing assault includes person info that has already been compromised (usernames and passwords, for instance) from one group, which a hacker obtains and makes an attempt to reuse with a second group — on this case, 23andMe. Due to the character of credential-stuffing, it doesn’t seem this was a breach of the corporate’s inside methods. Moderately, accounts have been damaged into piecemeal. The perpetrators of this assault seem to have obtained fairly delicate info from the compromised accounts (genetic testing outcomes, pictures, full names and geographical location, amongst different issues).

The preliminary leak comprised “1 million traces of knowledge for Ashkenazi individuals,” to BleepingComputer. By October 4, knowledge was being supplied on the market in bulk, in increments of 100, 1,000, 10,000 or 100,000 profiles. The dimensions of the assault is as but unknown, however the scope of its impression has probably been exacerbated by 23andMe’s ‘DNA Family’ characteristic. “Family are recognized by evaluating your DNA with the DNA of different 23andMe members who’re collaborating within the DNA Family characteristic,” the corporate . After accessing an unknown variety of profiles through credential-stuffing, the risk actor behind this breach apparently scraped the ‘DNA Family’ outcomes for these profiles, netting far more delicate knowledge. In response to the identical FAQ web page, “The variety of kin listed [..] grows over time as extra individuals be a part of 23andMe.” For the fiscal yr 2023, the corporate it “genotyped” round 14 million clients.

Ever since 23andMe went public in 2021, the corporate has for its knowledge safety practices — rightly so, because it offers with delicate medical knowledge derived from saliva sampling, together with predispositions for ailments like Alzheimer’s, Sort 2 diabetes and even . On its web site the it “exceeds” knowledge safety requirements for its trade.