23andMe consumer information breached in credential-stuffing assault

Biotech firm , recognized for its DNA testing kits, confirmed to that its consumer information is circulating on hacker boards. The corporate mentioned the leak occurred via a credential-stuffing assault.

A credential-stuffing assault includes consumer info that has already been compromised (usernames and passwords, for instance) from one group, which a hacker obtains and makes an attempt to reuse with a second group — on this case, 23andMe. Due to the character of credential-stuffing, it doesn’t seem this was a breach of the corporate’s inner techniques. Somewhat, accounts have been damaged into piecemeal. The perpetrators of this assault seem to have obtained fairly delicate info from the compromised accounts (genetic testing outcomes, images, full names and geographical location, amongst different issues).

The preliminary leak comprised “1 million strains of information for Ashkenazi folks,” to BleepingComputer. By October 4, information was being supplied on the market in bulk, in increments of 100, 1,000, 10,000 or 100,000 profiles. The size of the assault is as but unknown, however the scope of its influence has seemingly been exacerbated by 23andMe’s ‘DNA Kin’ characteristic. “Kin are recognized by evaluating your DNA with the DNA of different 23andMe members who’re taking part within the DNA Kin characteristic,” the corporate . After accessing an unknown variety of profiles through credential-stuffing, the risk actor behind this breach apparently scraped the ‘DNA Kin’ outcomes for these profiles, netting way more delicate information. In accordance with the identical FAQ web page, “The variety of kin listed [..] grows over time as extra folks be part of 23andMe.” For the fiscal yr 2023, the corporate it “genotyped” round 14 million prospects.

Ever since 23andMe went public in 2021, the corporate has for its information safety practices — rightly so, because it offers with delicate medical information derived from saliva sampling, together with predispositions for ailments like Alzheimer’s, Sort 2 diabetes and even . On its web site the it “exceeds” information safety requirements for its business.