October 9th – The U.S.-based genetic profiling service 23andMe has launched an investigation into how a million data points were exposed via online forums.
At least one anonymous hacker claims to have genetic profiles for sale on the dark web, cobbled together from hijacked 23andMe customer accounts.
The seller has indicated that the profiles include email addresses, photos, gender, date of birth, and DNA ancestry, which could be weaponized to target users based on their ethnicity.
23andMe did not find evidence indicating a breach of its information systems, per se. Rather, an attacker appears to have logged into individual customers’ accounts by reusing credentials found in databases of hacked accounts from other internet-based services.
On October 4th, the attacker listed data profiles as available in bulk for $1-10 per 23andMe account, depending on the number purchased.
“We are taking this issue seriously and will continue our investigation to confirm these preliminary results,” said the company. 23andMe notes that the platform does offer two-factor authentication and encourages users to enable it.
One anonymous online data broker advertised “DNA profiles of millions, ranging from the world’s top business magnates to dynasties often whispered about in conspiracy theories.”
Sample data allegedly contains entries for tech executives, although it’s unclear whether the entries are legitimate.
Another post on a dark web site indicated that a data sample containing a list of 1 million individuals with Ashkenazi Jewish heritage is for sale, according to Business Insider.
Hundreds of thousands of individuals of Chinese descent may also be impacted by the leak, according to Wired.