BiotechCybersecurityIndustry 4.0Science

Hackers Selling Stolen Customer DNA Data from 23andMe

After reports of a massive user data hack began circulating online, the consumer DNA sequencing company 23andMe has acknowledged a breach that’s seemingly led to its customers’ genetic info circulating online.

As Bleeping Computer reported and The Verge later confirmed, an unidentified hacker posted on a data-selling forum that they had access to a million lines of DNA information on the consumer DNA company’s users.

Even more darkly, the hackers are specifically offering data on users they say have Ashkenazi Jewish ancestry — even teasing, with no evidence and in starkly anti-semitic terms, that some data belongs to notable public figures.

“On offer are DNA profiles of millions, ranging from the world’s top business magnates to dynasties often whispered about in conspiracy theories,” one of the posts on the data-selling forum reads. “Each set of data also comes with corresponding email addresses.”

23andMe acknowledged to both Bleeping Computer and The Verge that although user data had been “compiled,” the breach did not occur within 23andMe’s system, but rather was the product of “recycled login credentials” that had been “leaked during incidents involving other online platforms.”

In its own post about the hack, 23andMe said that it was investigating the hack that involved “customer profile information” being accessed by bad actors through its DNA Relatives feature, but it did not disclose specifically what type of data had been obtained.

The company also did not say how much data was implicated in the hack. As Ars Technica has reported, a post on another crime forum claimed that hackers had obtained “13M pieces of data,” though it’s likely that that number was inflated to increase the chances of a sale.

Troublingly, this isn’t the first time a DNA kit company has suffered a hack.

Back in 2018, hackers gained access to a whopping 92 million accounts on the genealogy and DNA testing company MyHeritage, the company admitted at the time. While the information gained in the so-called “cybersecurity incident” didn’t go beyond email addresses and passwords, it still represented a blow to the burgeoning industry that asked consumers not just to pay for their DNA to be sequenced, but to trust companies with their sensitive data, too.

The blow, obviously, wasn’t enough to stop tens of millions of people from spitting into test tubes and sending their genetic material to companies like 23andMe. Although there are still many outstanding questions about this latest hack, it seems more and more certain that consumer DNA companies can’t be trusted with securely storing their users’ data in perpetuity — and that the people who paid them to do so may have made a huge mistake.

What's your reaction?

Love it!
Nikita Abraamova
Proud Russian assassin.

    You may also like

    More in:Biotech

    Leave a reply

    Your email address will not be published. Required fields are marked *