The biotechnology and biomedicine company 23andMededicated to the creation of genetic profiles, He suffered an attack a few weeks ago in which the attackers accessed sensitive information of many of its clients. It appears that the cybercriminals specifically targeted their Ashkenazi Jewish clients and those of Eastern origin.
The attackers extracted your data and it took a few days until the first cybercriminal appeared in an online forum dedicated to cybercrimes announcing the sale of private data of millions of 23andMe customers. According to this advertiser, the data includes an estimate of origin, phenotype, health information, photos and identifying data. Additionally, he reports that the CEO of 23andMe was aware that his company had been hacked two months ago and never disclosed the incident, and they point out who have data on half of the company’s clients: 7 million.
In a statement published after the appearance of this announcement, the company assures that nothing that the attackers have published indicates that they have any type of health information in their possession, and that what they claim is unfounded. Of course, they have confirmed that there is private data of some of their clients for sale.
Apparently, the cause of the data leak would be data scraping, a technique that is dedicated to the systematic extraction of small amounts of information available to users of a service and then reassembling them to obtain a complete information scenario.
To be able to perform this task, however, you must have a user account for the service. Therefore, the attackers gained unauthorized access to particular user accounts that had been configured by their owners to sign up for a function to locate potential relatives through DNA, which the company has called relative DNA.
According to the company, which began an investigation after learning that its clients’ data was for sale, so far they have no indications «there has been a data security incident on our systems. Instead, preliminary results of the investigation suggest that the access credentials used in attempts to log into accounts may have been collected by an attacking actor from data leaked during incidents involving other online platforms, in which Users have reused access credentials. We believe that the attacker may then, in violation of our terms of service, have accessed 23andme.com accounts without authorization and obtained information from those accounts. We are taking this matter seriously and will continue our investigation to confirm these preliminary results.«.
The Relative DNA feature allows users to access the basic profile information of others who also allow their profiles to be visible to the rest of the company’s customers who have agreed to activate this option. If the DNA of one of the users matches that of another who has agreed to participate, each of them will have information about the other’s ancestors.
Apparently, the data that has been put up for sale corresponds to «13 million pieces of data«, and it is unknown how many of the company’s clients they belong to. A database with information on one million clients of Ashkenazi descent has apparently been leaked. All had the relative DNA function activated. There would also be a second leaked database, with some 300,000 customers of Chinese descent, who had activated this option.
The data includes profile and account identification numbers, usernames, gender, year of birth, maternal and paternal haplogroups, ancestry inheritance results, and data on whether or not the customer has opted into the health data program. 23andMe. Some of this data is only included in databases when customers choose to share it.
Furthermore, all Those who have activated the DNA Relative Access feature can view the basic profile information of any other client who has also explicitly opted into the program and has decided that his profile is visible to other participants in it. Apparently, in any case, those who know a customer’s profile ID can see their photo, name, year of birth, and location.
