Genetic testing company 23andMe has confirmed a data theft incident from a credential stuffing attack targeting user accounts.
The South San Francisco, California-based biotechnology company said attackers breached a subset of 23andMe accounts by guessing their credentials.
Subsequently, they abused the ‘DNA Relatives’ feature, which allows users to find and connect with genetic relatives, to scrape profile data belonging to many more users than the accounts they had actually logged into.
“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” the company said.
23andMe data theft incident impacted millions of customers
The threat actor claimed they stole the genetic data of 1 million people of Ashkenazi Jewish origin. The leak also exposed hundreds of thousands of individuals of Chinese heritage. Collectively, the data theft incident leaked over “20 million pieces of data,” according to the threat actor.
Interestingly, the data leak includes entries for tech billionaires Mark Zuckerberg and Elon Musk. However, the authenticity of those records is questionable, and they were likely included to attract media attention.
Meanwhile, the attackers have listed the information for sale on the underground hacking forum BreachForums, at prices ranging from $1,000 for 100 profiles to $100,000 for 100,000 profiles.
The data theft does not appear to have leaked raw DNA data, which could have had severe consequences for the victims. However, the leaked information includes personal data such as name, sex, birth year, photos, location, and shared genetic markers such as haplogroups indicating genetic ancestry.
The threat actor promised broader genetic data with “hundreds of potential relatives,” which could expose family connections. This exposure could leak victims’ sensitive information, such as genetic predisposition to certain health conditions, thus violating individuals’ right to privacy.
Additionally, it could lead to misuse by unauthorized researchers, targeted cyber harassment, or mental anguish.
Credential stuffing attack from previous data breaches
Asserting that there was no “data security incident within our systems,” 23andMe indicated that the threat actor did not breach its information systems.
Additionally, preliminary results of an ongoing investigation attributed the data theft to a credential stuffing attack using login credentials leaked from other online services.
“… the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” they said.
23andMe has not disclosed the number of victims impacted by the data theft incident or accounts compromised via the credential stuffing attack. The company has promised to notify all impacted individuals after the investigation.
According to Lior Yaari, CEO and co-founder of Grip Security, although a “high school kid could execute” a credential stuffing attack, multi-factor authentication and human verification could easily prevent it.
“Protecting against consumer application breaches now has implications for enterprise security, but most companies are not prepared to take the necessary steps to protect themselves properly,” said Yaari.
According to Tyler Farrar, CISO at Exabeam, the credential stuffing attack resulted from systemic security issues most organizations are unprepared to handle.
“Whether this is a confirmed data breach or a symptom of credential stuffing, the two security challenges remain: compromised credentials and distinguishing between normal and abnormal behavior,” noted Farrar.
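The two challenges Farrar names, recycled credentials and telling normal from abnormal behaviour, can be illustrated with a simple detection heuristic over login logs. The following is an added example for this article, not code from 23andMe or from any of the vendors quoted here. It assumes a hypothetical log format of the form `<timestamp> ip=<source> user=<account> result=<success|failure>`, and the sample log lines are constructed: two ordinary users mistyping a password, plus one source address trying leaked username/password pairs against many accounts. The detection rule keys on what separates a stuffing source from a forgetful user: many distinct accounts, a high failure ratio, and still a handful of successes where a password was reused.

```python
"""Heuristic credential-stuffing detector run over constructed login log lines.

Added example for this article; it is not code from 23andMe or any vendor
quoted here. It assumes a hypothetical log format:
    <timestamp> ip=<source address> user=<account> result=<success|failure>
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: two ordinary users retrying a typo, plus one source
# address (203.0.113.7) spraying leaked credential pairs across 30 accounts.
NORMAL_LINES = [
    "2023-10-01T08:00:01Z ip=198.51.100.4 user=alice result=failure",
    "2023-10-01T08:00:09Z ip=198.51.100.4 user=alice result=success",
    "2023-10-01T08:05:30Z ip=198.51.100.9 user=bob result=failure",
    "2023-10-01T08:05:41Z ip=198.51.100.9 user=bob result=failure",
    "2023-10-01T08:05:55Z ip=198.51.100.9 user=bob result=success",
]
STUFFING_LINES = [
    f"2023-10-01T09:00:{i:02d}Z ip=203.0.113.7 user=user{i:03d} "
    f"result={'success' if i in (7, 19) else 'failure'}"
    for i in range(30)
]
SAMPLE_LOG = NORMAL_LINES + STUFFING_LINES


@dataclass
class SourceStats:
    """Per-source-address counters used by the heuristic."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct accounts tried
    compromised: set = field(default_factory=set)  # accounts the source logged into

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return (ip, user, result) or None for lines not in the expected form."""
    fields = {}
    for token in line.split()[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    try:
        return fields["ip"], fields["user"], fields["result"]
    except KeyError:
        return None


def summarize(lines) -> dict:
    """Aggregate login attempts by source address."""
    stats = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, result = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "success":
            s.compromised.add(user)
        else:
            s.failures += 1
    return dict(stats)


def flag_stuffing(stats, min_attempts=20, min_users=10, min_failure_ratio=0.7) -> dict:
    """Flag sources that look like credential stuffing rather than a user mistyping.

    Thresholds are illustrative. A legitimate user fails a few times on one
    account; a stuffing source hits many distinct accounts, fails on most of
    them, and still lands some successes where passwords were recycled.
    """
    flagged = {}
    for ip, s in stats.items():
        if (s.attempts >= min_attempts
                and len(s.users) >= min_users
                and s.failure_ratio >= min_failure_ratio):
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "failure_ratio": round(s.failure_ratio, 2),
                # Accounts to force a password reset and MFA enrolment on.
                "compromised": sorted(s.compromised),
            }
    return flagged


if __name__ == "__main__":
    for ip, detail in flag_stuffing(summarize(SAMPLE_LOG)).items():
        print(ip, detail)
```

The successful logins from a flagged source are the actionable part: those are the accounts whose recycled passwords worked, and they are the ones to reset and enrol in MFA, which is also the control Yaari points to above. In production the same counters would be kept per time window and per subnet or ASN rather than per single address, since stuffing tools rotate through proxies.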
Commenting on the 23andMe credential stuffing attack, Ken Westin, Field CISO at Panther Labs, said the data theft incident highlighted the regulatory loopholes plaguing the DNA testing industry.
“This is a worry many in the Infosec community had regarding the DNA mapping industry. For the most part, the protection of DNA data has been unregulated — at best, it’s been treated like PII,” observed Westin. “The attackers in this case presented the Infosec community’s worst fears around using DNA data to target ethnic minorities. The slow pace of regulation and action by law enforcement around the use and protection of DNA data has created a perfect storm for adversaries to exploit and profit from incredibly sensitive data.”
In May 2023, the FTC ordered Premom app operator Easy Healthcare Corporation to pay $200,000 for sharing intimate reproductive information with third parties, including Chinese firms and Google. And in September 2023, the agency also ordered 1Health.io (formerly Vitagene) to pay a $75,000 fine for failing to secure genetic information.