
Second Leak From 23andMe Data Breach Includes 4 Million More Genetic Profiles

A hacker who leaked one million genetic profiles from 23andMe in early October has returned with an even larger trove, this time dumping a little over four million files and including data drawn from the DNA Relatives feature, which lets customers find and connect with genetic relatives.

The hacker appears to have some sort of political agenda and is selectively releasing these genetic profiles accordingly, though the selection seems to be driven by an assortment of conspiracy theories. The latest wave of files appears to come from the same initial data breach and is made up exclusively of 23andMe customers from Germany and the United Kingdom, but the DNA Relatives data could be used to further expose other customers who matched with those accounts.

Bizarre 23andMe data breach continues to unfold with second public dump of files

The genetic profiles come from the same hacker that claimed responsibility for the original data breach, going by the handle “Golem” on dark web forums. The breach appears to have taken place months ago, with the first sign of it being an offer on these forums to sell some 300 TB of stolen data in August. The hacker has previously claimed to have about seven million genetic profiles in total.

The public leaks have thus far had overtones of antisemitism, with the first leak of about one million profiles claimed to be those of Ashkenazi Jews, and conspiracy theories involving the Rothschild and Rockefeller families. The hacker’s handle is also a term used in white supremacist and conspiracy circles to refer to perceived attitudes of Jews toward other types of people. This may be some sort of a twisted sales pitch after initially failing to sell the full collection of data, as the hacker has also promised access to the genetic profiles of “the wealthiest people living in the US and Western Europe” and the UK’s royal family.

23andMe says that it has not detected any data breach of its own systems in connection with these leaks, and that it is still reviewing the files to confirm that the genetic profiles are legitimate. The company indicated that the hacker may have used credential stuffing to gain access to customer accounts, replaying usernames and passwords exposed in other companies' data breaches against 23andMe's login, and then used the DNA Relatives feature from each compromised account to scrape a mass of additional profiles. DNA Relatives is an opt-in service that allows 23andMe customers to automatically find and connect with potential relations.

It is unclear what percentage of the service's customers use the DNA Relatives feature, but it can show a customer up to 1,500 matches among other opted-in users. It does not, however, provide access to the full genetic profiles of those matches, so each compromised account exposes a limited slice of data about many other people rather than their complete results.
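The attack chain 23andMe describes leaves a distinctive signature in server logs: one source replaying credentials against many different accounts with mostly failures, followed by a freshly compromised account walking through far more relatives' profiles than a person browsing their matches would. The following is an added example, not 23andMe's own code or tooling, of detection logic for both stages run over constructed log lines; the log format, event names, addresses, account names and thresholds are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format (not 23andMe's): "<ISO-8601 timestamp> <client ip> <event> <account> [<relative id>]"
# Events: LOGIN_OK, LOGIN_FAIL, RELATIVE_VIEW (the relative id is the profile fetched).
STUFFING_IP = "203.0.113.7"   # hypothetical attacker replaying leaked credentials
HOME_IP = "198.51.100.5"      # hypothetical ordinary customer
START = datetime(2023, 10, 1, 10, 0, 0)


def ts(seconds):
    """Timestamp helper for building the constructed sample log."""
    return (START + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample log, not real traffic.
SAMPLE_LOG = (
    # six different accounts tried from one IP, all failing: leaked passwords that were not reused
    [f"{ts(i)} {STUFFING_IP} LOGIN_FAIL user{i}@example.com" for i in range(6)]
    # two accounts whose owners did reuse their password
    + [f"{ts(7)} {STUFFING_IP} LOGIN_OK grace@example.com",
       f"{ts(8)} {STUFFING_IP} LOGIN_OK heidi@example.com"]
    # a normal customer who mistypes once, then looks at two matches
    + [f"{ts(300)} {HOME_IP} LOGIN_FAIL ivan@example.com",
       f"{ts(309)} {HOME_IP} LOGIN_OK ivan@example.com",
       f"{ts(360)} {HOME_IP} RELATIVE_VIEW ivan@example.com rel-0001",
       f"{ts(450)} {HOME_IP} RELATIVE_VIEW ivan@example.com rel-0002"]
    # the compromised account scraping its DNA Relatives list, one profile every 10 s
    + [f"{ts(70 + 10 * n)} {STUFFING_IP} RELATIVE_VIEW grace@example.com rel-{n:04d}"
       for n in range(25)]
)


def parse(line):
    parts = line.split()
    return {"time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": parts[1], "event": parts[2], "account": parts[3],
            "target": parts[4] if len(parts) > 4 else None}


def detect_credential_stuffing(lines, min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct accounts with mostly failures.

    A customer mistyping a password touches one account; a stuffing run touches
    many, and most attempts fail because the leaked password was never reused.
    Returns {ip: {distinct_accounts, fail_ratio, compromised}} for flagged IPs."""
    per_ip = defaultdict(lambda: {"accounts": set(), "ok_accounts": set(), "ok": 0, "fail": 0})
    for e in map(parse, lines):
        if e["event"] not in ("LOGIN_OK", "LOGIN_FAIL"):
            continue
        s = per_ip[e["ip"]]
        s["accounts"].add(e["account"])
        if e["event"] == "LOGIN_OK":
            s["ok"] += 1
            s["ok_accounts"].add(e["account"])   # accounts the attacker actually got into
        else:
            s["fail"] += 1
    hits = {}
    for ip, s in per_ip.items():
        ratio = s["fail"] / (s["ok"] + s["fail"])
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            hits[ip] = {"distinct_accounts": len(s["accounts"]),
                        "fail_ratio": round(ratio, 2),
                        "compromised": sorted(s["ok_accounts"])}
    return hits


def detect_relative_scraping(lines, window=timedelta(hours=1), max_profiles=20):
    """Flag accounts that fetch more distinct relatives' profiles inside one
    sliding time window than a person browsing their matches plausibly would.
    Keyed on the account, not the IP, because scrapers rotate through proxies.
    Returns {account: peak distinct profiles seen in any window}."""
    views = defaultdict(list)
    for e in map(parse, lines):
        if e["event"] == "RELATIVE_VIEW":
            views[e["account"]].append((e["time"], e["target"]))
    hits = {}
    for account, evs in views.items():
        evs.sort()
        in_window, lo, peak = Counter(), 0, 0
        for t, rel in evs:
            in_window[rel] += 1
            while evs[lo][0] < t - window:          # drop views that fell out of the window
                old = evs[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak > max_profiles:
            hits[account] = peak
    return hits


if __name__ == "__main__":
    print("credential stuffing:", detect_credential_stuffing(SAMPLE_LOG))
    print("relative scraping:", detect_relative_scraping(SAMPLE_LOG))
```

The stuffing detector keys on distinct accounts per source rather than raw failure counts, since a lockout policy per account does nothing against an attacker who tries each account once; the scraping detector keys on distinct profiles per account rather than per IP, since the attacker's IP addresses change but the compromised account does not. In production the thresholds would be tuned against a baseline of real DNA Relatives usage, and the successful logins an alert names are the accounts to force a password reset on.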

23andMe facing legal action over failure to protect genetic profiles

It remains unclear exactly how many full genetic profiles the hacker actually has. If the bulk of the data consists of the more limited information shown for DNA Relatives matches, it is understandable why the initial sales offer seemed to go nowhere (though the listing was also cut short when the Hydra dark web forum it appeared on was taken down in August). If the hacker's point of entry was credential stuffing against individual users, it would stand to reason that they hold relatively few full genetic profiles amidst the terabytes of data they stole.

23andMe customers can request that their data be deleted (from the account settings inside the app), but the company is not actually legally obligated to comply unless the subject is a resident of a number of states with relevant laws such as California, Colorado or Illinois. Some customers have already initiated legal action in connection with the data breach, with a number of different class action suits filed in different states.

If recycled customer passwords were at fault, the case might hinge on whether the company had adequate additional layers of security to prevent unauthorized access to genetic profiles after individual accounts were compromised, such as enforcing multi-factor authentication, or rate limiting and anomaly detection on the DNA Relatives feature so that one account cannot pull records on hundreds of other customers unnoticed. The company offers one-time tests ranging in price from $99 to $199 along with an optional premium annual subscription. One of the class action suits is requesting $1,000 to $3,000 in damages per claimant.

This is not the first data breach involving genetic profiles or DNA testing information, but it is likely the largest. A prior breach of Ohio-based DNA Diagnostics Center in 2021 exposed the records of about two million individuals that had been tested between 2004 and 2012. The company reached a settlement earlier this year in an ongoing investigation that involved attorneys general from multiple states. MyHeritage, a 23andMe competitor, suffered a data breach in 2018 that involved 92 million records; however, the damage was limited to exposed email addresses and hashed passwords rather than health information.

Nick Tausek, Lead Security Automation Architect at Swimlane, adds the following advice for any organization sitting on similarly sensitive biometric information: “To mitigate any future data breaches that result in the exposure of sensitive genetic data, organizations should ensure that cybersecurity practices remain a priority. Implementing detection, response, and investigation all into one program will allow teams full visibility into their IT environment. Additionally, by automating cybersecurity processes and using low-code principles, teams can detect threats in real-time and enhance future data protection.”