Genetic testing giant 23andMe confirmed that a data scraping incident resulted in hackers gaining access to sensitive user information and selling it on the dark web.

The information of nearly 7 million 23andMe users was offered for sale on a cybercriminal forum this week. The information included origin estimation, phenotype, health information, photos, identification data and more. 23andMe processes saliva samples submitted by customers to determine their ancestry.

When asked about the post, the company initially denied that the information was legitimate, calling it a “misleading claim” in a statement to Recorded Future News.

The company later said it was aware that certain 23andMe customer profile information was compiled through unauthorized access to individual accounts that were signed up for the DNA Relative feature — which allows users to opt in for the company to show them potential matches for relatives.

“We do not have any indication at this time that there has been a data security incident within our systems. Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” they said.

“We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts. We are taking this issue seriously and will continue our investigation to confirm these preliminary results.”

  • BigFig@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    What a title, article says 7 million users but title wants you to focus on the Jewish and Chinese customers.

    • SquiffSquiff@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      If you read the article linked you will see that:

      When asked about the post, the company initially denied that the information was legitimate, calling it a “misleading claim” in a statement to Recorded Future News.

      and then:

      A researcher approached Recorded Future News after examining the leaked database and found that much of it looked real. The researcher spoke on condition of anonymity because he found the information of his wife and several of her family members in the leaked data set. He also found other acquaintances and verified that their information was accurate.

      The researcher downloaded two files from the BreachForums post and found that one had information on 1 million 23andMe users of Ashkenazi heritage. The other file included data on more than 300,000 users of Chinese heritage.

      So in other words, this is the verified data investigated independently