Hacker leaks additional 23andMe user data following recent breach

The dataset includes info on individuals from Britain, including data from what they describe as "the wealthiest people living in the US and Western Europe.

 
Follow :
Hacker | Image: Unsplash

23andMe user data reach: A hacker known as Golem, who recently disclosed a major breach of genetic testing company 23andMe, has now released millions of additional user records. On Tuesday, Golem made a new dataset of 23andMe user information public, containing records for four million users, on the well-known cybercrime forum BreachForums.According to the media reports, some of this newly leaked stolen data matches known and publicly available 23andMe user and genetic information.

According to Golem, the dataset includes information on individuals from Great Britain, including data from what they describe as "the wealthiest people living in the US and Western Europe." In response, 23andMe's spokesperson, Andy Kill, stated that the company became aware of this latest leak and is currently "reviewing the data to determine if it is legitimate."

Hackers using credential stuffing

The initial breach, announced by 23andMe on October 6, revealed that hackers had accessed some user data. The company suggested that the hackers had used a method known as credential stuffing, where hackers attempt various combinations of usernames or emails with corresponding passwords already available from previous data breaches.

As a response to the incident, 23andMe urged users to change their passwords and encouraged the use of multi-factor authentication. The company also initiated an investigation with the assistance of third-party forensic experts.

The breach was attributed to customers reusing passwords and an opt-in feature called DNA Relatives, which allows users to view the data of other opted-in users whose genetic data matches theirs. In theory, this feature would enable hackers to access data from multiple users through a single compromised account.

On Hydra, the hacker claimed to possess 300 terabytes of 23andMe user data, although no evidence was provided to support this assertion. The full scope of this data breach remains uncertain, and it's unclear whether 23andMe has determined the extent of the data taken as of now.

Published By : Anirudh Trivedi

Published On: 19 October 2023 at 10:06 IST