23andMe suffers credential stuffing cyber attack

The biotechnology company suffered a data breach following a credential stuffing attack that appeared to target Ashkenazi Jewish members


Note: This article has been updated to reflect the data exposed in the credential stuffing attack.

Biotechnology company 23andMe, which offers genetic testing and genealogy services, has announced that it was the victim of a data breach following a credential stuffing attack. 

The cyber attack appeared to be targeting users with Ashkenazi Jewish heritage.

The cyber attack was made public on October 6 via a post on 23andMe’s website. In the post, the biotechnology company explained that “certain 23andMe customer profile information that [customers] opted into sharing through [its] DNA Relatives feature, was compiled from individual 23andMe.com accounts without the account users’ authorization”. 

Following this, 23andMe said it believes that the malicious actors “obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service”. This information could include users’ first and last names, sex, birth year, location and information from 23andMe’s ancestry reports.

The company also noted that the malicious actors were able to access the accounts where users “recycled login credentials”, meaning the cyber attack was a credential stuffing attack. In a credential stuffing attack, malicious actors take login credentials exposed in previous data breaches and try them against other accounts held by the same victims, ‘stuffing’ the stolen credentials into the login portal of a separate site. If the login credentials have been re-used, the malicious actors can access whatever accounts they have been re-used for.
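From the defending site's side, the pattern described above shows up in authentication logs as one source trying many different accounts once or twice each, with only a few logins succeeding. The following detection sketch is an added example, not code from 23andMe or from this article; the log format, thresholds, IP addresses and usernames are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: (ISO timestamp, source IP, username, login succeeded).
# IPs are from documentation ranges; usernames are made up.
SAMPLE_EVENTS = (
    [("2023-10-01T10:00:%02d" % i, "203.0.113.7", "user%d" % i, i in (4, 11))
     for i in range(20)]                      # one source, 20 accounts, 2 hits
    + [("2023-10-01T10:05:%02d" % i, "198.51.100.9", "alice", i == 3)
       for i in range(4)]                     # a user mistyping their own password
    + [("2023-10-01T10:06:00", "192.0.2.44", "bob", True)]
)

def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=10,
                    max_success_ratio=0.2, max_tries_per_account=2.0):
    """Return {source_ip: sorted usernames it logged in to} for sources whose
    traffic looks like credential stuffing: many distinct accounts inside one
    window, few tries per account, and a low success ratio."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Advance the window start until the span fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            hits = {u for _, u, ok in chunk if ok}
            if (len(users) >= min_accounts
                    and len(chunk) / len(users) <= max_tries_per_account
                    and len(hits) / len(chunk) <= max_success_ratio):
                # Treat every account this source got into as exposed.
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, "-> force password reset and revoke sessions for:", users)
```

The accounts returned for a flagged source are the ones where a re-used password worked, so they are the candidates for a forced reset and multi-factor enrolment. The thresholds are illustrative and need tuning against a site's normal login traffic.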

23andMe said that it has launched an investigation into the cyber attack and urged users to both change their password to a strong password and enable multi-factor authentication on their 23andMe account.

It was revealed that the attack may have been targeted towards Ashkenazi Jews following dark web posts by the alleged hacker.

A malicious actor claiming to be responsible for the cyber attack later leaked information allegedly stolen in the credential stuffing attack. In a post on notorious dark web hacking forum BreachForums, the malicious actor claimed to have uploaded a “1 million Ashkenazi database”.  

The same threat actor offered data packs for sale, which they claimed contained “tailored ethnic groupings, individualized data sets, pinpointed origin estimations, haplogroup details, phenotype information, photographs, links to hundreds of potential relatives, and most crucially, raw data profiles”.

The malicious actor was offering the following prices for the datasets:

  • 100 profiles for US$1,000
  • 1,000 profiles for $5,000
  • 10,000 profiles for $20,000
  • 100,000 profiles for $100,000

The malicious actor claimed that the profiles contain “DNA profiles of millions, ranging from the world’s top business magnates to dynasties often whispered about in conspiracy theories. Each set of data also comes with corresponding email addresses.”

23andMe has confirmed that the data leaked by the malicious actor in their forum post is legitimate.

