The genetic testing firm 23andMe confirmed on Friday that knowledge from a subset of its customers has been compromised. The firm mentioned its methods weren’t breached and that attackers gathered the info by guessing the login credentials of a bunch of customers after which scraping extra individuals’s data from a characteristic generally known as DNA Relatives. Users decide into sharing their data by way of DNA Relatives for others to see.
Hackers posted an preliminary knowledge pattern on the platform BreachForums earlier this week, claiming that it contained 1 million knowledge factors completely about Ashkenazi Jews. There additionally appear to be a whole bunch of hundreds of customers of Chinese descent impacted by the leak. On Wednesday, the actor started promoting what it claims are 23andMe profiles for between $1 and $10 per account, relying on the size of the acquisition. The knowledge contains issues like a show identify, intercourse, start yr, and a few particulars about genetic ancestry outcomes, like that somebody is, say, of “broadly European” or “broadly Arabian” descent. It may embrace some extra particular geographic ancestry data. The data doesn’t seem to incorporate precise, uncooked genetic knowledge.
The firm emphasised in an announcement that it doesn’t see proof that its methods have been breached. It additionally inspired customers to make use of sturdy, distinctive passwords and allow two-factor authentication to maintain attackers from compromising their particular person accounts utilizing login credentials uncovered in different knowledge breaches.
“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” the corporate mentioned in an announcement. “We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.”
The firm has not been clear on whether or not it has validated the info the menace actor leaked, noting that its investigation is ongoing and that it at present has “preliminary results.” A spokesperson for the corporate instructed WIRED that the leaked data is in line with a scenario wherein some person accounts have been uncovered after which leveraged to scrape knowledge seen in DNA Relatives. But when pressed on the small print of whether or not the info has been validated, the spokesperson mentioned that verifying the info is pending and that the corporate can’t at present verify whether or not the leaked data is actual.
This level is critical each for everybody whose data could have been compromised and since the info posted by the actor claims to incorporate “celebrities.” Entries for technologists Mark Zuckerberg, Elon Musk, and Sergey Brin are all seen within the pattern knowledge, together with “Profile ID,” “Account ID,” identify, intercourse, start yr, present location, and fields generally known as “ydna” and “ndna.” It is unclear if the info for these entries is respectable or was inserted. For instance, Musk and Brin seem to have the identical profile and account IDs within the leak.