Personal information offered for sale by hackers is authentic, 23andMe has said
California-based 23andMe has confirmed that the personal information of its customers put up for sale on the black market is real, but insisted on Friday that its systems had not been hacked.
“Following a claim that someone had gained access to and is selling certain 23andMe customer data, we conducted an investigation. We have not identified any unauthorized access to our systems. We will continue to monitor the situation,” the company said in a statement.
While the company’s physical servers may not have been hacked per se, the “threat actors” apparently used “recycled login credentials” obtained from other online platforms to gain access to some accounts, according to the IT security outlet BleepingComputer.
The handful of compromised accounts were among those that had opted into 23andMe’s “DNA Relatives” feature, which allowed the thieves to scrape the data of those accounts’ relative matches.
The first inkling of trouble appeared on Monday, when a hacker advertised “one million” lines of data pertaining to Ashkenazi Jews. Two days later, the hacker offered to sell data profiles in bulk, charging anywhere from $1 to $10 per account. The purloined data included full names, usernames, profile photos, birth dates, locations and genetic ancestry results, all of which could be used by identity thieves and other malicious actors.
23andMe has urged users to enable two-factor authentication, refrain from reusing passwords, and reset their passwords if they fear their data could be at risk.
The company is a major player in the genetic testing market, offering services ranging from discovering one’s ancestry to detecting genes linked to hereditary diseases and serious health conditions. Its name is a reference to the number of chromosome pairs in a diploid human cell.
In 2018, 23andMe announced a partnership with GlaxoSmithKline, allowing the pharmaceutical giant to use test results of five million customers to develop new medication in return for a $300 million investment. The arrangement was extended through July 2023 for an additional $50 million.