23andMe published a blog yesterday saying that data from users of its genetic testing and analysis platform was circulated on dark web forums after hackers used recycled login names to gain access to accounts. BleepingComputer wrote Thursday that a hacker leaked what they said was "a million rows of data" on Ashkenazi Jews and then said they would sell the stolen 23andMe data for $1 to $10 per account. This data includes the user's name, personal photo, genetic ancestry results, date of birth and geographic location.
The company confirmed to BleepingComputer that the data is genuine. In a statement, 23andMe Editor-in-Chief Scott Hadly wrote: "Preliminary results of this investigation indicate that the login credentials used in these access attempts may have been collected by threat actors from leaked data in incidents involving users of other online platforms recycling login credentials." He added that there is no indication of "a security incident in our systems." BleepingComputer reported that other users' data was stolen through 23andMe's own optional feature called "DNA Kinship."
23andMe’s blog post provides links to password reset and multi-factor authentication setup instructions. The company also provided a link to a privacy and security checkup page and said users who need help can email its support team.
As many as 7 million accounts may be for sale, PCMag reported on Wednesday, citing a post from a dark web information provider that shared a screenshot of another now-deleted hacker forum post. That’s about half of the total number of users on the 23andMe platform. According to ArsTechnica, the hackers claimed that 23andMe’s CEO knew about the data breach two months ago but failed to disclose the incident.
Meanwhile, 23andMe posted a message from a support account: