Biotech firm 23andMe user data stolen in credential-stuffing attack

Galgotias Ad

San Francisco, Oct 8 (IANS) US-based biotech company 23andMe, known for its DNA testing kits, has confirmed that its user data is circulating on hacker forums, attributing the leak to a credential-stuffing attack.

According to BleepingComputer, a hacker recently leaked samples of data that was stolen from a genetics firm and, after a few days, offered to sell data packs belonging to 23andMe customers.

A credential-stuffing attack involves obtaining previously compromised user information (for example, usernames and passwords) from one organisation and attempting to reuse it with a second organisation.

According to the report, the threat actor released 1 million lines of data for Ashkenazi people in the initial data leak. However, on October 4, the hacker offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on the number of accounts purchased.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual accounts. We do not have any indication at this time that there has been a data security incident within our systems,” a 23andMe spokesperson was quoted as saying.

“Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” it added.

This incident exposed full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location, the report said.

The accounts that were compromised had opted into the platform’s ‘DNA Relatives’ feature, which allows users to find and connect with genetic relatives.

As the platform offers multi-factor authentication (MFA)as an additional account protection measure, the company encouraged all users to enable it.

“Please be sure to enable multi-factor authentication on your 23andMe account,” the company said.



Comments are closed.