Hacker Puts 23andMe User Data Up for Sale on the Internet

Source: Bloomberg | Published on October 10, 2023

An anonymous hacker is claiming to be selling “millions” of genetic profiles cobbled together from hijacked 23andMe customer accounts.

The seller suggested the profiles, which include email addresses, photos, gender, date of birth and DNA ancestry, could be used to target users based on their ethnicity.

23andMe Holding Co., a genetics test kit company that offers ancestry and health reports by analyzing a person’s saliva, confirmed Friday that genuine customer data was for sale on a hacker forum. However, a spokesperson told Bloomberg News the company found no indication of a breach in its information systems. Instead, it appeared the attacker had logged into individual customers’ accounts on 23andMe by re-using credentials found in databases for hacked accounts of other services on the internet.

The hacker also seemed to create profiles of additional people by copying the names of the 23andMe customers’ relatives who had been connected using the company’s “DNA Relatives” tool. 23andMe’s DNA Relatives feature let users connect with potential relatives who share similar DNA and exchange their genetic profiles.

“We are taking this issue seriously and will continue our investigation to confirm these preliminary results,” 23andMe said in a statement.

On Oct. 2, an anonymous seller posted that they had a “one million Ashkenazi database” on a forum for selling hacked data, referring to people of central and eastern European Jewish heritage.