Stolen 23andMe data for sale on online forum

23andMe data breach overview: 

• Who: DNA ancestry service 23andMe confirmed it is investigating a data breach that could affect millions of its customers. 
• Why: 23andMe attributed the data breach to a threat actor accessing user accounts belonging to individuals using login credentials that had previously been stolen in a data breach against a different website. 
• Where: The data breach affects 23andMe users around the world. 

Hackers claim to carrying out a data breach, stealing data belonging to millions of people who used the DNA ancestry service 23andMe.

23andMe confirmed in a blog post last week that it was looking into reports that hackers compiled customer profile information from 23andMe accounts without user authorization. 

The confirmation came days after an X user found 13 million pieces of 23andMe customer data posted for sale on the dark web, TechRadar reports. 

In the blog post, 23andMe says it believes a threat actor gained access to accounts that belong to individuals who used recycled login credentials that had been previously exposed in an attack on a separate website. 

23andMe also says it has not found any indication of a security incident within its systems or that 23andMe was the source for the account credentials used during the attack. 

Stolen 23andMe data reportedly includes phenotype information, photos and identification data and origin estimation, among other account information, according to TechRadar. 

23andMe accounts that opted into ‘DNA Relative’ feature affected by data breach 

23andMe accounts affected by the data breach belonged to individuals who opted into the company’s ‘DNA Relatives’ feature, which lets users find their genetic relatives and match with them, Bleeping Computer reports. 

The data breach reportedly includes 1 million lines of data belonging to Ashkenazi Jewish people, in particular. The threat actor behind the attack offered to sell stolen data profiles in bulk, from $1 to $10 per account, depending on the amount purchased, according to Bleeping Computer. 

23andMe says it is working with third-party forensic experts and law enforcement to assist with its investigation into the breach.

It required customers to reset their passwords and recommended they use multifactor authentication to safeguard their accounts. 

In 2017, 23andMe agreed to a class action settlement to resolve claims the company unlawfully misrepresented its products and services, namely that its Personal Genome Service was able to make an initial medical diagnosis. 

Have you been affected by the 23andMe data breach? Let us know in the comments.

Read About More Class Action Lawsuits & Class Action Settlements:

• Caesars class action alleges casino failed to properly protect customer information before data breach
• Judge consolidates 7 class actions over Progressive data breach
• IBM, Johnson & Johnson class action claims companies failed to safeguard protected health information
• Ransomware group claims to have hacked all of Sony systems