23andMe hacker data profiles of 4.1 million users

The hacker responsible for launching a credential stuffing attack against biotechnology company 23andMe to steal users’ personal data has leaked more data stolen in the cyber attack via the dark web. 

The data leaked to the notorious dark web forum BreachForums includes the genetic data profiles of 4.1 million people across Great Britain and Germany. The hacker, who uses the alias Golem, said that the data belongs to "the wealthiest people living in the US and Western Europe on this list", including the British royal family, the Rockefellers and the Rothschilds; however, this claim has not yet been confirmed to be true. A 23andMe spokesperson told TechCrunch that the company is "reviewing the data to determine if it is legitimate".

23andMe has confirmed that the data was stolen via a credential stuffing attack. The company has also said that its investigation into the cyber attack has revealed no evidence of a cyber security incident on its own IT systems. Those who had their data stolen had opted in to the 'DNA Relatives' feature, which allowed the malicious actor to scrape their data from their profiles. Golem has claimed to have stolen "hundreds of TBs of data" from the company.

How did the 23andMe cyber attack happen? 

23andMe alerted its users to the cyber attack on October 6 via a post on its website. In the post, the biotechnology company explained that “certain 23andMe customer profile information that [customers] opted into sharing through [its] DNA Relatives feature, was compiled from individual accounts without the account users’ authorization”.  

Following this, 23andMe said it believed that the hackers "obtained information from certain accounts, including information about users' DNA Relatives profiles, to the extent a user opted into that service". This means that the data stolen during the hack could include users' first and last names, sex, birth year, location and information from 23andMe's ancestry reports.

The company also shared that "recycled login credentials" were used by the hackers to access users' accounts, meaning the cyber attack was a credential stuffing attack. In a credential stuffing attack, malicious actors take login credentials exposed in earlier data breaches and 'stuff' them into the login portal of a separate site, attempting to log in to other accounts held by the same people. Wherever those credentials have been re-used, this gives the attacker access to the accounts they were re-used for.
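A credential stuffing campaign like the one described above leaves a recognisable trace in authentication logs: one source cycling through many distinct usernames, failing most of the time, with a few successes on accounts whose reused password happened to work. The detector below is an added example written for this article, not 23andMe code; the log line format and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real 23andMe data).
# Assumed line format: "<timestamp> login user=<email> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2023-10-01T10:00:01Z login user=alice@example.org src=203.0.113.5 result=fail
2023-10-01T10:00:02Z login user=bob@example.org src=203.0.113.5 result=fail
2023-10-01T10:00:03Z login user=carol@example.org src=203.0.113.5 result=ok
2023-10-01T10:00:04Z login user=dave@example.org src=203.0.113.5 result=fail
2023-10-01T10:00:05Z login user=erin@example.org src=203.0.113.5 result=fail
2023-10-01T10:00:06Z login user=frank@example.org src=203.0.113.5 result=ok
2023-10-01T10:00:07Z login user=alice@example.org src=198.51.100.7 result=fail
2023-10-01T10:00:08Z login user=alice@example.org src=198.51.100.7 result=ok
"""

LINE_RE = re.compile(
    r"login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)"
)


def detect_credential_stuffing(log_text, min_distinct_users=5, min_fail_ratio=0.5):
    """Return {source_ip: sorted accounts that logged in successfully from it}
    for every source that tried at least `min_distinct_users` different
    usernames with a failure ratio of at least `min_fail_ratio`.

    A legitimate user who mistypes a password retries the *same* account, so
    a single-account source is never flagged. The accounts listed for a
    flagged source are the ones to treat as compromised (force a password
    reset and prompt MFA enrolment)."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0, "ok_users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not login events
        rec = stats[m["src"]]
        rec["users"].add(m["user"])
        if m["result"] == "fail":
            rec["fail"] += 1
        else:
            rec["ok"] += 1
            rec["ok_users"].add(m["user"])
    flagged = {}
    for src, rec in stats.items():
        total = rec["fail"] + rec["ok"]
        if len(rec["users"]) >= min_distinct_users and rec["fail"] / total >= min_fail_ratio:
            flagged[src] = sorted(rec["ok_users"])
    return flagged


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG))
```

In the sample, 203.0.113.5 tries six accounts and fails four times, so it is flagged with the two accounts it got into, while 198.51.100.7 (one user retrying) is ignored.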

Following the cyber attack, 23andMe urged users to both change their password to a strong password and enable multi-factor authentication on their 23andMe account. The biotechnology company also launched an investigation into the cyber attack. 

It was revealed that the attack may have been targeted towards Ashkenazi Jews following dark web posts by the alleged hacker, Golem.

In a post on BreachForums, Golem claimed to have uploaded a “1 million Ashkenazi database”.  The hacker was offering data packs for sale, which they claimed contained “tailored ethnic groupings, individualized data sets, pinpointed origin estimations, haplogroup details, phenotype information, photographs, links to hundreds of potential relatives, and most crucially, raw data profiles”.

Prices for the datasets ranged from US$10 down to $1, depending on how many profiles a potential buyer was willing to purchase: the more profiles bought, the cheaper they were.

Golem claimed that the profiles contained “DNA profiles of millions, ranging from the world’s top business magnates to dynasties often whispered about in conspiracy theories”, and said that each dataset came with the email addresses of the users.