Personal genetic data was stolen from the biotechnology company 23andMe, which offers genetic testing for ancestral history. The cyberattackers are reportedly targeting Ashkenazi and Chinese users.
23andMe released a statement on Friday identifying data security concerns, saying that actors “obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service.”
Asked for comment, 23andMe directed National Review to its blog post addressing data security concerns.
The company believes that the hackers used credential stuffing, a cyberattack method that recycles login credentials obtained from data breaches on other platforms to fraudulently gain account access.
“While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials — that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” the company wrote on October 6.
PCMag reported last week that a threat actor claimed in a now-deleted post to have data from 7 million 23andMe users.
Bleeping Computer, a technology publication, reported that a cyberattacker released “1 million lines of data for Ashkenazi people” and offered to sell data profiles for $1-$10 each. The data allegedly includes genetic ancestry, names, geographic location, sex, and date of birth.
The Record, a publication focused on cybersecurity, reported that one file on Breach Forums, a hacking crime online forum, had data on 1 million users of Ashkenazi heritage, and another file had data on more than 300,000 users of Chinese heritage.
Services with 23andME begin at $119. Other membership tiers allow members to receive reports on their carrier status for certain conditions like Cystic Fibrosis and their predisposition to certain illnesses like Type 2 Diabetes.
23andMe announced in 2015 an agreement to share user data of over 800,000 individuals with Pfizer.
“Researchers can now fully benefit from the largest dataset of its kind, running queries in minutes across more than 1,000 different diseases, conditions and traits,” Pfizer said in a 2015 statement. “With this information researchers can identify new associations between genes and diseases and traits more quickly than ever before.”