Genetics Firm 23andMe Confirms User Data, Including Results, Has Leaked

Bill Toulas, Bleeping Computer:

The initial data leak was limited, with the threat actor releasing 1 million lines of data for Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.

A 23andMe spokesperson confirmed the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data.

The attackers apparently used the site’s “DNA Relatives” feature to hop across profiles, and gained a database of users’ full names, location, and the full genetic results of their 23andMe test. It is unclear exactly how much data was stolen, though it appears to be from at least 7 million people. So there is lots to choose from but, in a move as unsurprising as it is dismaying, the first forum user to post data from the breach went for a plainly antisemitic angle.

If there is the tiniest of silver linings, it is that services like 23andMe are kind of bunk: identical twins received entirely different results, and none of the five services they tested could agree on the basics. Some crooks may have stolen your DNA test results, but at least they are probably wrong.