23andMe posted a blog yesterday saying that data from users of its genetic testing and analysis platform has been circulating on dark web forums after hackers used recycled logins to gain access to get into accounts. BleepingComputer wrote on Thursday that a hacker leaked what they said was “1 million lines of data” for Ashkenazi Jewish people before saying they would sell stolen 23andMe data for $1 – $10 per account. The data includes users’ names, profile photos, genetic ancestry results, date of birth, and geographical location.
The company confirmed to BleepingComputer that the data is legitimate in a statement it also shared in an email to The Verge. In the statement, 23andMe managing editor Scott Hadly wrote that "the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.” He added that there was no indication of “a security incident within our systems.” BleepingComputer reports other users’ data was scraped using one of 23andMe’s own opt-in features, called ‘DNA Relatives”
23andMe’s blog post gives links to its instructions for password resets and multi-factor authentication setup. The company included a link to its privacy and security checkup page and said users who need help can email its support team.
As many as 7 million accounts may be in the sale, PCMag reported on Wednesday, citing a post from Dark Web Informer that shared screenshots of another now-deleted hacker forum post. That’s roughly half the total number of users on 23andMe’s platform. According to ArsTechnica, hackers claimed that 23andMe’s CEO knew about the leaked data two months prior, but didn’t disclose the incident.
Meanwhile, 23andMe has posted this message from a support account:
Update October 7th, 2023, 1:59PM ET: Updated with information from 23andMe’s blog post about the leaked data.