23andMe Launches Data Breach Investigation as Client Data Surfaces on Cybercrime Forum

The widely-used DNA testing service, 23andMe, has launched a full-scale investigation in response to a concerning incident where client information appeared on a cybercrime forum. The 23andMe data breach, which occurred on October 1st, initially involved the exposure of one million data lines. However, on October 4th, the threat actor began selling bulk data profiles, ranging from $1 to $10 per account, in various quantities.

The compromised data includes clients' names, usernames, profile photos, gender, birthdates, geographical locations, and genetic ancestry results. 23andMe confirmed the authenticity of the data breach, revealing that threat actors utilized exposed credentials from previous breaches to gain unauthorized access to 23andMe accounts and pilfer sensitive information. Essentially, recycled login credentials from other cyber incidents were exploited to infiltrate the DNA company's accounts.

Reports indicate that a significant portion of the compromised accounts were those that had opted into 23andMe's "DNA Relatives" feature, which connects users with potential genetic relatives. During the breach, threat actors accessed a limited number of accounts and managed to scrape data linked to potential relatives, causing considerable concern among users and the company alike.

The extent of the breach's impact remains unclear, and it is uncertain whether the threat actors have engaged directly with 23andMe to discuss their illicit activities. As the investigation unfolds, 23andMe is working diligently to assess the full scope of the incident and ensure the security and privacy of its clients' sensitive genetic data. Tyler Farrar, CISO, Exabeam, shared what other organizations can learn from this incident and how they can protect themselves from similar cyber threats:

"Whether this is a confirmed data breach or a symptom of credential stuffing, the two security challenges remain: compromised credentials and distinguishing between normal and abnormal behavior. Valid credentials, obtained from previous data leaks or breaches, provide threat actors with potential access to sensitive data. Such breaches are often amplified by the inherent difficulty in differentiating between unauthorized and legitimate logins, leading to a widespread notification process that may encompass unaffected consumers.

Addressing these challenges necessitates comprehensive cybersecurity strategies. Education about safe credential practices and feedback loops, complete network activity visibility, and robust technical safeguards, such as multi-factor authentication, all contribute to a resilient defense against credential-based attacks.

Most importantly, organizations should be able to establish a clear behavioral baseline for users and devices on their network. Understanding "normal" behavior allows for the identification of deviations that may signify compromised credentials. This approach facilitates faster detection and response to breaches, protecting organizations and their people from potential harm. Remember: you ought to know your network and your people better than the attackers."
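The two signals the quote describes, credential reuse from earlier leaks and deviation from a per-user behavioral baseline, can be checked together against authentication logs. The following is an added illustration, not code from 23andMe or Exabeam; the log events, IP addresses, countries and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample events (not real 23andMe data): (user, src_ip, country, result)
BASELINE = [  # historical, known-good logins used to learn "normal" per user
    ("alice", "203.0.113.5", "US", "success"),
    ("alice", "203.0.113.5", "US", "success"),
    ("bob", "198.51.100.7", "DE", "success"),
    ("carol", "192.0.2.44", "US", "success"),
]
NEW_EVENTS = [  # a later window: one source tries many accounts, one password works
    ("alice", "198.51.100.200", "RU", "fail"),
    ("bob", "198.51.100.200", "RU", "fail"),
    ("carol", "198.51.100.200", "RU", "success"),  # reused password from another leak
    ("dave", "198.51.100.200", "RU", "fail"),
    ("alice", "203.0.113.5", "US", "success"),     # normal for alice, not flagged
]

def build_baseline(events):
    """Per-user set of countries seen on successful logins: the 'normal' profile."""
    seen = defaultdict(set)
    for user, _ip, country, result in events:
        if result == "success":
            seen[user].add(country)
    return seen

def detect(events, baseline, min_accounts=3, min_fail_ratio=0.5):
    """Return (stuffing_sources, anomalous_logins).

    stuffing_sources: IPs that try many distinct accounts with mostly failures,
    the shape of a credential-stuffing run rather than a user mistyping.
    anomalous_logins: successes from a country the user has never used before
    (a user with no baseline at all is treated as never-seen and flagged)."""
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    anomalous = []
    for user, ip, country, result in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        if result == "fail":
            stats["fails"] += 1
        elif country not in baseline.get(user, set()):
            anomalous.append((user, ip, country))
    stuffing = sorted(ip for ip, s in per_ip.items()
                      if len(s["users"]) >= min_accounts
                      and s["fails"] / s["total"] >= min_fail_ratio)
    return stuffing, anomalous

if __name__ == "__main__":
    print(detect(NEW_EVENTS, build_baseline(BASELINE)))
```

A success that appears in both lists (a never-seen country, from an IP already spraying other accounts) is the case to act on first, since it is the one a notification-only process would miss.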
