The genetic testing company 23andMe confirmed on Friday that data from a subset of its users has been compromised. The company said its systems were not breached and that attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives. Users opt into sharing their information through DNA Relatives for others to see.
Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained 1 million data points exclusively about Ashkenazi Jews. There also seem to be hundreds of thousands of users of Chinese descent impacted by the leak. On Wednesday, the actor began selling what it claims are 23andMe profiles for between $1 and $10 per account, depending on the scale of the purchase. The data includes things like a display name, sex, birth year, and some details about genetic ancestry results, like that someone is, say, of “broadly European” or “broadly Arabian” descent. It may also include some more specific geographic ancestry information. The information does not appear to include actual, raw genetic data.
The company emphasized in a statement that it does not see evidence that its systems have been breached. It also encouraged users to use strong, unique passwords and enable two-factor authentication to keep attackers from compromising their individual accounts using login credentials exposed in other data breaches.
“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” the company said in a statement. “We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.”
The company has not been clear on whether it has validated the data the threat actor leaked, noting that its investigation is ongoing and that it currently has “preliminary results.” A spokesperson for the company told WIRED that the leaked information is consistent with a situation in which some user accounts were exposed and then leveraged to scrape data visible in DNA Relatives. But when pressed on the details of whether the data has been validated, the spokesperson said that verifying the data is pending and that the company cannot currently confirm whether the leaked information is real.
This point is significant both for everyone whose information may have been compromised and because the actor claims the posted data includes “celebrities.” Entries for technologists Mark Zuckerberg, Elon Musk, and Sergey Brin are all visible in the sample data, including “Profile ID,” “Account ID,” name, sex, birth year, current location, and fields known as “ydna” and “ndna.” It is unclear if the data for these entries is legitimate or was inserted. For example, Musk and Brin appear to have the same profile and account IDs in the leak.