Millions of data profiles from Silicon Valley-based genetic testing service 23andMe have appeared on an online selling forum for leaked data. While the data is thought to include names, locations and ethnicities of 23andMe users, it does not include genomic details.
23andMe release a statement on Friday (6 Oct) confirming that some “customer profile information” had been compiled “through access to individual 23andMe.com accounts,” but that the company itself had not been breached.
Go deeper with GlobalData
Access deeper industry intelligence
Experience unmatched clarity with a single platform that combines unique data, AI, and human expertise.
The hackers appeared to have used 23andMe’s DNA Relative’s tool, a feature which allows users to connect with potential relatives through their genetic profiles, to compile additional profiles.
Posts appeared online offering the data for sale at $1,000 for 100 profiles, or £100,000 for 100,000 profiles, with one post claiming to have compiled a database solely of those with Ashkenazi Jewish heritage.
23andMe said in its statement that hackers accessed user information through recycled login credentials – usernames and passwords, previously used on other websites, which had also been exposed in hacks – in a process called ‘credential stuffing’.
The genetics testing company reiterated that the company itself was not breached.
US Tariffs are shifting - will you react or anticipate?
Don’t let policy changes catch you off guard. Stay proactive with real-time data and expert analysis.
By GlobalData“We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the company said in its statement.
The 23andMe hack is one of a number of high-profile US breaches in recent weeks. Both MGM Resorts International and Caesars Entertainment were targeted earlier this month.
Caesars disclosed it quietly paid $15m to hackers who had breached its customer loyalty database, negotiated down from the initial $30m demand.
MGM went the opposite route, refusing to pay hackers who took over its Okta authentication servers. The result was a multi-system outage that affected everything from reservation systems and digital room key processes to casino floor operations for at least ten days.
