Illustrative editorial of two personal genome saliva collection kits from “23 and me”. Shutterstock/ Victor Moussa

Millions of data profiles from Silicon Valley-based genetic testing service 23andMe have appeared on an online selling forum for leaked data. While the data is thought to include names, locations and ethnicities of 23andMe users, it does not include genomic details.

23andMe release a statement on Friday (6 Oct) confirming that some “customer profile information” had been compiled “through access to individual 23andMe.com accounts,” but that the company itself had not been breached.

The hackers appeared to have used 23andMe’s DNA Relative’s tool, a feature which allows users to connect with potential relatives through their genetic profiles, to compile additional profiles.

Posts appeared online offering the data for sale at $1,000 for 100 profiles, or £100,000 for 100,000 profiles, with one post claiming to have compiled a database solely of those with Ashkenazi Jewish heritage.

23andMe said in its statement that hackers accessed user information through recycled login credentials – usernames and passwords, previously used on other websites, which had also been exposed in hacks – in a process called ‘credential stuffing’.

The genetics testing company reiterated that the company itself was not breached.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks,” the company said in its statement.

The 23andMe hack is one of a number of high-profile US breaches in recent weeks. Both MGM Resorts International and Caesars Entertainment were targeted earlier this month.

Caesars disclosed it quietly paid $15m to hackers who had breached its customer loyalty database, negotiated down from the initial $30m demand.

MGM went the opposite route, refusing to pay hackers who took over its Okta authentication servers. The result was a multi-system outage that affected everything from reservation systems and digital room key processes to casino floor operations for at least ten days.