23andMe says private user data is up for sale after being scraped

Genetic profiling service 23andMe has confirmed that personal person knowledge is circulating on the market on-line after being scraped off its web site.

Friday’s affirmation comes five days after an unknown entity took to an internet crime discussion board to promote the sale of personal info for millions of 23andMe users. The discussion board posts claimed that the stolen knowledge included origin estimation, phenotype, well being info, pictures, and identification knowledge. The posts claimed that 23andMe’s CEO was conscious the corporate had been “hacked” two months earlier and by no means revealed the incident.

23andMe officers on Friday confirmed that personal knowledge for a few of its customers is, the truth is, up on the market. The reason for the leak, the officers mentioned, is knowledge scraping, a way that basically reassembles giant quantities of information by systematically extracting smaller quantities of data obtainable to particular person customers of a service. Attackers gained unauthorized entry to the person 23andMe accounts, all of which had been configured by the person to decide in to a DNA relative function that enables them to search out potential kinfolk.

In a press release, the officers wrote:

We don’t have any indication right now that there was an information safety incident inside our methods. Reasonably, the preliminary outcomes of this investigation counsel that the login credentials utilized in these entry makes an attempt might have been gathered by a menace actor from knowledge leaked throughout incidents involving different on-line platforms the place customers have recycled login credentials.

We consider that the menace actor might have then, in violation of our phrases of service, accessed 23andme.com accounts with out authorization and obtained info from these accounts. We’re taking this subject significantly and can proceed our investigation to substantiate these preliminary outcomes.

The DNA relative function permits customers who decide in to view fundamental profile info of others who additionally enable their profiles to be seen to DNA Relative individuals, a spokesperson mentioned. If the DNA of 1 opting-in person matches one other, every will get to entry the opposite’s ancestry info.

The crime discussion board publish claimed the attackers obtained “13M items of information.” 23andMe officers have supplied no particulars concerning the leaked info obtainable on-line, the variety of customers it belongs to, or the place it’s being made obtainable. On Friday, The Record and Bleeping Computer reported that one leaked database contained info for 1 million customers of Ashkenazi heritage, all of whom had opted in to the DNA relative service. The Report mentioned a second database included 300,000 customers of Chinese language heritage who additionally had opted in.

The information included profile and account ID numbers, names, gender, beginning yr, maternal and paternal genetic markers, ancestral heritage outcomes, and knowledge on whether or not or not every person has opted into 23andme’s well being knowledge.

The Report additionally reported {that a} researcher just lately found a flaw on the 23andMe web site that enables individuals who know the profile ID of a person to view that person’s profile picture, identify, beginning yr, and placement.

By now, it has develop into clear that storing genetic info on-line carries dangers. In 2018, MyHeritage revealed that e-mail addresses and hashed passwords for greater than 92 million customers had been stolen by a breach of its community that occurred seven months earlier.
That very same yr, regulation enforcement officers in California mentioned they used a distinct family tree web site to track down a long-sought suspect in a string of grisly murders that occurred 40 years earlier. Investigators matched DNA left at a criminal offense scene with the suspect’s DNA. The suspect had by no means submitted a pattern to the service, which is named GEDMatch. As a substitute, the match was made with a GEDMatch person associated to the suspect.

Whereas there are advantages to storing genetic info on-line so folks can hint their heritage and monitor down kinfolk, there are clear privateness threats. Even when a person chooses a powerful password and makes use of two-factor authentication as 23andMe has lengthy urged, their knowledge can nonetheless be swept up in scraping incidents just like the one just lately confirmed. The one certain option to defend it from on-line theft is to not retailer it there within the first place.