Cybercrim claims fresh 23andMe batch takes leaked records to 5 million

2023-10-19 16:00

23andMe told The Reg: "We are aware that the threat actor involved in this investigation posted what they claim to be additional customer DNA Relative profile information. We are currently reviewing the data to determine if it is legitimate. Our investigation is ongoing and if we learn that a customer's data has been accessed without their authorization, we will notify them directly with more information."

Golem posted a link to what was advertised as a trove of 1 million records of 23andMe profiles including Ashkenazi Jewish markers to BreachForums on October 2.

DNA Relatives is a major selling point for the company's service that allows users to be paired up with other users if they share a portion of their DNA, and 23andMe offers a prediction of the most likely relation you are to a paired user.

Even if an account wasn't itself compromised through the credential stuffing attacks, because it opted into DNA Relatives and had its DNA Relatives profile attributes shared with accounts that were accessed, it means a wide range of individuals' data could be accessed through one compromised 23andMe account.

Among many other matters, that 23andMe disregarded the rights of its users by failing to adequately secure its data systems against unauthorized intrusions and monitor its network to discover the intrusion sooner.

The claims made in Andrizzi vs 23andMe, Lamons vs 23andMe, and J.S. vs 23andMe were also very similar in nature.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/10/19/latest_23andme_data_leak_takes/

#23andme #leaked