Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security

Hacker Leaks Millions More 23andMe User Records On Cybercrime Forum (techcrunch.com) 20

An anonymous reader quotes a report from TechCrunch: The same hacker who leaked a trove of user data stolen from the genetic testing company 23andMe two weeks ago has now leaked millions of new user records. On Tuesday, a hacker who goes by Golem published a new dataset of 23andMe user information containing records of four million users on the known cybercrime forum BreachForums. TechCrunch has found that some of the newly leaked stolen data matches known and public 23andMe user and genetic information. Golem claimed the dataset contains information on people who come from Great Britain, including data from "the wealthiest people living in the U.S. and Western Europe on this list."

On October 6, 23andMe announced that hackers had obtained some user data, claiming that to amass the stolen data the hackers used credential stuffing -- a common technique where hackers try combinations of usernames or emails and corresponding passwords that are already public from other data breaches. In response to the incident, 23andMe prompted users to change their passwords and encouraged switching on multi-factor authentication. On its official page addressing the incident, 23andMe said it has launched an investigation with help from "third-party forensic experts." 23andMe blamed the incident on its customers for reusing passwords, and an opt-in feature called DNA Relatives, which allows users to see the data of other opted-in users whose genetic data matches theirs. If a user had this feature turned on, in theory it would allow hackers to scrape data on more than one user by breaking into a single user's account.

This discussion has been archived. No new comments can be posted.

Hacker Leaks Millions More 23andMe User Records On Cybercrime Forum

Comments Filter:
  • No Hacker Needed (Score:4, Informative)

    by WankerWeasel ( 875277 ) on Wednesday October 18, 2023 @04:52PM (#63935449)

    The CEO of 23andMe is the wife of one of the founders of Google. From the start, all users agree to have their DNA information shared with folks like Google. How do you think DNA testing was being done so cheap? They make money off the customer information (including their DNA).

    • How does google monetize DNA ?
    • Re:No Hacker Needed (Score:5, Interesting)

      by Tony Isaac ( 1301187 ) on Wednesday October 18, 2023 @05:40PM (#63935563) Homepage

      Having managed the software dev team at a competing DNA lab, I can tell you that DNA tests are *actually* that cheap. We offered several levels of tests, each higher level including larger numbers of data points. For us, the tests were so cheap that we tested everybody at the highest level, even if they bought the lowest level test. We would then try to up-sell them on the larger test arrays. If they paid the extra money, we would literally check a box on their profile, and the results would appear. There was a fake delay added to the process to make the customer think that some kind of "processing" was being done. Yeah, it's really that cheap.

  • by King_TJ ( 85913 ) on Wednesday October 18, 2023 @04:56PM (#63935463) Journal

    "23andMe blamed the incident on its customers for reusing passwords, and an opt-in feature called DNA Relatives, which allows users to see the data of other opted-in users whose genetic data matches theirs."

    You know? If 24andMe properly encrypted all of the data? A hacker breaking in wouldn't be able to actually DO anything useful with a database of information they managed to download via a hack.

    It sounds to me like users resetting their passwords and enabling MFA wouldn't do any good, if that's how this was obtained. And I'm finding it a little hard to believe that this many millions of records were just siphoned off one by one, by a hacker successfully logging in as a legitimate customer, grabbing their info, and then maybe grabbing that of some opted-in "DNA relatives" too?

    • The data was being made available to the user on the front end so you can't encrypt fully when in the end its going to be clear text in a browser for a user to see their relatives whom opted in to let people see their info. Any data that wasn't meant to be seen by the authenticated user of course shouldn't be present.
    • by quantaman ( 517394 ) on Wednesday October 18, 2023 @06:29PM (#63935693)

      "23andMe blamed the incident on its customers for reusing passwords, and an opt-in feature called DNA Relatives, which allows users to see the data of other opted-in users whose genetic data matches theirs."

      You know? If 24andMe properly encrypted all of the data? A hacker breaking in wouldn't be able to actually DO anything useful with a database of information they managed to download via a hack.

      It sounds to me like users resetting their passwords and enabling MFA wouldn't do any good, if that's how this was obtained.

      It is was obtained through credential stuffing then the info was obtained by logging into customer accounts, using their username and password, and scraping the info presented there.

      Their servers were not breached and server side data (which probably is properly encrypted) was never stolen.

      Password resets and MFA are exactly how you'd fix this.

      And I'm finding it a little hard to believe that this many millions of records were just siphoned off one by one, by a hacker successfully logging in as a legitimate customer, grabbing their info, and then maybe grabbing that of some opted-in "DNA relatives" too?

      On this part I'm also a little dubious.

      4 million does sound like a lot of accounts to have been compromised through credential stuffing. However, the "DNA relatives" feature might have jacked this number quite a bit, and for a big website 4 million might not be out of line for credential stuffing.

      If it is in fact credential stuffing it's hard to blame 23 and me too much. The only things I think they could have changed are.

      1) Force MFA by default (though as non-financial that may be considered overkill and user nuisance).
      2) This attack was probably coupled with a surge of traffic and failed logins as the hackers started going through their database of credentials. If their admins saw the suspicious pattern they could have pulled a mass reset earlier.

  • This is like "jaywakers" and "litterbugs" (both terms invented by car and plastic industries, respectively) to blame others for their poor practices. I'll bet 23andMe was compromised to get this much data exfiltrated all at once. Slimy bastards.

    • by PPH ( 736903 )

      This is like "jaywakers"

      Not really. The term originated as jay drivers [wikipedia.org] and was only extended to pedestrians later on. It has remained in use (unlike jay driver) because proper vehicular operation was codified into law and explicitly named. Obviating the need for a catch-all term like there still is for unruly pedestrians.

  • Hacker Leaks Millions More 23andMe User Records

    Company renames itself, "Millions and Me" and adjusts its Privacy and Data Sharing policies accordingly.

  • The ambiguous results could result in...someone assuming I am a distant relative.
  • Hackers breaking into these systems and stealing stuff. Someone needs to sue the companies big time for not protecting our sensitive data.
  • It took me about a minute to decide that letting a company have my dna records is a bad idea. Even if they swore on a stack of bibles that they wouldn't do anything naughty with it I wouldn't trust them. Not to mention the FBI would be able to subpoena the data to link me to my victims.

This restaurant was advertising breakfast any time. So I ordered french toast in the renaissance. - Steven Wright, comedian

Working...