From early August through October, genetics testing firm 23andme and its users were subject to dark web posts regarding millions of user profiles and genetic data records that cybercriminals leaked or breached. Threat actors have advertised various collections of the data records from the leaks for sale.
According to BleepingComputer, and based on input from 23andme, the threat actor accessed some of the company’s user accounts through credential stuffing and then scraped the data of their DNA Relative matches. According to 23andme, the DNA Relatives feature lets participants connect with genetic relatives. It identifies relatives and recent common ancestors through DNA comparisons between participants; then, users can download their data.
According to the 23andme blog, the company believes criminals injected reused credentials from other breaches to gain access to its users’ accounts. According to the same post, 23andme does not have any indication of a data security incident within its systems, or that it was the source of the account credentials used in these attacks.
According to a DarkOwl blog, on August 11, a user with the alias Dazhbog claimed on the Hydra dark web market to have 10 million DNA records from 23andme for sale. The poster said they had more than 300TB of data, which they would sell for $50 million. DarkOwl is a darknet intelligence provider.
According to the DarkOwl blog, Dazhbog claimed the theft of the 23andme user data came through an API service pharmaceutical companies used. Posting again on August 14, Dazhbog claimed to have sold all the data to an Iranian individual. Dazhbog made no further posts.
There is an apparent contradiction between reports from TechCrunch and DarkOwl that Hydra Market was active in August and the BBC News report that law enforcement shut the Hydra Market down in April. However, according to the BBC story, law enforcement feared this wouldn’t end the Hydra cybercrime group; unless they could find and arrest them, they would probably try to build a new platform.
According to the TechCrunch article and based on its analysis, the data set from the August 11 Hydra post matched some user records leaked the first week of October.
On October 2, a threat actor using the alias Addka72424 posted a link to a database on the BreachForums dark web market, according to the BleepingComputer article. The database purportedly contained a million user profiles of Ashkenazi people from the genetic testing firm 23andme. Addka72424 said the link came from an earlier post by the user Golem.
According to a RecordedFuture post, on October 3, user Golem posted a database of 7 million 23andme user files to the BreachForums site. The posted database links had 300,000 records of people of Chinese ethnicity, and another million of Ashkenazi descent.
According to the BleepingComputer article, in a post dated October 4, the BreachForums poster Golem claimed to have data including “tailored ethnic groupings, individualized data sets, pinpointed origin estimations, haplogroup details, phenotype information, photographs, links to hundreds of potential relatives, and most crucially, raw data profiles.” A 23andme spokesperson confirmed the validity of the data, according to the BleepingComputer article.
Threat actors downloading or purchasing the stolen data could target ethnic groups with hate-based fraud, phishing, scams, identity theft, or worse, according to dark web expert Luke Rodeheffer, a Certified Information Systems Security Professional (CISSP) and founder and CEO of AlphaCentauri Cyber, a cyber threat intelligence and dark web investigations firm.
According to TechCrunch, the threat actor Golem posted 4.1 million additional data profiles on October 17. According to BleepingComputer, the new BreachForums post contained records that include people in Great Britain and Germany. According to the DailyMail, the threat actor targeted the U.K. and Germany for supporting Israel.
On November 2, in response to a request for comment, Andy Kill, 23andme communications director, repeated statements from the company’s disclosure on its blog.
In the same 23andme blog about the leaked data, the firm said that users should use two-factor authentication and not reuse passwords from other sites. The genetic testing firm continues to affirm it was not the subject of a data breach and that there was no internal system or security issue.
According to attorney Alessandra Messing, a 23andme consumer affected by the breach, 23andme has not taken the level of responsibility it should, given the sensitive nature of the information it collects and analyzes.
“It is a little tone-deaf to have had this breach take place, and then kind of shift responsibility to consumers and not take responsibility or have any level of accountability,” Messing said.
In a letter dated October 20 and available on Senate.gov, Senator Bill Cassidy (LA-R), a ranking member of the Senate Health, Education, Labor, and Pensions Committee and a physician, questioned 23andme CEO Anne Wojcicki regarding the breach, asking her to respond by November 3.
The senator’s questions referenced the data leak of 1.3 million Ashkenazi and Chinese customers, affirming that 23andme had not provided a date or details about when criminal hackers first exploited a vulnerability in its systems. The senator noted the leak came at a time when there is growing global antisemitism and anti-Asian hate, and criminals can get higher prices for the information and increase the threat from potential evildoers. Cassidy followed up with 11 questions for 23andme about how it protected user information and how the breach was possible.
There are at least 16 proposed U.S. class action suits against 23andme as a result of the breach, according to HealthcareInfoSecurity. In the class action suit Tulchinsky v. 23andme, inc., attorneys from Reese LLP state that the complaint was brought against 23andme for failing to secure and safeguard the personally identifiable information (PII) of the plaintiff and the members of the class stored within the defendant’s information network.
“Genetics testing firm 23andme has a legal obligation to safeguard the data under HIPAA, the CCPA, GDPR, and other regulations. It has a legal obligation to disclose to investors regarding incidents and risks that could affect the viability of their investments,” said Paul Valente, CEO and co-founder of VISO TRUST, an AI-powered third-party cyber risk management company.
“Large-scale password attacks, such as stuffing and spraying, are nothing new; they have been commonplace for almost a decade. For any qualified security team, such attacks are neither unanticipated nor undetectable,” said Valente. “While it’s easy to blame the compromise of a handful of accounts on password reuse and subsequent compromise, exposing millions of accounts to password stuffing would be a clear sign of potential negligence.”
According to Adhiran Thirmal, senior solutions engineer at Security Compass, a secure software design firm, ultimately, whether a company is liable for using internal cybersecurity measures that protect data regardless of whether consumers reuse passwords is a question that the courts must decide on a case-by-case basis.
No one has confirmed whether the credentials that threat actors stuffed at 23andme came from breaches at other organizations.
Regarding the class action suit, per the docket via https://dockets.justia.com/docket/california/candce/5:2023cv05369/419693, the case was filed on October 19, 2023 in the U.S. District Court for the Northern District of California. The presiding judge is Susan van Keulen. On October 20, the court issued a summons to 23andme, Inc.
A case management statement is due by January 16, 2024, and an initial case management conference is set for January 23.
David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
Join the Discussion (0)
Become a Member or Sign In to Post a Comment