The credential stuffing attack revealed in October 2023 lasted from 29 April to 27 September, with millions of accounts compromised.
More details have come to light regarding an October credential stuffing attack that exposed the personal information of millions of 23andMe customers online.
The genetic testing company has revealed more details of the hack in a letter sent to its customers and seen by Bleeping Computer.
The data was originally posted on a popular clear-web hacking forum, in a post noting that the data belonged to at least 1 million individuals with an Ashkenazi Jewish background. A further 4 million users in the United Kingdom also had their data compromised in the attack.
“Our investigation determined that a threat actor accessed certain information about your ancestry that you chose to share in our Family Tree profile, specifically your display name, relationship labels, and percentage DNA you share with the credential stuffed account holder through which your information was accessed,” 23andMe said in its customer letter.
The compromised data was also posted for sale on the 23andMe subreddit and on at least one other hacking forum.
“We have identified other websites where the DNAR Profile File has been re-posted,” 23andMe said. “23andMe is taking steps to have the re-posted DNAR Profile File removed from other websites.”
The DNAR Profile File contains “customers’ DNA Relatives profile information”.
Initial access to 23andMe’s records was gained using login details that had previously been exposed online; each compromised account then gave the attacker access to the other accounts it was linked to, and the data was scraped from each of those in turn.
23andMe still maintains that only customer accounts were compromised in this manner; no internal networks were affected, and these remain secure.
Since the initial breach, 23andMe has forced all customers to reset their passwords, and the company has engaged “third-party security experts” to assist with investigations into the incident. On 6 November 2023, the company also required all new and existing users to set up multifactor authentication.
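Neither the article nor 23andMe describes the detection logic involved, so the following is an added example (not 23andMe’s code) of how a defender could spot the two behaviours the article describes over an authentication log: one source trying many distinct accounts with a low success rate (credential stuffing), and one logged-in account enumerating an unusual number of linked relative profiles (scraping). The log format, field names, IP addresses, account names and thresholds are all constructed assumptions of this example; the output is the list of accounts that should be force-reset, which is the control the article says 23andMe applied.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real telemetry). One event per line:
#   timestamp event source_ip account detail
# where detail is the login outcome (OK/FAIL) or the relative profile viewed.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z login 198.51.100.7 user01@example.test FAIL
2023-05-01T10:00:02Z login 198.51.100.7 user02@example.test FAIL
2023-05-01T10:00:03Z login 198.51.100.7 user03@example.test FAIL
2023-05-01T10:00:04Z login 198.51.100.7 user04@example.test OK
2023-05-01T10:00:05Z login 198.51.100.7 user05@example.test FAIL
2023-05-01T10:00:06Z login 198.51.100.7 user06@example.test FAIL
2023-05-01T10:00:07Z login 198.51.100.7 user07@example.test OK
2023-05-01T10:01:00Z login 203.0.113.5 user04@example.test FAIL
2023-05-01T10:01:05Z login 203.0.113.5 user04@example.test OK
""" + "".join(
    # the stuffed account user04 is then used to walk 25 distinct relative profiles
    f"2023-05-01T10:02:{i:02d}Z relative_view 198.51.100.7 user04@example.test rel-{i:04d}\n"
    for i in range(25)
) + "2023-05-01T10:03:00Z relative_view 203.0.113.5 user09@example.test rel-0101\n"


@dataclass(frozen=True)
class Event:
    ts: str
    kind: str      # "login" or "relative_view"
    src_ip: str
    account: str
    detail: str    # login outcome (OK/FAIL) or viewed relative profile id


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated log format assumed above."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        events.append(Event(*parts))
    return events


def detect_stuffing(events, min_accounts=5, max_success_ratio=0.5):
    """Flag source IPs that attempted many distinct accounts with mostly failures.

    Credential stuffing looks different from password guessing: roughly one
    attempt per account across many accounts, and only the reused passwords
    succeed. Returns {src_ip: sorted accounts that logged in OK from it}.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ok": set()})
    for e in events:
        if e.kind != "login":
            continue
        stats = per_ip[e.src_ip]
        stats["accounts"].add(e.account)
        stats["attempts"] += 1
        if e.detail == "OK":
            stats["ok"].add(e.account)
    flagged = {}
    for ip, stats in per_ip.items():
        if len(stats["accounts"]) < min_accounts:
            continue
        if len(stats["ok"]) / stats["attempts"] <= max_success_ratio:
            flagged[ip] = sorted(stats["ok"])
    return flagged


def detect_scraping(events, max_distinct_relatives=10):
    """Flag accounts that viewed more distinct relative profiles than a normal
    user would: one stuffed account enumerating the accounts linked to it.
    Returns {account: number of distinct relatives viewed}."""
    viewed = defaultdict(set)
    for e in events:
        if e.kind == "relative_view":
            viewed[e.account].add(e.detail)
    return {acct: len(rels) for acct, rels in viewed.items()
            if len(rels) > max_distinct_relatives}


def accounts_to_reset(events):
    """Accounts that logged in successfully from a stuffing source, plus any
    account used for bulk relative enumeration: candidates for a forced
    password reset and session revocation."""
    to_reset = set()
    for accts in detect_stuffing(events).values():
        to_reset.update(accts)
    to_reset.update(detect_scraping(events))
    return sorted(to_reset)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_stuffing(evs))
    print("scraping accounts:", detect_scraping(evs))
    print("reset candidates:", accounts_to_reset(evs))
```

On the constructed log, the first source is flagged as stuffing (seven distinct accounts, two successes) while the second is not (one user who mistyped their own password once), and only the account that went on to enumerate relatives is flagged for scraping. Thresholds should be tuned against a baseline of normal behaviour for the service; the per-account relative-view count is the signal that catches the linked-account scraping even when the login itself looks legitimate.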
“While we continue our investigation, we have also temporarily paused certain functionality within the 23andMe platform,” 23andMe said. “We are also taking steps to have the re-posted DNAR Profile File removed from other websites.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.