The DNA testing company 23andMe is investigating whether a large trove of customer data was stolen from the company after information about the firm’s clients was offered for sale on a cybercrime forum earlier this week.
On Sunday, a post on a popular forum where stolen data is traded and sold claimed to have “the most valuable data you’ll ever see” and posted a link to a sample of what was described as “20 million pieces of data” from 23andMe.
In a statement to CyberScoop on Thursday, 23andMe said it was made aware that “certain 23andMe customer profile information was compiled through unauthorized access to individual 23andMe.com accounts” but that there is no “indication at this time that there has been a data security incident within our systems.”
The company said its preliminary investigation indicated that an attacker may have compiled login credentials leaked from other platforms and then recycled these credentials to access the accounts of 23andMe customers who had used the same username and password combination.
For accounts that had opted in to 23andMe’s “DNA Relatives” service — which allows users to “find and connect with genetic relatives and learn more about your family” — the attacker was able to scrape data associated with potential relatives, company officials told CyberScoop.
The officials said the information obtained may have included users’ display names, profile photos, profile sex, birth year, location, predicted relationship to their match, percent DNA match, number of shared genetic segments, and portions of their genetic ancestry results, including haplogroups, which provide information about ancestry.
The exact scope of the data obtained by the attacker remains unclear, and CyberScoop has not been able to verify the authenticity of the data offered for sale.
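As an added illustration (not code from 23andMe or CyberScoop), the following Python sketch shows two detections a defender could run over login and DNA Relatives access logs for the pattern described above: one source IP attempting many different accounts with mostly failures (recycled credentials), and a single account pulling an outsized number of relative profiles (scraping). The log format, sample events and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth/app events for illustration only (not real 23andMe logs).
# Fields: timestamp, source IP, account, event type, number of relative profiles fetched.
SAMPLE_EVENTS = [
    ("2023-10-01T10:00:01Z", "203.0.113.5", "alice@example.com", "login_ok", 0),
    ("2023-10-01T10:00:09Z", "203.0.113.5", "alice@example.com", "relatives_view", 12),
    ("2023-10-01T10:01:00Z", "198.51.100.7", "bob@example.com", "login_fail", 0),
    ("2023-10-01T10:01:01Z", "198.51.100.7", "carol@example.com", "login_fail", 0),
    ("2023-10-01T10:01:02Z", "198.51.100.7", "dave@example.com", "login_ok", 0),
    ("2023-10-01T10:01:03Z", "198.51.100.7", "erin@example.com", "login_fail", 0),
    ("2023-10-01T10:01:04Z", "198.51.100.7", "frank@example.com", "login_fail", 0),
    ("2023-10-01T10:01:05Z", "198.51.100.7", "grace@example.com", "login_fail", 0),
    ("2023-10-01T10:02:00Z", "198.51.100.7", "dave@example.com", "relatives_view", 1500),
]


def detect_credential_stuffing(events, min_accounts=5, min_fail_ratio=0.5):
    """Return source IPs that tried many distinct accounts with a high failure rate.

    Recycled credential lists produce exactly this shape: one source, many usernames,
    mostly failures, with an occasional success where a password was reused.
    """
    by_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for _, ip, user, event, _ in events:
        if event not in ("login_ok", "login_fail"):
            continue
        stats = by_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        if event == "login_fail":
            stats["fail"] += 1
    return sorted(
        ip for ip, s in by_ip.items()
        if len(s["users"]) >= min_accounts and s["fail"] / s["total"] >= min_fail_ratio
    )


def detect_relative_scraping(events, max_profiles=50):
    """Return accounts whose DNA Relatives views fetched more profiles than a normal user would."""
    fetched = defaultdict(int)
    for _, _, user, event, count in events:
        if event == "relatives_view":
            fetched[user] += count
    return sorted(user for user, total in fetched.items() if total > max_profiles)


if __name__ == "__main__":
    print("suspected credential stuffing from:", detect_credential_stuffing(SAMPLE_EVENTS))
    print("suspected relative scraping by:", detect_relative_scraping(SAMPLE_EVENTS))
```

A compromised account that appears in both lists (logged in from a flagged IP, then bulk-fetched relatives) is the strongest signal to act on.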
After the data was first offered for sale on Sunday, the listing was pulled down. The poster reemerged on Wednesday offering what they described as data on “tailored ethnic groupings, individualized data sets, pinpointed origin estimations, haplogroup details, phenotype information, photographs, links to hundreds of potential relatives, and most crucially, raw data profiles.”
The seller offered the data in 100, 1,000, 10,000 and 100,000-profile batches. The seller claimed in a message to CyberScoop that they had 13 million profiles but did not respond to questions about when or how the data was accessed or whether they’d been in touch with 23andMe.