California-based genetic testing company 23andMe has confirmed that the personal information of its customers, which was recently put up for sale on the black market, is indeed legitimate. However, the company maintains that its systems were not hacked. In a statement released on Friday, 23andMe said, “Following a claim that someone had gained access to and is selling certain 23andMe customer data, we conducted an investigation. We have not identified any unauthorized access to our systems. We will continue to monitor the situation.”
While the company’s physical servers may not have been compromised, it appears that the “threat actors” responsible for the data breach used recycled login credentials obtained from other online platforms to access some accounts, according to IT security outlet BleepingComputer. The compromised accounts were specifically those that had opted into 23andMe’s “DNA Relatives” feature. Through that feature, the hackers were able to scrape the data of the relative matches of each compromised account.
The first indication of trouble came on Monday when a hacker advertised “one million” lines of data related to Ashkenazi Jews. Two days later, the hacker began offering to sell data profiles in bulk, charging anywhere from $1 to $10 per account. The stolen data included full names, usernames, profile photos, birth dates, locations, and genetic ancestry results. This sensitive information could be exploited by identity thieves and other malicious actors.
To mitigate the risks, 23andMe has urged its users to enable two-factor authentication, avoid reusing passwords, and reset their passwords if they suspect their data may be at risk.
23andMe is a major player in the genetic testing market, offering a range of services that includes discovering one’s ancestry and identifying genes associated with hereditary diseases and serious health conditions. The company’s name refers to the number of chromosome pairs in a diploid human cell.
Notably, in 2018, 23andMe formed a partnership with pharmaceutical giant GlaxoSmithKline. As part of the agreement, the company allowed GlaxoSmithKline to utilize the test results of five million customers to develop new medications, in exchange for a $300 million investment. This arrangement was extended through July 2023, with an additional investment of $50 million.
The recent data breach incident raises concerns about the security of sensitive personal information in the hands of genetic testing companies. It serves as a reminder for users to exercise caution when sharing their personal data online and to be vigilant about protecting their accounts and passwords.