23andMe, the company that is known for providing a direct-to-consumer genetic testing service in which customers provide a saliva sample to be analyzed, has been hacked.
The personal genomics and biotechnology company based in California, confirmed that it's aware of its user data being circulated on hacker forums.
At first, the hackers released 1 million lines of sample data belonging to Ashkenazi Jews people and hundreds of thousands of users of Chinese descent of the platform. But later, on October 4, the hackers offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.
Because 23andMe deals with sensitive user information, the leaked data includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and also geographical location.
A 23andMe spokesperson confirmed the data is legitimate.

The company blames the leak to credential-stuffing attack.
A spokesperson for the company explained that the threat actors were using previously exposed credentials that came from other breaches. The hackers gathered existing leaked credentials to access 23andMe accounts and steal the sensitive data.
"We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts," stated 23andMe's spokesperson
"We do not have any indication at this time that there has been a data security incident within our systems."
"Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials."
It's worth noting that the number of accounts sold by the hackers doesn't really reflect the number of 23andMe accounts breached using exposed credentials.
This happened because the hackers only managed to compromise accounts that had opted into the platform's 'DNA Relatives' feature, which allows users to find genetic relatives and connect with them.
The hackers accessed a number of 23andMe accounts, and then scraped the data of their DNA Relative matches.


While the data the hackers stole may not be useful for fueling future credential-stuffings attacks, but this data that is contained within is indeed sensitive to some people.
However, it's worth noting that the information does not appear to include actual, raw genetic data.
For example, details can include genetic ancestry results, like that someone is, "broadly European" or "broadly Arabian" descent.
But it can be significant, since the threat actors claimed that the data includes those belonging to "celebrities."
For example, entries for technologists include big names like Mark Zuckerberg and Sergey Brin.
23andMe said that the platform offers two-factor authentication as an additional account protection measure, and users should enable it.
The company also said that users should refrain from using weak passwords, and reusing passwords.
23andMe was founded by Anne Wojcicki, an entrepreneur, and the sister of Susan Wojcicki, CEO of YouTube who resigned in February 2023.













































































































































































































































































































































































