23andMe acknowledged this week that user data from its genetic testing and analysis platform has been circulating on dark web forums after what it says was a credential stuffing attack. according beepcomputer. The outlet wrote that a hacker reportedly leaked what he said was “1 million lines of data” to Ashkenazi Jews before saying he would sell the data he had stolen for between $1 and $10 per account. The data includes usernames, profile photos, genetic ancestry results, date of birth, and geographic location.
In a statement provided to beepcomputer, the company confirmed that the data is legitimate, but says that the attackers had not breached its internal systems. According to the company, “preliminary results from this investigation suggest that the login credentials used in these access attempts may have been collected by a threat actor from data leaked during incidents involving other online platforms where users have recycled the login credentials.” beepcomputer reports that while the initial attack was based on passwords shared with accounts from previously compromised services, much of the leaked data was extracted from additional accounts using one of 23andMe’s own features, called ‘DNA Relatives’.
There may be up to 7 million accounts for sale, PCMag reported on Wednesday, citing a Dark Web Informer post who shared screenshots of another now-deleted hacker forum post. That’s about half of the total number of users on the 23andMe platform. According ArsTechnica, The hackers claimed that 23andMe’s CEO was aware of the leaked data two months earlier, but did not disclose the incident.