Genetic testing company 23andMe has been investigating a security incident after hackers advertised a trove of allegedly stolen user data on a hacking forum last week. But the allegedly stolen data may have been circulating for much longer than first known.
TechCrunch has also found that some of the advertised stolen data matches known 23andMe user information.
On August 11, a hacker on a known cybercrime forum called Hydra advertised a set of 23andMe user data that matches some of the data leaked last week on another hacking forum called BreachForums.
The hacker claimed in the earlier post on Hydra to have 300 terabytes of stolen 23andMe user data, and said they contacted 23andMe, “but instead of taking the matter seriously, they asked irrelevant questions.” The hacker asked for $50 million for the data, and claimed they would only sell it once, but also offered to sell only a subset of data for between $1,000 and $10,000.
But at least one person saw the Hydra post and publicized it on the open internet long before news of the leak was reported last week. On the same day as the Hydra forum post, a Reddit user wrote on the 23andMe unofficial subreddit, alerting other users of the alleged breach.
In the Hydra post, the hacker shared the alleged genetic data of a senior Silicon Valley executive, which contained the same user profile and genetic data found in one of the datasets advertised last week on BreachForums, though the two datasets are structured differently. The datasets advertised on BreachForums allegedly contain one million 23andMe users of Jewish Ashkenazi descent and 100,000 23andMe Chinese users.
23andMe has repeatedly declined to confirm whether the leaked data is legitimate. The company declined to answer a series of questions for this story, including whether it was aware of this hacking forum post from two months ago.
Katie Watson, 23andMe’s spokesperson, told TechCrunch that “this matter is the subject of an ongoing investigation. We cannot comment further at this time.”
TechCrunch analyzed some of the allegedly stolen data by comparing it to known public genealogy records, such as those published online by hobbyists and genealogists. TechCrunch found several dozen records in the allegedly stolen data that match the same user profile and genetic information found in public genealogy records. This appears consistent with 23andMe’s statement that the stolen data was obtained from “certain accounts” by credential stuffing, a common hacking technique in which an attacker replays username and password pairs that were leaked from one service against the login page of another, in the hope that the victim re-used the same password on both.
Essentially, 23andMe is blaming users for re-using passwords, and saying the leak was caused by hackers getting into those users’ accounts and then scraping their data, including data about the victims’ DNA relatives.
The company has also pointed to a specific feature that may explain how hackers amassed so much data from a comparatively small number of compromised accounts. 23andMe has an opt-in feature called DNA Relatives, which allows users to appear in the accounts of other users who have also opted in to the feature. Each account the hackers got into therefore exposed not only that user’s own profile but also the profile data of every opted-in relative visible from it.
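The two stages described above, a credential-stuffing run followed by bulk scraping of opted-in relatives through the compromised accounts, both leave a recognisable shape in ordinary authentication and API logs. The following is an added example written for this page, not 23andMe’s code or anything from the leaked data: it runs two heuristics over a constructed log (the IP addresses, account names, relative IDs, log format and thresholds are all assumptions). The first heuristic flags a source IP that attempts many distinct accounts with a low success ratio, which is what a replayed leaked credential list looks like; the second flags an account that fetches an unusually large number of distinct relative profiles, which is the scraping that turns one compromised login into many victims.

```python
from collections import defaultdict

# Constructed log lines (not real traffic), one record per line:
#   "<ts> <client_ip> <event> <account> <target> <status>"
# LOGIN: target is "-"; status 200 = success, 401 = wrong password.
# RELATIVE_VIEW: an authenticated account fetched one opted-in relative's
# profile; target is the (hypothetical) relative profile id.
_LINES = [
    # A stuffing run: one IP walks a leaked list of ten accounts, gets into two.
    "2023-10-01T10:00:01Z 203.0.113.7 LOGIN alice@example.com - 401",
    "2023-10-01T10:00:01Z 203.0.113.7 LOGIN bob@example.com - 401",
    "2023-10-01T10:00:02Z 203.0.113.7 LOGIN carol@example.com - 200",
    "2023-10-01T10:00:02Z 203.0.113.7 LOGIN dave@example.com - 401",
    "2023-10-01T10:00:03Z 203.0.113.7 LOGIN erin@example.com - 401",
    "2023-10-01T10:00:03Z 203.0.113.7 LOGIN frank@example.com - 401",
    "2023-10-01T10:00:04Z 203.0.113.7 LOGIN grace@example.com - 200",
    "2023-10-01T10:00:04Z 203.0.113.7 LOGIN heidi@example.com - 401",
    "2023-10-01T10:00:05Z 203.0.113.7 LOGIN ivan@example.com - 401",
    "2023-10-01T10:00:05Z 203.0.113.7 LOGIN judy@example.com - 401",
    # A legitimate user mistyping once, then logging in from a home connection.
    "2023-10-01T10:01:00Z 198.51.100.9 LOGIN dave@example.com - 401",
    "2023-10-01T10:01:05Z 198.51.100.9 LOGIN dave@example.com - 200",
]
# The compromised account is then used to pull 60 relative profiles in a minute.
_LINES += [
    f"2023-10-01T10:02:{i:02d}Z 203.0.113.7 RELATIVE_VIEW carol@example.com r{1000 + i} 200"
    for i in range(60)
]
# The legitimate user browses a handful of relatives.
_LINES += [
    f"2023-10-01T11:00:{i:02d}Z 198.51.100.9 RELATIVE_VIEW dave@example.com r{2000 + i} 200"
    for i in range(4)
]
SAMPLE_LOG = "\n".join(_LINES)


def parse(log):
    """Yield one dict per non-empty log line in the constructed format above."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, event, account, target, status = line.split()
        yield {"ts": ts, "ip": ip, "event": event,
               "account": account, "target": target, "status": int(status)}


def detect_credential_stuffing(records, min_accounts=8, max_success_ratio=0.3):
    """Flag source IPs that try many distinct accounts and mostly fail.

    A real user fat-fingers one or two accounts; a replayed leaked list touches
    many accounts and succeeds only on the fraction that re-used a password.
    Returns {ip: {accounts_tried, compromised, success_ratio}}.
    """
    attempts = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN":
            attempts[r["ip"]].append(r)
    findings = {}
    for ip, rs in attempts.items():
        accounts = {r["account"] for r in rs}
        hits = sorted({r["account"] for r in rs if r["status"] == 200})
        ratio = sum(1 for r in rs if r["status"] == 200) / len(rs)
        if len(accounts) >= min_accounts and ratio <= max_success_ratio:
            findings[ip] = {"accounts_tried": len(accounts),
                            "compromised": hits,
                            "success_ratio": round(ratio, 2)}
    return findings


def detect_relative_scraping(records, max_profiles=25):
    """Flag accounts that fetch more distinct relative profiles than a person
    would plausibly browse by hand. Returns {account: distinct_profiles}."""
    views = defaultdict(set)
    for r in records:
        if r["event"] == "RELATIVE_VIEW" and r["status"] == 200:
            views[r["account"]].add(r["target"])
    return {a: len(t) for a, t in views.items() if len(t) > max_profiles}


def analyze(log=SAMPLE_LOG):
    """Run both heuristics over a log and return their findings together."""
    records = list(parse(log))
    return {"stuffing": detect_credential_stuffing(records),
            "scraping": detect_relative_scraping(records)}


if __name__ == "__main__":
    for kind, hits in analyze().items():
        print(kind, hits)
```

Two caveats a practitioner would add. The per-IP threshold only catches a careless attacker; a stuffing campaign spread across a residential proxy pool will stay under `min_accounts` on every single address, so the same counting should also be done globally (failed logins across distinct accounts per minute against a baseline) and per account (one username hit from many addresses). And the scraping heuristic works because the relative-profile fetch is logged per target; if the application returns all relatives in one list response, the signal moves to response size and pagination depth instead of request count.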
It’s unclear if all the advertised data is legitimate, or how much legitimate data hackers actually possess. It’s not uncommon for hackers to exaggerate what data they have in order to increase the chance of selling it on hacking forums.
In the meantime, 23andMe has prompted all users to reset their passwords, and encouraged them to turn on multi-factor authentication. TechCrunch spoke to two 23andMe users, one who received the password reset email, and one who didn’t. The latter was, however, forced to change their password when they went to log into their 23andMe account.