Back in 2018, a website called MyHeritage was hacked, and even though “only” usernames and passwords of its 92 million customers were stolen at the time, we considered the nightmare scenario of DNA information on 92 million people being stolen. Five years later, that nightmare has been (sorta) realized as DNA testing firm 23andMe confirmed that hackers have breached and exposed an undisclosed number of customer records that include broad genetic data, phenotypes, health information, photos and other personal identification data.
What this means for you
While 23andMe’s own statement is fairly vague and details are “pending investigation”, the hackers who have put the data up for sale on the dark web claim to have 13 million records, and also accuse the company management of hiding the breach and capitalizing on the timing of the announcement to sell company stock ahead of an anticipated market blowback in response to the Oct 6 announcement of the breach. As of now, the company has not responded to these accusations, and so far the hackers’ claims haven’t been verified. Clearly, if you have used 23andMe any time before Oct 6, you may want to pay close attention to their ongoing efforts. On top of this dystopic news, it also appears that the hackers are packaging the data for sale based around ethnic groups, such as a 1M-record set of Ashkenazi Jews and another database of 300k Chinese users. As part of the dark web marketing hype pimping the sale, the hackers claim that the datasets include celebrities, business magnates and “dynasties often whispered about in conspiracy theories,” whatever that’s supposed to mean.
More importantly, it seems that the hackers managed to amass this data through an attack known as credential stuffing, whereby they used “recycled passwords” that were compromised in other breaches, and – surprise, surprise! – they also worked on 23andMe. You know what I’m driving at: people re-used passwords, and since most websites now use email addresses as the login, recycled passwords led to yet another data breach, and this time it has exposed what might be considered the most sensitive of data.
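For the defenders reading, credential stuffing has a recognizable shape in login logs: one source tries many different accounts in a short time and mostly fails. The sketch below is an added example, not code from 23andMe or the original post; the log records, thresholds and function name are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, account email, login succeeded)
SAMPLE_EVENTS = [
    ("2024-01-01T12:00:01", "203.0.113.7", "alice@example.com", False),
    ("2024-01-01T12:00:03", "203.0.113.7", "bob@example.com", False),
    ("2024-01-01T12:00:05", "203.0.113.7", "carol@example.com", True),
    ("2024-01-01T12:00:08", "203.0.113.7", "dave@example.com", False),
    ("2024-01-01T12:00:10", "203.0.113.7", "erin@example.com", False),
    ("2024-01-01T12:00:12", "203.0.113.7", "frank@example.com", False),
    # A real user mistyping a password: several failures, but a single account.
    ("2024-01-01T12:01:00", "198.51.100.20", "gina@example.com", False),
    ("2024-01-01T12:01:20", "198.51.100.20", "gina@example.com", False),
    ("2024-01-01T12:01:45", "198.51.100.20", "gina@example.com", True),
    ("2024-01-01T12:02:00", "192.0.2.44", "henry@example.com", True),
]

def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_rate=0.3):
    """Flag IPs that try many distinct accounts in one window and mostly fail.

    Thresholds are illustrative assumptions, not tuned values.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), account.lower(), ok))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r[0])
        start, worst = 0, 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than `window` of time.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {a for _, a, _ in span}
            rate = sum(ok for _, _, ok in span) / len(span)
            if len(accounts) >= min_accounts and rate <= max_success_rate:
                worst = max(worst, len(accounts))
        if worst:
            # Any account this source logged in to needs a forced reset.
            hit = sorted({a for _, a, ok in rows if ok})
            findings[ip] = {"accounts_tried": worst, "compromised": hit}
    return findings

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

Counting distinct accounts per source, rather than raw failures, is what separates this pattern from a single user fumbling their own password.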