TrollEye Security

4.1 Million More Genetic Records Leaked From 23andMe

In a chilling revelation, an additional 4.1 million stolen 23andMe genetic data profiles of individuals from Great Britain and Germany have been leaked on a hacking forum. This follows a preceding leak earlier this month, where data of 1 million Ashkenazi Jews was compromised by threat actors. These individuals had utilized 23andMe services to trace their ancestry and assess genetic predispositions. The breach has not only violated the privacy of millions but also ignited a series of lawsuits, underscoring the exigent need for bolstered data security.

The Genesis of the Breach

23andMe disclosed that the data pilferage was orchestrated through credential stuffing attacks, targeting accounts with weak passwords or credentials previously exposed in unrelated data breaches. Notably, the company asserted the absence of a security incident within its IT infrastructure. Despite these assurances, the reality remains that a vast amount of sensitive genetic data has found its way into the wrong hands.

What exacerbates the breach’s magnitude is the ‘DNA Relatives’ feature, opted into by a limited number of accounts. This feature became the gateway for the threat actor to scrape data on millions of individuals, amplifying the impact of the breach manifold.

An Escalating Threat

In a recent development, a threat actor going by the alias ‘Golem’, purportedly the mastermind behind the 23andMe attacks, leaked an additional 4.1 million data profiles on the BreachForums hacking forum. This leak includes a staggering 4,011,607 lines of 23andMe data pertaining to individuals residing in Great Britain. Following this, another CSV file containing the data of 139,172 individuals from Germany was released.

Golem brazenly claimed the stolen dataset includes genetic information on notable figures such as the royal family, the Rothschilds, and the Rockefellers, although this claim remains unverified. The threat actor boasted about having “hundreds of TBs of data,” indicating a vast reservoir of stolen information, poised for potential future leaks.

Verifying the Veracity

A portion of the newly leaked British data has been verified, confirming its authenticity. Previously, some of the 23andMe data was reportedly up for sale on the now-defunct Hydra hacking forum in August 2023. The threat actor had then claimed possession of 300 terabytes of stolen data, a claim that echoes Golem’s recent assertions on BreachForums.

Legal Repercussions and Future Anticipations

The data leaks have spurred a slew of lawsuits against 23andMe, with claimants alleging inadequate information dissemination regarding the breach and insufficient measures to protect customer data. The litigation landscape is likely to become more convoluted as additional data leaks potentially surface.

It is becoming increasingly clear that organizations cannot survive without extensive cybersecurity measures.