TrollEye Security

23andMe Data Leak Targets Ashkenazi Jews

Details of The Story

In a disturbing development, a large amount of data from the genetic testing service, 23andMe, has been compromised and circulated on the dark web. What appears to be a meticulous campaign targeting individuals of Ashkenazi Jewish descent has now come to light, with close to a million users’ sensitive data exposed.

The database on the dark web, titled “Ashkenazi DNA Data of Celebrities,” contains information on around 999,999 individuals who have apparently used 23andMe’s service. While it claims to expose celebrities, the majority are regular users. What binds them together is their Ashkenazi lineage.

Included in the leak are names, gender, and 23andMe’s evaluations of their genetic heritage. This breach has raised alarms, with some wondering what Hitler could have done if he had information like this.

23andMe’s preliminary investigations suggest this isn’t a case of the company’s systems being directly hacked. Rather, the perpetrators may have logged in with user passwords leaked from other sites, then exploited a 23andMe feature that gives users broad access to each other’s genetic data. The data seems to have been scraped from users who had opted in to the platform’s ‘DNA Relatives’ feature, emphasizing the unintended privacy consequences of such choices.

Interestingly, the cyberattack seems to be part of a broader sale campaign. A cybercriminal had offered data in bulk, priced from $1 to $10 per 23andMe account depending on purchase volume. While 23andMe has not identified an internal data security breach, it has acknowledged that the login credentials used in these access attempts likely came from external data leaks.

The data leak exposes users to potential cyber threats, extortion attempts, and identity theft. Genetic information is especially sensitive; once it’s out, it’s virtually impossible to change or retract.

To prevent such breaches in the future, users are advised against password reuse, a common pitfall. Employing strong, unique passwords for each online account is paramount. Additionally, 23andMe offers two-factor authentication, a security measure every user should activate.

This breach is a clear warning sign to organizations to prioritize the security and integrity of personal data. Organizations like 23andMe must view cybersecurity as a continuous process, adopting proactive solutions such as Penetration Testing as a Service (PTaaS) to identify vulnerabilities on a continual basis. Until organizations take security seriously, these breaches will continue to happen.
