4.1 million stolen 23andMe genetic data profiles for individuals in Great Britain and Germany have been released by a hacker on a hacking forum.
Earlier this month, a malicious actor exposed the data of 1 million Ashkenazi Jews who had used 23andMe services to explore their ancestral heritage and genetic predispositions.
23andMe confirmed to that this data was acquired through credential stuffing attacks targeting accounts with weak passwords or credentials exposed in previous data breaches. The company reports that no proof of a security breach exists within their IT systems.
A limited number of accounts were compromised, but these users had opted for the 'DNA Relatives' feature, which enabled the threat actor to scrape data from millions of individuals.
Furthermore, an additional 4.1 million data profiles have been disclosed. Yesterday, an individual known as 'Golem,' purportedly responsible for the 23andMe breaches, released these profiles on the BreachForums hacking forum.
Within this new release, there are 4,011,607 data entries for individuals residing in Great Britain. The threat actors allege that the stolen data includes genetic information related to the royal family, the Rothschilds, and the Rockefellers.
The hackers stated in a forum post, "You can find prominent individuals residing in the US and Western Europe within this list."
Yesterday, the same hacker shared an additional CSV file containing the genetic data of 139,172 individuals living in Germany.
It’s been reported that some of the recently leaked data from Great Britain has been cross-referenced and found to correspond with known public user and genetic information.
Some of the leaked 23andMe data was previously offered for sale in August 2023 on the now-defunct Hydra hacking forum. The threat actor had claimed to have acquired 300 terabytes of data at that time.
The individual behind the BreachForums posting also asserts ownership of "hundreds of terabytes of data," strongly suggesting that this comprises the same stolen data.
Given the volume of allegedly stolen information, it is probable that we will witness additional data disclosures as the threat actor endeavours to generate adequate interest among potential buyers.
Despite 23andMe's assertion that only a small fraction of customer accounts were compromised, the inclusion of the DNA Relatives feature significantly amplified the scope of this data leak.
These breaches have already resulted in numerous lawsuits against 23andMe, alleging a lack of transparency regarding the breach and a failure to adequately safeguard customers' data.
