
23andMe Confirms Attackers Stole Raw Genotype Data in Massive Breach Months Ago

In a massive data security breach, 23andMe, a prominent direct-to-consumer genetic testing service, has confirmed that attackers successfully stole raw genotype data from millions of users several months ago. The company has notified affected users that the compromised information includes genotype data, health reports, and other sensitive details.

The breach, lasting for five months from late April 2023 through September 2023, resulted from a credential-stuffing attack rather than a direct intrusion into 23andMe's systems. The attackers exploited reused passwords, gaining unauthorized access to user accounts. According to the breach notification sent to impacted individuals, the threat actor capitalized on the fact that users employed the same login credentials on 23andMe.com as on other websites that had been previously compromised.
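The pattern described above leaves a recognizable trace in authentication logs: one source tries many distinct accounts and only a few logins succeed. The following detection sketch is an added example, not 23andMe's code; the event format, thresholds, IP addresses and usernames are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth events: (timestamp, source_ip, username, success).
# IPs come from documentation ranges; usernames are made up.
EVENTS = [
    # One source walking a list of leaked credentials.
    ("2023-05-01T10:00:01", "203.0.113.7", "alice", False),
    ("2023-05-01T10:00:03", "203.0.113.7", "bob", False),
    ("2023-05-01T10:00:05", "203.0.113.7", "carol", True),
    ("2023-05-01T10:00:08", "203.0.113.7", "dave", False),
    ("2023-05-01T10:00:11", "203.0.113.7", "erin", False),
    ("2023-05-01T10:00:13", "203.0.113.7", "frank", False),
    # One user mistyping a password: several failures, a single account.
    ("2023-05-01T10:02:00", "198.51.100.20", "grace", False),
    ("2023-05-01T10:02:10", "198.51.100.20", "grace", False),
    ("2023-05-01T10:02:25", "198.51.100.20", "grace", True),
    # Shared NAT (office or household): several accounts, all succeed.
    ("2023-05-01T10:05:00", "192.0.2.44", "heidi", True),
    ("2023-05-01T10:05:30", "192.0.2.44", "ivan", True),
    ("2023-05-01T10:06:00", "192.0.2.44", "judy", True),
    ("2023-05-01T10:06:30", "192.0.2.44", "mallory", True),
    ("2023-05-01T10:07:00", "192.0.2.44", "niaj", True),
]


def find_stuffing_sources(events, min_accounts=5, max_success_ratio=0.25):
    """Return {source_ip: [accounts logged into]} for stuffing-like sources."""
    tried = defaultdict(set)      # source -> distinct usernames attempted
    succeeded = defaultdict(set)  # source -> usernames with a successful login
    for _ts, src, user, ok in events:
        tried[src].add(user)
        if ok:
            succeeded[src].add(user)
    flagged = {}
    for src, users in tried.items():
        ratio = len(succeeded[src]) / len(users)
        # Signature: many distinct accounts from one source, few succeed.
        if len(users) >= min_accounts and ratio <= max_success_ratio:
            # The successes are accounts whose reused password matched:
            # candidates for session revocation and a forced reset.
            flagged[src] = sorted(succeeded[src])
    return flagged


if __name__ == "__main__":
    print(find_stuffing_sources(EVENTS))
```

The sketch counts over the whole sample rather than a time window, and distributed attacks spread attempts across many sources, so the same counting is usually repeated per network block or device fingerprint.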

The investigation conducted by 23andMe revealed that the attackers were able to access users' uninterrupted raw genotype data and other sensitive information, including health reports, health-predisposition reports, wellness reports, and carrier status reports. This breach poses a significant risk, as it involves the exposure of highly personal and private genetic and health-related data.

Interestingly, in October of the previous year, a threat actor known as Golem claimed to have obtained data from seven million 23andMe users. Samples of the stolen data were shared on the cybercrime marketplace BreachForums and contained entries such as name, sex, age, location, and ancestry markers, including lineage, yDNA, and mtDNA haplogroups that trace paternal and maternal ancestry. Notably, one leak purportedly targeted one million "celebrities" of Ashkenazi Jewish descent, while another batch comprised over four million individuals, primarily from the United Kingdom. Although the original posts on the forum have been deleted, other forum members have continued to repost the data.

In response to the security incident, 23andMe took proactive measures by implementing multi-factor authentication for all users. This additional layer of security aims to enhance protection and mitigate the risk of unauthorized access, emphasizing the importance of safeguarding sensitive genetic and health information in an increasingly interconnected digital landscape. The breach serves as a reminder of the ongoing challenges companies face in securing user data and the critical role users play in maintaining strong, unique passwords across various online platforms.
