23andMe’s data breach has apparently gotten about four times worse, as millions more files have been leaked to a dark web hacking forum. It’s still not clear how many of these are full genetic profiles, however, as the hacker apparently used the “DNA Relatives” feature of the service to scrape more basic data points from connections to compromised accounts.
All of the leaked files appear to be from the same data breach, which looks to have taken place in or prior to August of this year; the hacker first tried to sell the stolen files before beginning to selectively leak them, accompanied by references to conspiracy theories. The new wave of files comes from users in the United Kingdom and Germany.
Five million leaked files include genetic profiles, but extent of stolen information still unclear
There are apparently at least some genetic profiles among the millions of stolen files, but 23andMe has not yet made clear how many. The company has said that the attacker got in via credential stuffing, which would suggest that substantially fewer than millions of accounts were part of the data breach. The initial failure to sell the files (and the subsequent bizarre leaks) could be due to most of them being DNA Relatives information sets that were not particularly interesting to criminals.
Regardless of the content of the data breach, it’s among the largest yet that includes genetic profiles. Other DNA testing centers and a main competitor of 23andMe (MyHeritage) have been hacked and lost millions of records, but those incidents generally involved much less sensitive information. The hacker, going by “Golem” on underground forums, claims to have stolen 300 TB of data in total and about seven million records.
DNA data breach focuses on the super-wealthy, royal families
After a failed attempt to sell the stolen files in August, the hacker re-emerged some weeks later with claims of having a million genetic profiles of Ashkenazi Jews and members of the world’s “wealthiest families,” specifically referencing long-time conspiracy targets such as the Rockefellers and Rothschilds. The newest release promises information on the UK’s royal family.
23andMe has confirmed a data breach but has not yet confirmed the hacker’s claims, or that the genetic profiles they claim to have are legitimate. It has also not yet provided a number of victims. Assuming that the hacker holds legitimate data, it is possible for one compromised account to receive more limited information about up to 1,500 other people using the DNA Relatives program (though only people who have also opted into it). The attacker thus could have reached the numbers they claim to have with several thousand accounts compromised by credential stuffing, which would also fit with the fact that the groupings of information that have been leaked are very geographically specific.
23andMe is already facing an assortment of class action suits over the data breach, with one suit seeking damages of several thousand per claimant for most of its members. The damages could be strongly influenced by how many genetic profiles were actually leaked. In the meantime, customers of the service can opt out and have their data removed through a link in the app’s account settings.