)
Cybersixgill observed threat actors advertising the stolen data of millions of customers of 23andMe, a genetic testing and ancestry platform. While the ads first appeared in October 2023, 23andme recently disclosed the breach in a Securities and Exchange Commission filing, appearing to confirm the authenticity of the leak. In addition to the original ads for the 23andMe data, Cybersixgill detected threat actors continuing to seek the information months after the initial leak.
THE HEADLINE
On December 1, 2023, the direct-to-consumer genetic testing company 23andMe disclosed in a Securities and Exchange Commission (SEC) 8-K2 filing that it learned on October 10, 2023, a threat actor had accessed and downloaded “certain user profile information.” The filing was an official admission by 23andMe confirming a data leak it first acknowledged on October 6, 2023.
Several days before that, Cybersixgill observed a threat actor advertising data from 23andMe users on a popular cybercrime site. Among the data stolen from 23andMe users was genetic information, ancestry data, names, photos, birthdates, family relationships, locations, and ethnicities. 23andMe identified credential stuffing as the attack vector for initial access, a technique that targets email, social media, and banking accounts, relying on the fact that people repeatedly use the same passwords. When threat actors find a match, they log in and steal data for additional malicious activity. Following the 23andMe breach, it was reported that the company’s competitors, including Ancestry and MyHeritage, began requiring multi-factor authentication (MFA).
According to a 23andMe spokesperson, around 6.9 million users in total had some combination of the aforementioned personal data accessed by threat actors. This figure was much larger than the estimate in the SEC filing, in which 23andMe stated that the threat actor accessed 0.1% of user accounts, which translates to around 14,000 customers. The discrepancy apparently resulted from the difference between the number of accounts directly compromised and the total number of accounts with data stolen, which included the accounts of “relatives” who were linked to direct victims via 23andMe’s DNA Relatives feature.
By leveraging the DNA Relatives feature, attackers were allegedly able to access not only the personal information of compromised accounts, but also additional 23andMe customers who connected with users identified as genetic relatives. As such, the accounts of users who were not directly compromised potentially had data stolen via compromised accounts.
While the breach raises significant questions about 23andMe's security posture and ability to protect sensitive user information, the incident is yet another example of the catastrophic consequences of users falling to select strong and unique passwords. Earlier in 2023, a similar attack hit Freecycle.org, which hosts over 10 million members across the globe. The Cybersixgill Investigative Portal detected threat actors advertising the Freecycle data prior to the company posting a breach notice, which instructed all users to change passwords on all sites on which they reused Freecycle passwords.
DIVING DEEPER
Cybersixgill collected the initial posts on which a threat actor claimed the data included DNA of celebrities. It also claimed to possess genomic ancestry data related to Jews of Ashkenazi descent and records related to Chinese users, asking buyers for $1-$10 per record.
An open source (OSINT) news site analyzed the 23andMe leaked data, discovering that some of it matched previously published genetic data available online, which appeared to confirm the authenticity of at least a portion of the 23andMe content.
Following a flurry of posts advertising the 23andMe data, Cybersixgill observed sustained demand and interest in the content.
TAKEAWAYS
The 23andMe breach continues to attract attention, both on the underground and in the mainstream media. Indeed, threat actors continue to seek the data on cybercrime forums and Telegram channels. Based on the type of data that was stolen, threat actors could likely use the information for a variety of malicious purposes.
In view of the demand for sensitive information on underground markets and forums, and the threat that related phishing attacks pose, all organizations should instruct employees not to click on links or attachments in suspicious emails. Specifically, users should double-check email senders’ identities before opening attachments or clicking links. They should also remain vigilant with regard to misspelled URLs to avoid entering credentials into fraudulent websites.
Finally, organizations should instruct personnel to exercise additional caution when using MFA codes for corporate services.
)
)
)
)