23andMe user data stolen in credential-stuffing attack
US-based Biotech firm known for its DNA testing kits, has confirmed that its user data is circulating on hacker forums
image for illustrative purpose
San Francisco: US-based biotech company 23andMe, known for its DNA testing kits, has confirmed that its user data is circulating on hacker forums, attributing the leak to a credential-stuffing attack.
According to BleepingComputer, a hacker recently leaked samples of data that was stolen from a genetics firm and, after a few days, offered to sell data packs belonging to 23andMe customers.
A credential-stuffing attack involves obtaining previously compromised user information (for example, usernames and passwords) from one organisation and attempting to reuse it with a second organisation.
According to the report, the threat actor released 1 million lines of data for Ashkenazi people in the initial data leak. However, on October 4, the hacker offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on the number of accounts purchased.
"We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts. We do not have any indication at this time that there has been a data security incident within our systems," a 23andMe spokesperson was quoted as saying.
"Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials," it added.