Second Wave of 23andMe Data Leaks Sparks Renewed Concerns

Just two weeks after an initial data leak, 23andMe, the popular genetic testing company, has faced another significant breach. The hacker, identified only as "Golem," has released millions of additional user records. The new data set, containing records for approximately 4 million users, was posted on a notorious cybercrime forum known as BreachForums. This raises further questions about the extent of the data breach and the measures taken by 23andMe to secure user information and prevent future hacks.

The New Leak

On Oct. 17, the hacker Golem published this second set of data on BreachForums, a platform well-known for its cybercrime activities. TechCrunch confirmed that some of this newly-released data correlates with public 23andMe user and genetic information. The hacker specified that this new leak includes information about people from Great Britain and claimed it involves data from "the wealthiest people living in the U.S. and Western Europe." The leaked data does not include genetic data but does include users’ display name, sex, birth year and details about some results of the genetic ancestry test.

Company Response

Andy Kill, a spokesperson for 23andMe, told TechCrunch that the company became aware of this latest leak on the same day it was made public. 23andMe is currently scrutinizing the leaked data to confirm its authenticity. On October 6, the company informed the public of the first breach, attributing it to credential stuffing—a technique where hackers use combinations of publicly available usernames or emails and passwords.

Measures and Blame

After the first incident, 23andMe urged its users to change passwords and enable multi-factor authentication. In an unusual move, the company partially blamed the leak on its users for reusing passwords and for an opt-in feature called DNA Relatives, which, if enabled, could theoretically allow hackers to collect data from multiple users via a single compromised account.

Unanswered Questions About the Breach

Numerous uncertainties persist about this breach, including:

• The actual technique used by the hackers to steal the data
• The total amount of stolen user data
• The hackers' intentions regarding the use of this data

Previous Indications

An important detail is the revelation that an individual on another cybercrime forum named Hydra had advertised 23andMe user data as early as August 11. TechCrunch analyzed this data, finding some overlap with the records leaked two weeks prior. The individual claimed to have 300 terabytes of user data, although there is no evidence to substantiate this claim.

With two significant data leaks in a short period, trust in 23andMe is shaken. The latest release of 4 million additional records amplifies concern over how much user data has been compromised and what safeguards the company has in place to protect its users. Until these questions are answered, the full scope of this breach remains unclear, making it a challenging period for 23andMe and its user community.

For further information on this breach and what it may mean, you can try these articles:

https://www.eff.org/deeplinks/2023/10/what-do-if-youre-concerned-about-23andme-breach

https://www.wired.com/story/23andme-credential-stuffing-data-stolen/