Cybercrim claims fresh 23andMe batch takes leaked records to 5 million

Trending 1 month ago

A cybercriminal claims they've uploaded a 2nd batch of stolen floor plan information from biotech institution 23andMe, posting it to nan aforesaid cybercrime forum that hosted nan first batch 2 weeks ago.

The individual who uses nan othername "Golem" has uploaded an further 4.1 cardinal records of chiefly UK users successful what appears to beryllium different religiously motivated endeavor.

The first leak astatine nan commencement of October contained 1 cardinal records of group whose DNA included Ashkenazi Jewish markers – an evident targeting of nan taste group, whose familial information is incidentally very adjacent to those of Palestinians. In nan BreachForums post, Golem posted an antisemitic connection saying nan caller information included much Ashkenazi DNA samples, thing they characterized arsenic belonging to group who were someway each able and Zionists because of their genetics.

German users are besides thought to beryllium impacted by nan latest leak, but nan cybercriminal claimed only one-third of German-origin users are included successful this batch. 

Golem went connected to impeach German chancellor Olof Scholz of "serving Zionism," adding to nan proposal that nan onslaught was religiously motivated.

They besides made nan unconfirmed declare that included "are samples from hundreds of families, including nan royal family, Rothschilds, Rockefellers, and more."

23andMe told The Reg: "We are alert that nan threat character progressive successful this investigation posted what they declare to beryllium further customer DNA Relative floor plan information. We are presently reviewing nan information to find if it is legitimate. Our investigation is ongoing and if we study that a customer's information has been accessed without their authorization, we will notify them straight pinch much information."

BreachForums station advertizing latest stolen 23andMe information for sale

Initial breach

Golem posted a nexus to what was advertised arsenic a trove of 1 cardinal records of 23andMe profiles including Ashkenazi Jewish markers to BreachForums connected October 2. 

They priced downloads depending connected nan number of records a personification wanted, advertizing nan information arsenic including earthy floor plan information, photographs, taste groupings, and different information points. The pricing standard was:

  • 100 profiles for $1,000
  • 1,000 profiles for $5,000
  • 10,000 profiles for $20,000
  • 100,000 profiles for $100,000

23andMe first confirmed it was alert of a information incident connected October 6, astatine nan clip saying it was continuing to analyse nan event.

It was speedy to corroborate its belief that nan information leak wasn't nan consequence of a information vulnerability being exploited by nan cybercriminal. Evidence alternatively pointed to a credential stuffing onslaught that capitalized connected users' recycled credentials that had been leaked successful different breaches earlier 23andMe's incident took place.

The company's first investigations concluded that nan accounts impacted successful nan leak each opted into nan DNA Relatives feature. 

DNA Relatives is simply a awesome trading constituent for nan company's work that allows users to beryllium paired up pinch different users if they stock a information of their DNA, and 23andMe offers a prediction of nan astir apt narration you are to a paired user.

An update was posted by nan institution connected 9 October saying customers thought to beryllium affected were being contacted straight pinch further information.

As a unfortunate of nan breach, this newsman didn't person an email to corroborate their information was impacted until October 14, astir 2 weeks aft nan first leak.

According to nan email, immoderate users only had nan accusation successful their DNA Relatives floor plan leaked. Some had their relationship accessed straight and immoderate had their accusation stolen only because it was shared pinch a DNA comparative who had their relationship compromised. 

This whitethorn spell immoderate measurement to explaining nan standard of nan breach, besides taking into relationship that according to 23andMe, Ashkenazi Jews and those pinch different European backgrounds typically person galore matches connected nan platform. 

Even if an relationship wasn't itself compromised done nan credential stuffing attacks, because it opted into DNA Relatives and had its DNA Relatives floor plan attributes shared pinch accounts that were accessed, it intends a wide scope of individuals' information could beryllium accessed done 1 compromised 23andMe account.

Data included successful DNA Relative profiles includes: past login date; narration labels (masculine, feminine, neutral); predicted narration (eg, 2nd cousin) and percent of DNA shared to a matched user; and nan DNA Relative show name.

Display names are configurable from nan astir transparent, which displays nan afloat first and past name, to nan slightest transparent which only shows nan first first of nan first and past name.

For example, Golem posted a nexus to what they alleged was 23andMe CEO Anne Wojcicki's DNA Relative profile, though nan account's show sanction is only "A W."

Users tin optionally stock further pieces of data, specified arsenic location, ancestor commencement locations and family names, floor plan picture, commencement year, and others.

Class-action central

Perhaps unsurprisingly, nan incident has spurred a flurry of people action lawsuits against 23andMe, including 5 successful California wherever nan institution is headquartered.

In nan lawsuit of Santana vs 23andMe, plaintiffs allege that nan institution grounded to instrumentality "adequate and reasonable cybersecurity procedures and protocols basal to protect victim's PII".

  • DNAaaahahaha: Twins' 23andMe, Ancestry, etc familial tests alteration wildly, astonishing nary one
  • DNA-bothering eggheads brew brew you were virtually calved to like
  • Bad genes? US watchdog halts 23andMe's useful location DNA trial kits
  • Google's Brin and woman plop half-million into Wikipedia's hat

They besides alleged, among galore different matters, that 23andMe disregarded nan authorities of its users by failing to adequately unafraid its information systems against unauthorized intrusions and show its web to observe nan intrusion sooner.

The claims made successful Andrizzi vs 23andMe, Lamons vs 23andMe, and J.S. vs 23andMe were besides very akin successful nature.

Eden vs 23andMe brought claims for negligence, penetration of privacy, breach of contract, and breach of implied contract, among others. ®