DNA testing company 23andMe has confirmed that a threat actor may have gained unauthorized access to some accounts, compromising the data of a currently unknown number of customers.
The confirmation comes a few days later X user found 13 million customer records for sale on the dark web.
The data reportedly includes their estimate of origin, phenotype and health information, photos and identifying information, raw data, and some other account information.
23andMe data breach
According to the post on the dark web, the company had been hacked several months earlier and those in the know sold shares before the hack became public knowledge. The stock price currently stands at $0.86, down from a February high of $2.87. The company did not immediately respond to TechRadar Pro’s request for comment on the dark web message claim.
The company shared an official statement (via Ars Technica) regarding the leak:
“We currently have no indications that a data security incident has occurred within our systems. Rather, the preliminary results of this study suggest that the credentials used in these access attempts may have been collected by a threat actor from data leaked during incidents involving other online platforms where users recycled credentials.
We believe that the threat actors then accessed 23andme.com accounts without permission and obtained information from those accounts in violation of our Terms of Service. We take this matter seriously and will continue our investigation to confirm these preliminary results.”
The leak reportedly contains a million lines of data for Ashkenazi people (via Beeping computer), which also affects more than 300,000 users of Chinese descent (via The record).
When TechRadar asked the company for more information, we were referred to a blog post created by 23andMe.