DNA testing firm 23andMe has confirmed that a threat actor may have gained unauthorized access to some accounts, putting the data of a currently unknown number of customers at risk.
The confirmation comes several days after an X user found 13 million pieces of customer data for sale on the dark web.
The data reportedly includes their origin estimation, phenotype and health information, photos and identification data, raw data, and some other account information.
23andMe data breach
According to the dark web post, the company had been hacked several months prior, and those in the know sold stock before the hack became public knowledge. The share price currently stands at $0.86, down from a February high of $2.87. The company did not immediately respond to TechRadar Pro’s request for a comment on the dark web post’s claim.
The company shared an official statement (via Ars Technica) with regards to the leak:
“We do not have any indication at this time that there has been a data security incident within our systems. Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.
We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts. We are taking this issue seriously and will continue our investigation to confirm these preliminary results.”
The leak reportedly contains one million lines of data for Ashkenazi people (via Bleeping Computer), also affecting more than 300,000 users of Chinese descent (via The Record).
When TechRadar asked the company for more information, we were directed to a blog post created by 23andMe.