Hacker leaks millions of genetic data profiles

A hacker has leaked an additional 4.1 million stolen 23andMe genetic data profiles for people in Great Britain and Germany on a hacking forum.

Earlier this month, a threat actor leaked the stolen data of 1 million Ashkenazi Jews who used 23andMe services to find their ancestry info and genetic predispositions. 23andMe told BleepingComputer* that this data was obtained through credential stuffing attacks on accounts using weak passwords or credentials exposed in other data breaches. However, the company says there is no evidence of a security incident on its IT systems. The company says that only a limited number of accounts were breached, but those accounts had opted into the ‘DNA Relatives’ feature, allowing the threat actor to scrape millions of individuals’ data.

The stolen data includes users’ account IDs, full names, sex, date of birth, DNA profiles, location, and region details. This sensitive data is exactly the type of information cybercriminals are after, and users can expect this data will be sold on the dark web. Unfortunately, DNA cannot be replaced the way social media accounts or passwords can, and there is little customers can do about the very sensitive data that has now been stolen.

Once again, this shows that old-fashioned basic passwords once did a good job of fending off the most basic of attacks. However, this security of yesteryear clearly doesn’t stand up to the types of attacks we see today. Multi-factor authentication or, even better, token or key-based authentication are the measures to look for. A robust endpoint detection and response solution is required, and password saving should be disabled in web browsers.

However, this incident shows that weakly secured accounts put at risk even those who thought of protecting their sensitive data and used 2FA and strong passwords. Therefore, it is also up to the companies handling sensitive medical data to implement adequate security measures that would help prevent attackers from accessing large bodies of data, and to monitor their networks for abnormalities to stop an intrusion at an earlier stage.

*ESET does not bear any responsibility for the accuracy of this information.

