23andMe is a personal genome and biotechnology company that provides genetic reports to interested clients. 23andMe employs over 800 employees and operates in California. The company reported $299 million in revenues this year, but the figure will likely drop in the upcoming quarter; opportunists have accessed 23andMe’s systems, resulting in thousands of user records leaking online. Many stolen records involve Ashkenazi and Chinese ancestors, potentially setting up individuals for future hate crimes.

How Did the Attack Occur?

Much information about the attack is confirmed, yet some details remain unclear. 23andMe’s statement on the assault claims that user negligence may have made the event possible. Rather than stealing the data from internal databases, opportunists accessed user accounts without brute force. They instead utilized passwords and information that other hackers had exposed in previous data breaches. The public’s lackadaisical approach to account creation and security—i.e., using the same password and username across software—is fundamental to this breach’s success. 23andMe’s investigation suggests no data security incidents have occurred, meaning the assailants already had accessible credentials available.

What Information was Viewed or Stolen? 

The information leak may have impacted those with a 23andMe account who have enabled the “DNA Relatives” option and have reused login credentials. The records posted online list various information but tend to include name, sex, genetic ancestry results, and geographic ancestry information. The for-sale records do not seem to include raw user data. The stolen details seem to focus on Ashkenazi Jews, with some records prioritizing celebrity genetics and Chinese descendants. As of this writing, no genetic testing has gained exposure; instead, the opportunists have stitched together data by utilizing the DNA Relatives service to spy on consumer profiles.

How Did 23andMe Admit to the Breach? 

Nine in the morning on October 1st, a Breach Forums user named “Golem” published the first instance of 23andMe’s data leak. The post claims at least 20 million pieces of data available in the leak, possibly totaling 2 million Ashkenazi records; raw data is also available to be sold for an additional $5 per account. (Raw data accusations are not substantiated by 23andMe.) On October 2nd, another forum user, Addka72424, re-posts the information on the forum; this is necessary, as Golem’s original post had a limited download stipulation. October 4th, Golem clarifies package pricing in a new post. Details sell for $1-$10 per account, stipulated by package deals. Two days later, on October 6th, 23andMe published a statement confirming that consumer data may be available online; they do not confirm that the leaked data is actual consumer data.

What Will Become of the Stolen Information? 

The reason for 23andMe’s leak is unknown, yet actors may leverage the data that appears from it in many ways. Interested parties may buy a profile (or more), but only they can determine what happens with the data. Bad actors may use details to specifically target Ashkenazi Jews for hate crimes, while others may use it for impersonation. Actors can use the data for increased phishing attempts, frequent DDoS attacks, and fraudulent behaviors. If your data may have appeared in the leaked information, the only way to protect yourself is by taking immediate action.

What Should Affected Parties Do in the Aftermath of the Breach? 

Users who suspect they have had information exposed in this leak should immediately protect themselves. Account holders should disable DNA Relative sharing by changing the associated email and passwords. If not already signed up, enable multi-factor authentication on the 23andMe and email accounts. Consider consulting a financial and identity monitor to avoid attempted fraud; users should never give personal information or confirm data to strangers online. Take proactive steps today to mitigate threats in the future.