A major breach of personal data has occurred at 23andMe, a popular genetic testing company that offers insights into ancestry and health. According to a report by Decrypt1, hackers used a technique called credential stuffing to access the accounts of more than 10,000 customers, and stole their genetic information, personal details, and payment information.
Credential stuffing is a type of cyberattack that involves using stolen or leaked usernames and passwords from one website to try to log into another website. The hackers exploited the fact that many people reuse the same passwords across different platforms, and used automated tools to try millions of combinations in a short time.
The breach was discovered by researchers from CyberNews, who found a database containing the stolen data on a dark web forum. The database included the customers’ names, email addresses, phone numbers, addresses, dates of birth, genders, ethnicities, health conditions, and DNA data. The hackers also claimed to have access to the customers’ credit card information, but did not include it in the database.
The researchers alerted 23andMe about the breach, and the company confirmed that it was aware of the incident and had taken steps to secure the accounts. The company also said that it had notified the affected customers and advised them to change their passwords and enable two-factor authentication.
The breach raises serious concerns about the privacy and security of genetic data, which can reveal sensitive information about a person’s health, traits, and family history. The hackers could potentially use the data for identity theft, blackmail, or targeted phishing campaigns. They could also sell the data to third parties who might use it for unethical purposes, such as discrimination, profiling, or biometric spoofing.
The incident also highlights the need for stronger password hygiene and awareness among users of online services. The researchers from CyberNews recommended that users should use unique and complex passwords for each website they visit, and use a password manager to store them securely. They also suggested that users should regularly check their accounts for any suspicious activity, and use services like Have I Been Pwned2 to see if their email addresses have been compromised in any data breaches.