Stolen genetic data belonging to British customers of a leading DNA test provider has been published on a cybercriminal website.
A hacker has been trying for weeks to sell information belonging to users of biotech company 23andMe. The stolen info includes full names, photos, dates of birth, genetic ancestry results, and geographic location.
US-based 23andMe revealed it had suffered a major cybersecurity incident on October 6, after fraudsters broke into the accounts of millions of customers.
The same hacker who leaked the original trove of stolen records has now exposed the info of four million customers, among them Brits.
Tech news site TechCrunch reported that the data in question matches known and public 23andMe user and genetic information.
It also found that a hacker on a separate cybercrime forum had been advertising stolen 23andMe customer data since August 11, several weeks before the company reported the cybersecurity incident.
23andMe told the publication that it was aware of the latest leak, and is “reviewing the data to determine if it is legitimate.”
The company previously advised all users to take extra security steps to protect their accounts. Customers with weak or reused passwords were urged to change them, and it also recommended that people set up two-factor authentication.
23andMe offers a deep dive into users’ family histories and genetic health based on saliva samples.
The firm originally said it had “no evidence” that the breach occurred within its internal systems.
Instead, it said a hacker may have obtained user passwords stolen from other sites and reused them to infiltrate 23andMe accounts. This technique is known as credential stuffing and takes advantage of people who use the same details (such as usernames and passwords) across different sites.
Due to the recycled nature of the passwords, these types of cyberattacks can put other accounts and organisations at risk, according to the Government’s National Cyber Security Centre.
23andMe is investigating the breach and is also working with third-party forensic experts and US law enforcement.