A hacker is offering to sell records identifying names, locations and ethnicities of potentially millions of customers of genetic testing company 23andMe, beginning by touting a batch that would contain data of those with Jewish ancestry.
A 23andMe spokeswoman confirmed that the leak contained samples of genuine data and said the company is investigating. She said it appeared likely that the hacker or accomplices used a common technique called credential stuffing: Taking username-and-password combinations published or sold after breaches at other companies, and trying those combinations to see which were reused by 23andMe customers. When the hacker found logins that worked, they copied all the information made available to legitimate users by their relatives, sometimes hundreds of them per account.
The company said it had reported the matter to law enforcement and that this was the first incident of its kind at the firm.
The data does not include genomic details, which are especially sensitive, but does include usernames, regional locations, profile photos, and birth years. The usernames are often something other than full legal names.
23andMe said it was encouraging users to change their passwords and use two-factor authentication to prevent others from logging in under their name. Online posts offering the data for sale in underground forums said buyers could acquire 100 profiles for $1,000 or as many as 100,000 for $100,000. One post said the person had uploaded a large database of Ashkenazi Jews. The company spokeswoman said that would include people with even 1% Jewish ancestry.
Some of the posts used the handle “Golem,” a reference to a humanoid beast in Jewish folk tales.
The data taken from 23andMe could cover more than half of the company’s 14 million customers, based on the number of people who have opted to make their data visible to relatives, including distant cousins.
While the reference to Jews might have been designed to draw attention and increase the odds of transactions, it comes during a time of increased rhetorical and physical attacks on Jews in the United States. Antisemitism has gotten more traction in the past year on social networks for conspiracy theories that blame Jews for illegal immigration, media manipulation or financial misdeeds.
deleted by creator
As someone of almost entirely Ashkenazi heritage, all I can say is I’m glad I never used 23andMe, but I’m scared for a lot of my fellows.
As someone who is 50% Ashkenazi and on 23andMe, I’m not super happy
My partner is Jewish and used the service to learn more about her ancestry. This sucks.
Is it just me or does it seem it’s a really bad idea to buy into any product that involves accumulating PII? I’m old enough to have noticed that in nearly every instance that data is either misused, stolen, or used as intended for a really shitty purpose.
How can you tell a person’s religion from their DNA?
“Jewish” is an ethnicity as well as a religion so one can be ‘of Jewish descent’ without practicing Judaism.
I think that’s the short answer.
Please correct me if I got any terminology muddled up.
I could explain it, but this would do a much better job:
Not really 23andMe’s fault if people don’t secure their accounts properly
Bullshit. They have no limit on how many failed login attempts you can do.
You don’t need multiple failed logins if you have the email and password though
They could force 2FA if the login is coming from a new IP.
If Steam can do it, so can 23andme.
I’m mixed on that score.
If your primary business is handling extremely sensitive information… you should probably force people into 2FA as standard procedure.
23 and me are far from the only company not doing that, though… mostly because they thing people will run away screaming to the lie competitors if they do.
Which, to be fair, is possibly true. People are dumb like that,
It’s not that hard to set up OTP 2FA. It’s actually fairly easy- I managed it on my private cloud server and home security/automation server.
This company should be sued/fined out of existence as an example to others.
They have 2fa but it’s optional