On Friday, October 6 – the day before Iranian-backed Hamas terrorists carried out a barbaric massacre of Jews living in villages along Israel’s border with Gaza – the 23andMe genetic testing company confirmed that hackers had stolen data from some of its users.
It swiftly became clear that Ashkenazi Jews were targeted in the cyberattack, although the reasons were as yet unclear. The data included a display name, sex, birth year and details about genetic ancestry, but apparently not raw genetic data.
The hackers posted a data sample on the BreachForums platform on October 4, claiming to have stolen one million data points belonging solely to Ashkenazi Jews. But hundreds of thousands of people with Chinese ancestry were also caught in the net, according to Wired.
The cyber thief began selling what it claimed were 23andMe profiles for between $1 and $10, depending on the scale of the purchase, the news outlet reported.
However, the actual attack apparently took place months earlier, in the summer. According to the Electronic Frontier Foundation (EFF), “TechCrunch found the data may have been first leaked back in August when a bad actor posted on a hacking forum that they’d accessed 300 terabytes of stolen 23andMe user data.”
The company wrote in an email to its customers, “We recently learned that certain profile information – which a customer creates and chooses to share with their genetic relatives in the DNA Relatives feature – was accessed from individual 23andMe.com accounts. This was done without the account users’ authorization. We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.
“While our investigation is ongoing, at this time we believe the threat actor was able to access certain accounts in instances where users employed identical login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that had been previously compromised or otherwise available.”
The company added that if it became clear that a specific customer’s data was accessed “without your authorization,” 23andMe.com will contact that individual separately with “more information.”
In the meantime, users were advised to change and strengthen their passwords, and enable two-step verification for additional protection.