"23andMe Data Breach: Hackers Stole Raw Genotype Data, Health Reports"

Genetic testing provider 23andMe recently confirmed that hackers stole health reports and raw genotype data of customers affected by a credential stuffing attack that went unnoticed for five months, from April 29 to September 27.  23andMe noted that the credentials used by the attackers to breach the customers' accounts were stolen in other data breaches or used on previously compromised online platforms.  As the genomics and biotechnology company disclosed in data breach notification letters sent to those impacted in the incident, some of the stolen data was posted on the BreachForums hacking forum and the unofficial 23andMe subreddit site.  23andMe stated that its investigation determined the threat actor downloaded or accessed users' uninterrupted raw genotype data and may have accessed other sensitive information in users' accounts, such as certain health reports derived from the processing of genetic information, including health-predisposition reports, wellness reports, and carrier status reports.  23andMe noted that for customers who also used its DNA Relatives feature, it is possible that the attackers also scraped their DNA Relatives and Family Tree profile information.  The adversaries have also gained visibility to affected customers' following information if shared via the DNA Relatives feature: ancestry reports and matching DNA segments (specifically where on your chromosomes you and your relative had matching DNA), self-reported location (city/zip code), ancestor birth locations and family names, and profile picture, birth year, and anything else included in their profile's "Introduce yourself" section.

BleepingComputer reports:  "23andMe Data Breach: Hackers Stole Raw Genotype Data, Health Reports"