"DNA Tester 23andMe Hit By Credential Stuffing Campaign"

A leading genetics testing firm recently confirmed that threat actors accessed customers’ profile information following a credential stuffing campaign.  San Francisco-headquartered 23andMe offers DNA testing, ancestry information, and personalized health insights for millions of customers.  A threat actor known as “Golem” posted an ad to BreachForums last week, offering “raw data profiles,” “tailored ethnic groupings,” “individualized data sets,” and much more to online buyers.  Prices start at $1,000 for 100 profiles and max out at $100,000 for 100,000 profiles.  A statement from 23andMe confirmed that the data breach was not due to hackers infiltrating the firm’s own network but rather poor password management on the part of its customers, who appear not to have used the site’s multi-factor authentication (MFA) option.  The company noted that, at this time, it does not have any indication of a data security incident within its systems.  It is believed that hackers gained access to a small number of initial accounts via previously compromised credentials but were then able to scrape data from additional users who had registered with the DNA Relatives feature.  Among the data compromised are full names, usernames, profile photos, gender, date of birth, location, and ancestry results.

Infosecurity reports: "DNA Tester 23andMe Hit By Credential Stuffing Campaign"