Genetic testing company 23andMe has confirmed that it has suffered a data breach following a post on an online marketplace offering up its user data for sale. Any time a company suffers a breach and user info is compromised, it’s a problem. This time is a little unique since 23andMe also stores genetic data.
Some of that has apparently also made it out onto the web where it’s just waiting for the highest bidder but there was apparently little the company could have done about that. The testing service said in a statement that it wasn’t subject to a “data security incident”. Instead, the blame is being laid on a practice called ‘scraping‘.
Slivers of 23andMe
Originally, whoever is trying to sell the user info claimed to have the usual stuff: names, email addresses, and other identification data. Added to this is genetic data — the origin roundup the service is famous for, phenotype, and haplogroup information, plus other details like photographs. The service originally denied that this information was available but later confirmed that some private data had made it out from under its watchful eyes.
The problem, according to 23andMe, is data scraping. Individual user accounts were compromised which led to others giving up useful information. DNA Relative is an opt-in feature that lets those with similar genetic results see each other. It’s also a handy way to scoop more data than you might from a single compromised profile.
Company officials released a statement, saying, “We do not have any indication at this time that there has been a data security incident within our systems. Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”
“We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts. We are taking this issue seriously and will continue our investigation to confirm these preliminary results.”
Still, a new fear has been unlocked. It’s probably only a matter of time before the WorldCoin iris-scanning project is similarly compromised, dumping a vast database of human biometric data online where anyone with a credit card can access it.
