23andMe user data compromised in a “credential stuffing attack”

23andMe is a popular genetics testing company that uses biodata to map users’ family history and origins, among other things. BleepingComputer reports that the company has suffered a “credential stuffing attack” which has compromised its users’ data.

23andMe has confirmed to BleepingComputer that it is aware that user data from its platform has been circulating on hacker forums. The company has become popular for providing ancestry reports for users curious about where they came from. It also provides reports that may help users find out if they are genetically predisposed to certain diseases.

According to BleepingComputer, a threat actor leaked samples of data allegedly stolen from a genetics firm and, a few days later, offered to sell data packs belonging to 23andMe customers. The initial leak was limited, with the threat actor releasing 1 million lines of data for Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.

“A 23andMe spokesperson confirmed the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data.”

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” stated 23andMe’s spokesperson.

“We do not have any indication at this time that there has been a data security incident within our systems.”

BleepingComputer has also learned that the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials.
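The attack described above is credential stuffing: passwords reused from other breaches are tried against many different accounts, so most attempts fail but a fraction succeed. This is distinct from a brute-force attack against a single account, and it shows up in authentication logs as one source trying many distinct usernames in a short window. The following is an added example (not code from 23andMe or BleepingComputer) that runs a simple detector over constructed log lines; the log format, the 60-second window and the threshold of 8 distinct accounts are assumptions chosen for illustration.

```python
"""Flag credential-stuffing sources in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# The first source sprays one attempt at each of ten accounts and gets two
# hits (the stuffing pattern); the second source is a single user who
# mistypes their own password twice and then logs in, which must not be flagged.
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice FAIL
2023-10-01T10:00:02 203.0.113.7 bob FAIL
2023-10-01T10:00:02 203.0.113.7 carol OK
2023-10-01T10:00:03 203.0.113.7 dave FAIL
2023-10-01T10:00:04 203.0.113.7 erin FAIL
2023-10-01T10:00:05 203.0.113.7 frank OK
2023-10-01T10:00:06 203.0.113.7 grace FAIL
2023-10-01T10:00:07 203.0.113.7 heidi FAIL
2023-10-01T10:00:08 203.0.113.7 ivan FAIL
2023-10-01T10:00:09 203.0.113.7 judy FAIL
2023-10-01T10:03:00 198.51.100.2 alice FAIL
2023-10-01T10:03:30 198.51.100.2 alice FAIL
2023-10-01T10:04:00 198.51.100.2 alice OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, source_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(seconds=60), min_accounts=8):
    """Return {source_ip: {"accounts_tried": n, "compromised": [...]}} for
    every source that attempted at least `min_accounts` distinct usernames
    within any single `window`. Thresholds are assumed values for the demo.

    Grouping by source and counting *distinct usernames* (not failed
    attempts) is what separates stuffing from a single user's typos or a
    brute force against one account.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological order for the sliding window
        max_distinct = 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({e[2] for e in evs[start:end + 1]})
            max_distinct = max(max_distinct, distinct)
        if max_distinct >= min_accounts:
            # Every account that authenticated from the flagged source is a
            # candidate for forced credential reset and session revocation.
            compromised = sorted({e[2] for e in evs if e[3]})
            findings[ip] = {"accounts_tried": max_distinct,
                            "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['accounts_tried']} accounts tried, "
              f"successful logins: {info['compromised']}")
```

The sprayed source is reported with the two accounts that accepted a reused password, while the legitimate user retrying a mistyped password is left alone. In production the same logic would key on additional signals (ASN, user agent, geography) and the counts would feed rate limiting or step-up authentication, but the core distinction, many accounts from one source rather than many attempts on one account, is what the log review needs to capture.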

Sharing data with companies is always a risk, and companies like this also have contracts that allow them to use your biodata in any way they choose to. So the risk of a hack is real, but so is the risk of your data being shared with third parties you may not want to share data with. We always advise against using services like this; it seems fun but can lead to a world of hurt.

Be sure to read BleepingComputer’s full report on its website.