In a recent digital assault that stands out from the usual credential stuffing attacks leading to data breaches, hackers specifically targeted a particular sect of Jewish members. This unprecedented incident occurred on the servers of the renowned biotechnology company, 23andMe, which specializes in genetic testing and genealogy-related services. The attack took place in September of this year, resulting in the theft of data related to Ashkenazi Jewish heritage members.
On October 6th, 23andMe made the details of this cyber incident public, acknowledging that information from selected customer profiles using their DNA Relatives Feature had been compromised. The hackers gained access to sensitive data, including first and last names, email addresses, phone numbers, dates of birth, locations, and the genetic histories of Ashkenazi Jewish members, encompassing their ancestral details.
In today’s digital age, many individuals opt for online services that provide genetic and ancestral information for a premium fee. This recent data breach serves as a stark reminder that not all personal details should be shared online, especially when cybercriminals are on the prowl.
A subsequent technical analysis revealed that the attack was initiated using recycled login credentials. Cybercriminals exploited leaked information from previous data breaches to gain unauthorized access to a separate website. Given that many online companies employ a single-password system for multiple linked services, a single password leak can result in a significant online security breach.
To defend against credential stuffing attacks, it is advisable to implement two-factor authentication or multi-factor authentication when logging into online services. 23andMe has initiated a forensic investigation into the incident and is urging its users to change their passwords promptly.
Typically, such data is sold for a price, with rates starting at $1,000 for 100 profiles and increasing to $5,000 for 1,000 profiles. The price doubles for the next 10,000 profiles and so forth. A forum specializing in data breaches has claimed possession of data related to over 1 million Ashkenazi profiles. This data includes haplogroup details, phenotype information, photographs, precise origin estimates, individual data sets, and hundreds of potential relatives’ information, much of which constitutes raw data.