Cybercrim claims fresh 23andMe batch takes leaked records to 5 million

Class action lawsuits abound after mega breach


A cybercriminal claims they've uploaded a second batch of stolen profile data from biotech company 23andMe, posting it to the same cybercrime forum that hosted the first batch two weeks ago.

The individual who uses the alias "Golem" has uploaded an additional 4.1 million records of mainly UK users in what appears to be another religiously motivated endeavor.

The first leak at the start of October contained 1 million records of people whose DNA included Ashkenazi Jewish markers – an apparent targeting of the ethnic group, whose genetic data is incidentally very close to that of Palestinians. In the BreachForums post, Golem posted an antisemitic statement saying the new data included more Ashkenazi DNA samples, something they characterized as belonging to people who were somehow all wealthy and Zionists because of their genetics.

German users are also thought to be impacted by the latest leak, but the cybercriminal claimed only one-third of German-origin users are included in this batch. 

Golem went on to accuse German chancellor Olaf Scholz of "serving Zionism," adding to the suggestion that the attack was religiously motivated.

They also made the unconfirmed claim that included in the data "are samples from hundreds of families, including the royal family, Rothschilds, Rockefellers, and more."

23andMe told The Reg: "We are aware that the threat actor involved in this investigation posted what they claim to be additional customer DNA Relative profile information. We are currently reviewing the data to determine if it is legitimate. Our investigation is ongoing and if we learn that a customer's data has been accessed without their authorization, we will notify them directly with more information."

Initial breach

Golem posted a link to what was advertised as a trove of 1 million records of 23andMe profiles including Ashkenazi Jewish markers to BreachForums on October 2. 

They priced downloads depending on the number of records a user wanted, advertising the data as including raw profile information, photographs, ethnic groupings, and other data points. The pricing scale was:

23andMe first confirmed it was aware of a security incident on October 6, at the time saying it was continuing to investigate the event.

It was quick to confirm its belief that the data leak wasn't the result of a security vulnerability being exploited by the cybercriminal. Evidence instead pointed to a credential stuffing attack that capitalized on users' recycled credentials that had been leaked in other breaches before 23andMe's incident took place.

The company's initial investigations concluded that the accounts impacted in the leak all opted into the DNA Relatives feature. 

DNA Relatives is a major selling point for the company's service: it pairs users with other users who share a portion of their DNA, and 23andMe offers a prediction of the most likely relationship between the two paired users.

An update was posted by the company on 9 October saying customers thought to be affected were being contacted directly with further information.

As a victim of the breach, this reporter didn't receive an email to confirm their data was impacted until October 14, nearly two weeks after the initial leak.

According to the email, some users only had the information in their DNA Relatives profile leaked. Some had their account accessed directly and some had their information stolen only because it was shared with a DNA relative who had their account compromised. 

This may go some way to explaining the scale of the breach, especially given that, according to 23andMe, Ashkenazi Jews and those with other European backgrounds typically have many matches on the platform.

Even if an account wasn't itself compromised through the credential stuffing attacks, it had opted into DNA Relatives and so its DNA Relatives profile attributes were visible to any matched account that was accessed. One compromised 23andMe account could therefore expose the data of a wide range of individuals.

Data included in DNA Relative profiles includes: last login date; relationship labels (masculine, feminine, neutral); predicted relationship (eg, second cousin) and percentage of DNA shared to a matched user; and the DNA Relative display name.

Display names are configurable from the most transparent, which displays the full first and last name, to the least transparent which only shows the first initial of the first and last name.

For example, Golem posted a link to what they alleged was 23andMe CEO Anne Wojcicki's DNA Relative profile, though the account's display name is only "A W."

Users can optionally share additional pieces of data, such as location, ancestor birth locations and family names, profile picture, birth year, and others.
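To make the blast radius described above concrete, here is an added model (not 23andMe's code, and with constructed names and match counts) of how a handful of credential-stuffed accounts expose the DNA Relatives profiles of opted-in matches who were never logged into, and how the display-name setting limits what a match entry reveals. The `Account` structure and the three-category split (direct access versus exposure via a relative) are assumptions drawn from the article's description.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """Constructed, simplified model of a 23andMe account (not the real schema)."""
    user_id: str
    first: str
    last: str
    opted_in: bool                                # DNA Relatives enabled
    show_full_name: bool = False                  # display-name transparency setting
    matches: set = field(default_factory=set)     # user_ids of DNA relatives

    def display_name(self) -> str:
        # Least transparent setting shows only initials, e.g. "A W".
        return f"{self.first} {self.last}" if self.show_full_name \
            else f"{self.first[0]} {self.last[0]}"

def exposed_profiles(accounts: dict, compromised: set) -> dict:
    """Map user_id -> 'direct' (account itself accessed) or 'via_relative'
    (only the DNA Relatives match entry seen from a compromised account)."""
    exposure = {}
    for uid in compromised:
        exposure[uid] = "direct"
        acct = accounts[uid]
        if not acct.opted_in:
            continue                      # no relative list to read
        for rel_id in acct.matches:
            if accounts[rel_id].opted_in and rel_id not in compromised:
                exposure.setdefault(rel_id, "via_relative")
    return exposure

def match_entry(acct: Account, shared_pct: float) -> dict:
    """Fields visible in one DNA Relatives match entry (subset named in the article)."""
    return {"display_name": acct.display_name(), "shared_dna_pct": shared_pct}

def build_sample() -> dict:
    """Constructed dataset: one CEO-like account with initials only, plus matches."""
    accts = {
        "u1": Account("u1", "Anne", "Wojcicki", True, False, {"u2", "u3", "u4"}),
        "u2": Account("u2", "Bob", "Brown", True, True, {"u1", "u3"}),
        "u3": Account("u3", "Cara", "Cole", True, False, {"u1", "u2"}),
        "u4": Account("u4", "Dan", "Day", False, False, set()),   # opted out
    }
    return accts

if __name__ == "__main__":
    accounts = build_sample()
    print(exposed_profiles(accounts, {"u2"}))          # u2 direct, u1/u3 via_relative
    print(match_entry(accounts["u1"], 3.1))            # {'display_name': 'A W', ...}
```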

Class-action central

Perhaps unsurprisingly, the incident has spurred a flurry of class action lawsuits against 23andMe, including five in California where the company is headquartered.

In the case of Santana vs 23andMe, plaintiffs allege that the company failed to implement "adequate and reasonable cybersecurity procedures and protocols necessary to protect victim's PII".

They also alleged, among many other matters, that 23andMe disregarded the rights of its users by failing to adequately secure its data systems against unauthorized intrusions and monitor its network to discover the intrusion sooner.

The claims made in Andrizzi vs 23andMe, Lamons vs 23andMe, and J.S. vs 23andMe were also very similar in nature.

Eden vs 23andMe brought claims for negligence, invasion of privacy, breach of contract, and breach of implied contract, among others. ®
