A cybercriminal claims they’ve uploaded a second batch of stolen profile data from biotech company 23andMe, posting it to the same cybercrime forum that hosted the first batch two weeks ago.
The individual who uses the alias “Golem” has uploaded an additional 4.1 million records of mainly UK users in what appears to be another religiously motivated endeavor.
The first leak at the start of October contained 1 million records of people whose DNA included Ashkenazi Jewish markers – an apparent targeting of the ethnic group, whose genetic data is incidentally very close to those of Palestinians. In the BreachForums post, Golem posted an antisemitic statement saying the new data included more Ashkenazi DNA samples, something they characterized as belonging to people who were somehow all wealthy and Zionists because of their genetics.
German users are also thought to be impacted by the latest leak, but the cybercriminal claimed only one-third of German-origin users are included in this batch.
Golem went on to accuse German chancellor Olof Scholz of “serving Zionism,” adding to the suggestion that the attack was religiously motivated.
They also made the unconfirmed claim that included “are samples from hundreds of families, including the royal family, Rothschilds, Rockefellers, and more.”
23andMe told The Reg: “We are aware that the threat actor involved in this investigation posted what they claim to be additional customer DNA Relative profile information. We are currently reviewing the data to determine if it is legitimate. Our investigation is ongoing and if we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information.”
Initial breach
Golem posted a link to what was advertised as a trove of 1 million records of 23andMe profiles including Ashkenazi Jewish markers to BreachForums on October 2.
They priced downloads depending on the number of records a user wanted, advertising the data as including raw profile information, photographs, ethnic groupings, and other data points. The pricing scale was:
- 100 profiles for $1,000
- 1,000 profiles for $5,000
- 10,000 profiles for $20,000
- 100,000 profiles for $100,000
23andMe first confirmed it was aware of a security incident on October 6, at the time saying it was continuing to investigate the event.
It was quick to confirm its belief that the data leak wasn’t the result of a security vulnerability being exploited by the cybercriminal. Evidence instead pointed to a credential stuffing attack that capitalized on users’ recycled credentials that had been leaked in other breaches before 23andMe’s incident took place.
The company’s initial investigations concluded that the accounts impacted in the leak all opted into the DNA Relatives feature.
DNA Relatives is a major selling point for the company’s service that allows users to be paired up with other users if they share a portion of their DNA, and 23andMe offers a prediction of the most likely relation you are to a paired user.
An update was posted by the company on 9 October saying customers thought to be affected were being contacted directly with further information.
As a victim of the breach, this reporter didn’t receive an email to confirm their data was impacted until October 14, nearly two weeks after the initial leak.
According to the email, some users only had the information in their DNA Relatives profile leaked. Some had their account accessed directly and some had their information stolen only because it was shared with a DNA relative who had their account compromised.
This may go some way to explaining the scale of the breach, also taking into account that according to 23andMe, Ashkenazi Jews and those with other European backgrounds typically have many matches on the platform.
Even if an account wasn’t itself compromised through the credential stuffing attacks, because it opted into DNA Relatives and had its DNA Relatives profile attributes shared with accounts that were accessed, it means a wide range of individuals’ data could be accessed through one compromised 23andMe account.
Data included in DNA Relative profiles includes: last login date; relationship labels (masculine, feminine, neutral); predicted relationship (eg, second cousin) and percentage of DNA shared to a matched user; and the DNA Relative display name.
Display names are configurable from the most transparent, which displays the full first and last name, to the least transparent which only shows the first initial of the first and last name.
For example, Golem posted a link to what they alleged was 23andMe CEO Anne Wojcicki’s DNA Relative profile, though the account’s display name is only “A W.”
Users can optionally share additional pieces of data, such as location, ancestor birth locations and family names, profile picture, birth year, and others.
Class-action central
Perhaps unsurprisingly, the incident has spurred a flurry of class action lawsuits against 23andMe, including five in California where the company is headquartered.
In the case of Santana vs 23andMe, plaintiffs allege that the company failed to implement “adequate and reasonable cybersecurity procedures and protocols necessary to protect victim’s PII”.
They also alleged, among many other matters, that 23andMe disregarded the rights of its users by failing to adequately secure its data systems against unauthorized intrusions and monitor its network to discover the intrusion sooner.
The claims made in Andrizzi vs 23andMe, Lamons vs 23andMe, and J.S. vs 23andMe were also very similar in nature.
Eden vs 23andMe brought claims for negligence, invasion of privacy, breach of contract, and breach of implied contract, among others. ®