A hacker is offering to sell records identifying names, locations and ethnicities of potentially millions of customers of genetic testing company 23andMe, beginning by touting a batch that would contain data of those with Jewish ancestry.
A 23andMe spokeswoman confirmed that the leak contained samples of genuine data and said the company is investigating. She said it appeared likely that the hacker or accomplices used a common technique called credential stuffing: Taking username-and-password combinations published or sold after breaches at other companies, and trying those combinations to see which were reused by 23andMe customers. When the hacker found logins that worked, they copied all the information made available to legitimate users by their relatives, sometimes hundreds of them per account.
The company said it had reported the matter to law enforcement and that this was the first incident of its kind at the firm.
The data does not include genomic details, which are especially sensitive, but does include usernames, regional locations, profile photos, and birth years. The usernames are often something other than full legal names.
23andMe said it was encouraging users to change their passwords and use two-factor authentication to prevent others from logging in under their name. Online posts offering the data for sale in underground forums said buyers could acquire 100 profiles for $1,000 or as many as 100,000 for $100,000. One post said the person had uploaded a large database of Ashkenazi Jews. The company spokeswoman said that would include people with even 1% Jewish ancestry.
Some of the posts used the handle “Golem,” a reference to a humanoid beast in Jewish folk tales.
The data taken from 23andMe could cover more than half of the company’s 14 million customers, based on the number of people who have opted to make their data visible to relatives, including distant cousins.
While the reference to Jews might have been designed to draw attention and increase the odds of transactions, it comes during a time of increased rhetorical and physical attacks on Jews in the United States. Antisemitism has gotten more traction in the past year on social networks for conspiracy theories that blame Jews for illegal immigration, media manipulation or financial misdeeds.
You don’t need multiple failed logins if you have the email and password though
They could force 2FA if the login is coming from a new IP.
If Steam can do it, so can 23andme.