Posts Tagged: breached

23andMe user data breached in credential-stuffing attack

Biotech company 23andMe, known for its DNA testing kits, confirmed to BleepingComputer that its user data is circulating on hacker forums. The company said the leak occurred through a credential-stuffing attack.

A credential-stuffing attack involves user information that has already been compromised (usernames and passwords, for example) from one organization, which a hacker obtains and attempts to reuse with a second organization — in this case, 23andMe. Because of the nature of credential-stuffing, it does not appear this was a breach of the company’s internal systems. Rather, accounts were broken into piecemeal. The perpetrators of this attack appear to have obtained quite sensitive information from the compromised accounts (genetic testing results, photos, full names and geographical location, among other things).

The initial leak comprised “1 million lines of data for Ashkenazi people,” according to BleepingComputer. By October 4, data was being offered for sale in bulk, in increments of 100, 1,000, 10,000 or 100,000 profiles. The scale of the attack is as yet unknown, but the scope of its impact has likely been exacerbated by 23andMe’s ‘DNA Relatives’ feature. “Relatives are identified by comparing your DNA with the DNA of other 23andMe members who are participating in the DNA Relatives feature,” the company states. After accessing an unknown number of profiles via credential-stuffing, the threat actor behind this breach apparently scraped the ‘DNA Relatives’ results for those profiles, netting much more sensitive data. According to the same FAQ page, “The number of relatives listed [..] grows over time as more people join 23andMe.” For the fiscal year 2023, the company reported it “genotyped” around 14 million customers.

Ever since 23andMe went public in 2021, the company has faced extra scrutiny for its data protection practices — rightly so, since it deals with sensitive medical data derived from saliva sampling, including predispositions for diseases like Alzheimer’s, Type 2 diabetes and even cancer. On its website the company claims it “exceeds” data protection standards for its industry.

This article originally appeared on Engadget at https://www.engadget.com/23andme-user-data-breached-in-credential-stuffing-attack-231757254.html?src=rss

2 million T-Mobile customers had their data breached on August 20th

T-Mobile has announced that a few days ago on August 20th, their information systems were compromised and hackers were able to swipe some data from 2 million customers, which is around 3% of the carrier’s total customer base. Data breaches like this are always bad news, but this one could be worse. The carrier reports that […]


TalkAndroid

Hacked? app for Windows 10 notifies you if online accounts are breached

The Hacked? Windows 10 app takes your email address and automates the notification process if your credentials ended up in the latest data breach catalog.

The post Hacked? app for Windows 10 notifies you if online accounts are breached appeared first on Digital Trends.


Samsung Pay wasn’t breached in state-sponsored LoopPay hack, executives say

LoopPay, the company behind a core technology of Samsung Pay, suffered a network breach at the hands of Chinese hackers earlier this year. Payments information wasn’t compromised, LoopPay claims.

The post Samsung Pay wasn’t breached in state-sponsored LoopPay hack, executives say appeared first on Digital Trends.
