Hacker leaks millions more 23andMe user records on cybercrime forum

[23abc]

so what is next , deactivated active account in 23andME after sunday ?

I will definitely not delete my account. He already has our data, and based on screenshots I've read from another forum, our data was supposedly already sold over 2 months ago to someone in China and someone in Iran. So if Golem is the same person who was selling our data in August, he has already sold it before.

And if Golem is not the same seller as in August, then 23andMe has let multiple attackers gather the same data. Especially troubling if Golem did his attack after the August leak, because it would mean that even when they knew of a massive breach, they ignored it and did not even try to fix the website.

[Capsian20]

so what is next , deactivated active account in 23andME after sunday ?

I will definitely not delete my account. He already has our data, and based on screenshots I've read from another forum, our data was supposedly already sold over 2 months ago to someone in China and someone in Iran. So if Golem is the same person who was selling our data in August, he has already sold it before.
And if Golem is not the same seller as in August, then 23andMe has let multiple attackers gather the same data. Especially troubling if Golem did his attack after the August leak, because it would mean that even when they knew of a massive breach, they ignored it and did not even try to fix the website.

No i don't delete my account too

[Polska]

Interesting to note that Elon Musk might belong to haplogroup (Y DNA) O-F1150.

I’m guessing that’s why the comment was made regarding a migration of his descendants from SE Asia to Madagascar.

If true, his male line descends from the Austronesian People.

https://en.wikipedia.org/wiki/Austronesian_peoples

[Riverman]

so what is next , deactivated active account in 23andME after sunday ?

I will definitely not delete my account. He already has our data, and based on screenshots I've read from another forum, our data was supposedly already sold over 2 months ago to someone in China and someone in Iran. So if Golem is the same person who was selling our data in August, he has already sold it before.

And if Golem is not the same seller as in August, then 23andMe has let multiple attackers gather the same data. Especially troubling if Golem did his attack after the August leak, because it would mean that even when they knew of a massive breach, they ignored it and did not even try to fix the website.

Agreed. First the data is gone, second the usefulness of the stolen data is debatable and third I think the individual might be an impostor. If you want to blackmail somebody, you always exaggerate your ability and the potential damage.

On the other hand, if 23andMe didn't even react after the security issues were brought to them, its a big disappointment.

[Valkyrie]

I only skimmed through what Golem said.  Today is Sunday, the deadline to delete my 23andMe account.  Should I delete it or leave it alone?  I tested with them twice.  First time was in 2009 and I deleted it.  Retested last year or this year.  I don't remember when exactly.

[Valkyrie]

Okay, I deleted my 23andMe account. Here is part of what they said in an email to me a few minutes ago:

Once you confirm your request to delete your 23andMe account and Personal Information, 23andMe will begin processing your request and you will no longer have access to your account. Any pending requests for Personal Information made within your Account Settings will not be completed. This decision cannot be cancelled, undone, withdrawn, or reversed.

Click the button below to confirm your deletion request, which will terminate your relationship with 23andMe and irreversibly delete your account and Personal Information. Please note that you may need to sign in to your account if you are not currently signed in.

[AimSmall]

Why did you choose do delete your account?

[Valkyrie]

Because today is the last day to delete it.

[Capsian20]

Why did you choose do delete your account?

What do you choose ? 
I choose don't delete my account

[AimSmall]

I'm not deleting my account. To what end? Somebody might see a few alleles? See I'm prone to hairy toes?

We publish our details and results all over the place. 1/4 of one percent of my DNA.... just not too excited over it.

As for who I'm related to... I publish and share that stuff far and wide.

[Rober_tce]

I’m not going to delete my 23andMe account. In case this hacker caught my own information, what fix we with it? Anyway, I don’t think this hacker have could recopilate so much quantity of information of millions of users.

[Riverman]

I'm not deleting my account.  To what end?  Somebody might see a few alleles?  See I'm prone to hairy toes?

We publish our details and results all over the place.  1/4 of one percent of my DNA.... just not too excited over it.

As for who I'm related to... I publish and share that stuff far and wide.

Exactly, its not really a high quality, whole genome test. 23andMe data can only predict a limited number of traits and diseases. And before anything else, its not even clear and proven that he got that raw data from anybody else but some compromised accounts.
Its a bad situation, but no reason to panic and throw everything out of the window. Like if people ask why even prominent people did use the test: Most of these people have public genealogies of their families anyway, its not like Rothschilds are hiding they are Jewish

If people did share their profiles with matches, it was half public before that leak already. Therefore the situation is very unpleasant, especiallly that private login data and information was stolen from the compromised accounts, and of course this huge PR disaster for DNA testing in general, but its not as bad as it could be.

A true worst case scenario would have been that the hacker got into the 23andMe system and got the logins, passwords from the system, could download and acquire all information from 23andMe, including all raw data and especially payment information.

Unfortunately such things, as horrible as they are, might happen and will happen in the future on various platforms. I would wish my DNA raw data and analyses would be safer, but they are not my primary privacy concern by comparison, at the moment.

[Magnom]

The current topic is misleading because there is no evidence of millions of 23andMe users' data being leaked to the public.

It is still unclear how many compromised accounts have been accessed and how many DNA relatives' profiles have been "scraped." This lack of clarity is due to 23andMe's non-transparency regarding their findings, which should have been reconstructed or at least estimated by either the company or third-party forensics by now.

The (so far unknown?) hacker Golem appears to have knowledge of the 23andMe API and an understanding of DNA matching and data mechanisms.

When you as autosomal match portal user choose to share with DNA relatives, a primary purpose of atDNA genetic genealogy, you are essentially "publishing" a part of your genome, at least to the extent of your matches.

It is unfortunate that some of the saved genealogical and ancestry information, intended only for those who share both DNA and a genetic genealogy interest, could now be misused by anyone who pays for or accesses and analyzes the data. This serves as a reminder to share only absolutely necessary information and to use pseudonyms for relatives who may not fully understand what is happening. The misuse of data from relatives and friends, managed by a single genetic genealogist, could lead these individuals to become unfriendly towards genetic genealogy.

The email sent out by 23andMe today certainly adds credibility to Golem's claims:

We are following up on an email that we sent earlier this month regarding our ongoing security investigation. We learned that certain profile information – which a customer creates and chooses to share with their genetic relatives in the DNA Relatives feature – was accessed from individual 23andMe.com accounts without the account users’ authorization. While our investigation is ongoing, we believe the threat actor was able to access certain accounts in instances where the usernames and passwords that were used on 23andMe.com were the same as those used on other websites that had been previously compromised or otherwise available.

How does this impact you?
After further review, we have identified your DNA Relatives profile as one that was impacted in this incident. Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor. You can see a full list of the types of information that you may have included in your profile here. You can view what information is currently included in your DNA Relatives profile and make changes here.

Based on our investigation so far, we believe only your DNA Relatives profile attributes were exposed.

What is 23andMe doing about this?
We are working with third-party forensic experts on this investigation, as well as federal law enforcement. We have also required all customers to reset their passwords.

Security and privacy are the highest priorities at 23andMe. We exceed industry data protection standards and have achieved three different ISO certifications to demonstrate the strength of our security program. We actively and routinely monitor and audit our systems to ensure that your data is protected. When we receive information through those processes or from other sources claiming customer data has been accessed by unauthorized individuals, we immediately investigate to validate whether this information is accurate. Beginning in 2019, we’ve offered and encouraged users to use multi-factor authentication (MFA), which provides an extra layer of security and can prevent bad actors from accessing an account through recycled passwords.

What should I do?
We encourage you to take additional action to keep your account and password secure. This includes the following steps:

    Make sure your 23andMe password is not used for other accounts, meaning it’s unique to your 23andMe account.
    Enable multi-factor authentification (MFA) on your 23andMe account: Adding 2-Step Verification To Your 23andMe Account.

23andMe is here to support you. Please contact Customer Care at [email protected] if you need assistance. You can refer to our blog post for future updates on this investigation.

[Magnom]

I would like to add that I find it astonishing that 23andMe appears to have had no internal security alerts regarding the significant "scraping access" and the activity likely stemming from numerous compromised logins and accounts.

Another thought to consider: In my opinion, users with no close "compromised" matches (roughly those over 100 centimorgans or so) should be relatively safe from any significant raw data reconstruction. 

More external information: 

At least four class action complaints have been submitted in California (Santana, Eden, Andrizzi, Lamons) seeking relief for the damage done by 23andMe's failure to protect their data.
The lawsuits highlight a lack of information in the company's official announcement regarding the security event, the current status of customer data safety, the network breach's duration, and the cyberattack's exact mechanism.
Also, they criticize 23andMe for failing to implement adequate security measures that would help monitor its network for abnormal activity and potentially take action to stop the intrusion much sooner.
https://www.bleepingcomputer.com/news/se...-data/amp/

"credential stuffing" attack
https://www.cloudflare.com/learning/bots...-stuffing/

23andMe: Columbus Woman Scared After DNA Leaked By Hackers
https://abc6onyourside.com/news/local/23...reach-leak

[Magnom]

From October 18, 2023 https://www.bleepingcomputer.com/news/se...-profiles/

Another 4.1 million data packs leaked
Yesterday, a threat actor named 'Golem,' who is allegedly behind the 23andMe attacks, leaked an additional 4.1 million data profiles of people in Great Britain and Germany on the BreachForums hacking forum.
This additional leak includes 4,011,607 lines of 23andMe data for people living in Great Britain.
The threat actors claim that the stolen data includes genetic information on the royal family, the Rothschilds, and the Rockefellers. BleepingComputer has not been able to confirm if these statements are accurate.
"You can see the wealthiest people living in the US and Western Europe on this list," the hackers say in the below forum post.
Today, the same hacker released an additional CSV file containing the 23andMe data of 139,172 people living in Germany.
As reported by TechCrunch, some of the newly leaked data from Great Britain has been verified as matching known and public user and genetic information.
TechCrunch also reports that some of the leaked 23andMe data was being sold in August 2023 on the now-shutdown Hydra hacking forum, where the threat actor claimed to have stolen 300 terabytes of data.
The threat actor on BreachForums also claims to have "hundreds of TBs of data" in their possession, likely indicating that this is the same stolen data.
In a new statement to BleepingComputer, 23andMe says they are aware of the new leak of data and are investigating.
"Today we were made aware that the threat actor involved in this investigation posted what they claim to be additional customer DNA Relative profile information," 23andMe told BleepingComputer.
"We are currently reviewing the data to determine if it is legitimate. Our investigation is ongoing and if we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information."
With the amount of allegedly stolen information, we will likely continue to see further data leaks as the threat actor attempts to drum up enough interest to get a buyer.
While 23andMe says that only a small number of customer accounts were breached, the DNA Relatives feature turned this into a significantly larger data leak.
These leaks have already led to a myriad of lawsuits against 23andMe that claim there is a lack of information about the breach and that the company did not adequately protect customers' data.
Update 10/19/23: Added 23andMe statement.

So the topic seems to be not misleading anymore even if the data is not (yet) public.