The same hacker who leaked a trove of user data stolen from the genetic testing company 23andMe two weeks ago has now leaked millions of new user records.
On Tuesday, a hacker who goes by Golem published a new dataset of 23andMe user information containing records of four million users on the known cybercrime forum BreachForums. TechCrunch has found that some of the newly leaked stolen data matches known and public 23andMe user and genetic information.
Golem claimed the dataset contains information on people who come from Great Britain, including data from “the wealthiest people living in the U.S. and Western Europe on this list.”
23andMe spokesperson Andy Kill said in an emailed statement that the company was made aware of this new leak today, and that it is “reviewing the data to determine if it is legitimate.”
On October 6, 23andMe announced that hackers had obtained some user data, claiming that to amass the stolen data the hackers used credential stuffing — a common technique where hackers try combinations of usernames or emails and corresponding passwords that are already public from other data breaches.
Contact Us
Do you have more information about the 23andMe incident? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email lorenzo@techcrunch.com. You also can contact TechCrunch via SecureDrop.
In response to the incident, 23andMe prompted users to change their passwords and encouraged switching on multi-factor authentication. On its official page addressing the incident, 23andMe said it has launched an investigation with help from “third-party forensic experts.” 23andMe blamed the incident on its customers for reusing passwords, and an opt-in feature called DNA Relatives, which allows users to see the data of other opted-in users whose genetic data matches theirs. If a user had this feature turned on, in theory it would allow hackers to scrape data on more than one user by breaking into a single user’s account.
There are still a lot of unanswered questions about this incident. It’s not known if the hackers actually used credential stuffing and not another technique to steal the data, how much user data was stolen, and what the hackers intend to do with it.
The incident appears to have been conducted, or at least launched, several months ago. On August 11, a hacker on another cybercrime forum called Hydra advertised a set of 23andMe user data. That set of user data matched some of the user records leaked two weeks ago, according to a TechCrunch analysis.
On Hydra, the hacker claimed to have 300 terabytes of 23andMe user data, though the hacker did not provide any evidence for this claim.
Regardless of the many unanswered questions, what’s clear is that we still don’t know the full extent of this data leak. And it’s not clear that 23andMe knows yet how much data was taken.
UPDATE, October 18, 5:32 p.m. ET: This story was updated to include the statement from 23andMe’s spokesperson.