Those hackers who claim to have access to the names, photos, birth details, and ethnicities of potentially millions of 23andMe customers are peddling the information on the dark web for thousands of dollars.
The data appears to have been gathered from user credentials that were exposed in previous data breaches, and the company's security systems have not been breached, 23andMe said.
The company was aware of the attack in a post in Reddit, which appears to have been deleted by the platform. Since then, hackers have taken to hawking the data on the cybercrime marketplace, BreachForums.
One anonymous seller on BreachForums earlier this week advertises the data as containing s top business magnates to dynasties often whispered about in conspiracy theories, indicating that each set of data also came with corresponding email addresses, based on a repost of the ad on X. Wired reported that the data contains entries for tech execs such as Mark Zuckerberg, Sergey Brin, and Elon Musk. Anne Wojcicki, the sister of former YouTube CEO Susan Wojcicki and former ex-wife of Sergey Brin, manages the company.
The vendor offered profile bundles starting at $1000 for 100 profiles going all the way up to $100,000 for 100,000 profiles, noting that for each bulk purchase of 10,000, they'd offer the flexibility of incremental payments.
Another post on BreachForums, also on X, said that the data contained 'half of the members of 23andMe'. The company has a total of 14 million users, but has yet to confirm the number of stolen user accounts and also noted that no raw genetic data was shared.
The FBI said it gained access to a much smaller number of user accounts, but managed to scrape the data of multiple other 23andMe users through a feature called DNA Relatives. The feature enables users to connect and see information about other users they shared a'recent ancestor' with - which they define as less than nine generations back on their website.
23andMe said it did not confirm whether the attack was directed toward any specific ethnic group. A BreachForums post earlier this week claimed that the data sample was '1 million Ashkenazi database', though an individual could be classified as Ashkenazi Jew even with just 1% Jewish ancestry. 23andMe notes that ancestors with European or Ashkenazi ancestry are likely to have many matches via the DNA Relatives feature compared to people with Asian or Middle Eastern ancestry. There are hundreds of thousands of users of Chinese descent impacted by the leak, Wired reported.
23andMe, launched in 2006, made waves for its saliva tests that could detect for genetic predispositions, ancestry, and inherited traits. The company, which shares anonymous user data with their consent with third parties, encourages users to enable multi-factor authentication to prevent further attacks.