23andMe user data stolen and listed for sale in attack targeting Ashkenazi Jews

Genomics company 23andMe confirmed Friday that user data was stolen by attackers who guessed login information of a subset of users through a recycled password attack, then accessed more information through a feature that allows users to share information with others, according to multiple outlets.
23andMe was founded in 2006. (Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images)

Key Takeaways
  • A data sample from the attack was posted on hacker forums, including one website where hackers claimed the sample contained 1 million data points belonging to Ashkenazi Jews.
  • An attacker offered the data profiles for purchase on Wednesday with profiles being sold for between $1 and $10 per account, according to Wired, which reported entries for tech billionaires Mark Zuckerberg and Elon Musk were included in the sample—though it is unclear if the entries are legitimate.
  • An investigation into the legitimacy of the data is ongoing, though the leaked data is consistent with an internal company situation in which some accounts were exposed and used to access more data through 23andMe’s DNA Relatives feature, according to Wired.
  • Customer profile information was gathered through access to individual accounts, though the company itself was not breached.
  • The data doesn’t appear to include the raw genetic data the company analyzes and instead includes information like sex, birth year, genetic ancestry results and geographic ancestry information.

Crucial Quote

“We do not have any indication at this time that there has been a data security incident within our systems,” a 23andMe spokesperson told Forbes. “Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

Tangent

23andMe’s stock closed down more than 1% at $0.86 Friday, continuing a downward trend that first started in October 2021, when the company’s stock was trading at more than $11 per share.

Key Background

23andMe and other companies that provide individuals with DNA tests have faced scrutiny from privacy advocates and regulators over the storage and potential use of sensitive data. A Stanford University privacy specialist told the Guardian in 2021 that the question when it comes to providing companies with genetic information is “where the data is going and why these different companies and investors have a financial interest in your genetic data.”

23andMe, which went public two years ago through a Richard Branson SPAC, provides consumers with ancestral information and health advice ranging from dietary suggestions to what diseases or conditions users and their children may be prone to based on their genetic makeup. The genome company has repeatedly said its user data is only shared outside the company through opt-in agreements and is explicitly shared as anonymized sets of data.


This article was first published on forbes.com and all figures are in USD.

Avatar of Antonio Pequeño IV