User information from 23andMe’s platform is circulating on hacker forums. 23andMe has acknowledged this to BleepingComputer and attributed the leak to a credential-stuffing attack.

23andMe is an American biotechnology and genomics company. Clients who send a saliva sample to its labs receive an ancestry and genetic predispositions report.

A threat actor recently leaked samples of data purportedly stolen from the genetics company and then offered to sell data packs belonging to 23andMe customers.


The original data leak was small: the threat actor released only 1 million lines of data about Ashkenazi people. On October 4, however, the threat actor offered to sell data profiles in bulk, with prices ranging from $1 to $10 per 23andMe account depending on the quantity purchased.


A 23andMe representative confirmed the accuracy of the information and told BleepingComputer that the threat actors gained access to 23andMe accounts using exposed credentials from earlier hacks and stole sensitive data.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” stated 23andMe’s spokeswoman.

“We do not have any indication at this time that there has been a data security incident within our systems.”

“Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

The data that has been made public as a result of this incident includes full names, usernames, profile photographs, sex, birthdates, genetic ancestry information, and locations.

The number of accounts the cybercriminal sold does not correspond to the number of 23andMe accounts that were compromised using exposed credentials, according to information obtained by BleepingComputer.

The hijacked accounts had the platform’s ‘DNA Relatives’ feature activated, which enables users to locate and communicate with genetic relatives.

The threat actor gained access to a small number of 23andMe accounts and then scraped the information of their DNA Relative matches, showing how opting into a feature can have unanticipated privacy repercussions.

According to 23andMe, the site offers two-factor authentication as an extra layer of account security and strongly urges all users to enable it.

Users should avoid using the same passwords more than once and always use secure, unique credentials for each online account they have.