October 19, 2023 at 12:05PM
A cybercriminal using the alias “Golem” has uploaded a second batch of stolen profile data from biotech company 23andMe. The new leak contains an additional 4.1 million records, mainly from UK users, and appears to have a religious motivation. Golem targeted the Ashkenazi Jewish ethnic group in the first leak and made antisemitic statements in the second leak. German users are also affected. 23andMe is currently reviewing the data to determine its legitimacy. The company believes the breach was the result of a credential stuffing attack rather than a security vulnerability. Multiple class-action lawsuits have been filed against 23andMe.
Takeaway 1: A cybercriminal using the alias “Golem” has claimed to have uploaded a second batch of stolen profile data from biotech company 23andMe. The first batch contained 1 million records of people with Ashkenazi Jewish markers and targeted the ethnic group.
Takeaway 2: The second leak includes an additional 4.1 million records, mainly of UK users, and is also considered to be religiously motivated. German users are also impacted, with the cybercriminal claiming that only one-third of German-origin users are included in this batch.
Takeaway 3: Golem made an antisemitic statement in the BreachForums post, suggesting that the new data includes more Ashkenazi DNA samples and characterizing them as belonging to wealthy Zionists due to their genetics. They also accused German chancellor Olof Scholz of “serving Zionism.”
Takeaway 4: 23andMe is currently reviewing the data to determine its legitimacy. They are investigating the breach and will inform affected customers if their data has been accessed without authorization.
Takeaway 5: The initial breach occurred on October 2, when Golem posted a link to 1 million records of 23andMe profiles with Ashkenazi Jewish markers on BreachForums. The leak was likely the result of a credential stuffing attack rather than a security vulnerability.
Takeaway 6: The leaked data affected accounts that opted into the DNA Relatives feature, where users can be paired up with others based on shared DNA. Some accounts were directly accessed, while others had their information stolen because it was shared with a compromised DNA relative.
Takeaway 7: The data included in DNA Relative profiles consists of various attributes such as last login date, relationship labels, predicted relationship, and percentage of DNA shared. Display names can be configured to show varying levels of transparency.
Takeaway 8: The breach has led to several class-action lawsuits against 23andMe, alleging the company’s failure to implement adequate cybersecurity procedures and protect users’ personally identifiable information. The claims also include negligence, invasion of privacy, breach of contract, and breach of implied contract.