
Hackers selling 23andMe profile data online with users’ repeat passwords

It's believed that they accessed a small number of individuals' accounts, then scraped more data through the relatives feature

Data profiles of 23andMe users are being sold online by hackers. Those responsible posted on the dark web site BreachForums about their collection of “the DNA profiles of millions,” being sold for around $10 USD (around $13.50 CAD) per profile.

BreachForums user Golem said the data includes “tailored ethnic groupings,” the “world’s top business magnates,” and “dynasties often whispered about in conspiracy theories.”

As proof, the hackers posted a sample on BreachForums: data about 1 million individuals, all of whom are supposedly of Ashkenazi Jewish descent. According to NBC, the people in this database are those who have Ashkenazi Jewish in one of their top three “populations,” as they’re sorted by 23andMe.

At first, 23andMe claimed there was no evidence of a breach. Now, it has acknowledged that data has been “compiled from individual 23andMe.com accounts without the account users’ authorization” and that there is an ongoing investigation with “the assistance of third-party forensic experts” and “federal law enforcement officials.”

At the time of this writing, 23andMe speculates that the data was not obtained through an external attack on its systems. Instead, the hackers were able to use individuals’ login credentials that had been exposed in other leaks. If a user had the same login credentials on 23andMe.com as they did elsewhere, the hackers could log in to the account and scrape data.

A spokesperson told The Record that the hackers probably did not access the account of everyone included in the leak, but “rather gained unauthorized entry to a much smaller number of 23andMe accounts and scraped data from their DNA Relative matches.”

A researcher approached The Record to comment on the data, having downloaded and analyzed two databases from the hackers.

“It’s very concerning that 23andme has such a big loophole in their website design and security where they are just freely exposing people’s info just by typing a profile ID into the URL,” they said. “Especially for a website that deals with people’s genetic data and personal information. What a botch job by the company.”

The researcher opted to stay anonymous, saying: “I’ve tried contacting 23andme however they keep denying that there is anything wrong and are replying with cookie cutter responses. I don’t know how to prove this without doxing myself. But this is pretty serious and no one is taking it seriously.”

23andMe says users will be contacted directly if their data was part of the leak.

Targeted communities

The hackers made two databases available on BreachForums, and are now selling access to the rest. The first was the one containing records of Ashkenazi Jews.

According to NBC News, the database is called “ashkenazi DNA Data of Celebrities” but it noted that most of the individuals aren’t famous. NBC was also able to verify the authenticity of the data and spoke to one individual who appeared in the data.

“Crazy, this could be used by Nazis,” that individual said.

Ronnie Tokazowski is a longtime digital scams researcher who spoke to Wired about the leak.

“The fact that it’s claiming to target a Jewish population or celebrities—it’s not shocking. It reflects the underbelly of the internet,” Tokazowski said.

The second database included the profiles of 300,000 people of Chinese descent.

“When data is shared relating to ethnic, national, political or other groups, sometimes it’s because those groups have been specifically targeted, but sometimes it’s because the person sharing the data thinks it’ll make reputation-boosting headlines,” Brett Callow, a threat analyst at security firm Emsisoft, told Wired.

Stock manipulation allegations

In addition, 23andMe is facing allegations about its stock value due to claims made on BreachForums and Reddit.

DarkWebInformer on X (formerly Twitter) posted a screenshot of a user, whose username is blurred, saying:

“Some users on Reddit have claimed that we are manipulating the stock value of 23andMe. They are mistaken! …those who shorted the stock were close relatives of the CEO. In fact, the company management learned that they were hacked 2 months ago, and they started a quick sell-off wave before the hacking news spread.”

23andMe stock did drop around that time, from $1.92 USD at the end of July to $1.10 USD at the end of August. At the time of this writing, its stock is $0.90 USD. The peak of its stock in 2023 was $2.87 USD in February.

MobileSyrup has reached out to 23andMe for comment, but it has not responded publicly to these allegations at the time of this writing. Other organizations, such as TechRadar, have reached out on this subject and received no comment yet.

Sources: TechRadar, The Record, Wired, NBC News
