Following a credential stuffing attack that saw the genetic details of millions of customers offered for sale online, US officials are seeking answers.
23andMe, a company specialising in genetic testing and ancestry research, confirmed on 6 October that it had fallen victim to a credential stuffing attack but that its internal systems were otherwise secure and that no data had actually been “breached”.
Nonetheless, the unknown hacker was able to scrape data from 20 million accounts, which was then offered for sale on a notorious hacking forum. Some of the data had also been bundled into different datasets based on ancestry, including one involving limited genetic information belonging to about 1 million Ashkenazi Jews.
But now, Republican Senator Bill Cassidy has penned a letter to the company’s chief executive, Anne Wojcicki, asking a range of questions regarding the incident.
“What search tools and algorithms does 23andMe use to allow large-scale downloads of user data based on specific demographics?” the letter, sent on 20 October and demanding a response by 3 November, asked. “How did hackers compile such a comprehensive list of impacted users to the dark web?”
“How was mass user data, allegedly hundreds of personal accounts per compromised user account, obtained by access to a few individual accounts?”
One of the 23andMe features that the hacker abused was the ability for customers to opt in to having their data shared with genetic relatives.
The company is also facing 16 class action lawsuits filed by its customers, asking similar questions of 23andMe. Some of the lawsuits claim that the leak could expose victims to an increased chance of identity theft, while another is concerned that the leak could lead to a rise in hate crimes.
23andMe has not responded to requests for comment from the media.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.