Hackers are selling millions of 23andMe records online

Two weeks after a hacker calling himself Golem leaked stolen user data from the genetic testing company 23andMe, he published an even larger data set. This second release, containing the records of approximately four million users, appeared Tuesday on the cybercrime forum BreachForums. According to TechCrunch, some of the leaked data matches known and publicly available 23andMe data.

Golem claims the data covers individuals from Great Britain, as well as affluent people in the United States and Western Europe. 23andMe did not immediately comment on the new release. It was just over a month ago, on October 6, that the company admitted the data exposure, linking the breach to a well-documented attack method known as credential stuffing.

Cybercriminals using this technique test already-public combinations of usernames, emails, and passwords from other breaches against new targets. After the disclosure, 23andMe urged its users to change their passwords and enable multi-factor authentication. In an official statement addressing the breach, the company said it had begun an in-depth investigation with the assistance of third-party forensic experts.
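On the defending side, credential stuffing leaves a recognizable trace in login logs: one source trying many different accounts, with most attempts failing. The following is an added example, not code from 23andMe or from this article; the log format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them against real traffic.
WINDOW = timedelta(minutes=10)  # look-back window per source address
MIN_ACCOUNTS = 5                # distinct usernames tried by one source
MIN_FAIL_RATIO = 0.8            # most reused credentials do not work

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-10-01T09:00:01 203.0.113.7 alice@example.com FAIL
2023-10-01T09:00:03 203.0.113.7 bob@example.com FAIL
2023-10-01T09:00:05 203.0.113.7 dana@example.com OK
2023-10-01T09:00:08 203.0.113.7 erin@example.com FAIL
2023-10-01T09:00:11 203.0.113.7 frank@example.com FAIL
2023-10-01T09:00:14 203.0.113.7 gina@example.com FAIL
2023-10-01T09:01:00 198.51.100.20 carol@example.com FAIL
2023-10-01T09:01:05 198.51.100.20 carol@example.com FAIL
2023-10-01T09:01:09 198.51.100.20 carol@example.com OK
2023-10-01T09:02:00 192.0.2.44 hank@example.com OK
2023-10-01T09:02:10 192.0.2.44 ivy@example.com OK
2023-10-01T09:02:20 192.0.2.44 june@example.com OK
2023-10-01T09:02:30 192.0.2.44 kim@example.com OK
2023-10-01T09:02:40 192.0.2.44 lee@example.com OK
""".splitlines()

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines):
    """Map each suspicious source IP to the accounts it logged in to."""
    recent = defaultdict(deque)  # ip -> (ts, user, ok) events inside WINDOW
    flagged = defaultdict(set)
    for ts, ip, user, ok in sorted(map(parse, lines)):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, o in q if not o)
        # Many accounts, mostly failing (not one forgotten password, not an office NAT).
        if len(users) >= MIN_ACCOUNTS and fails / len(q) >= MIN_FAIL_RATIO:
            flagged[ip].update(u for _, u, o in q if o)
    return {ip: sorted(accts) for ip, accts in flagged.items()}

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(ip, "-> force password reset for:", accounts)
```

A per-address window misses attempts spread across many source addresses, so the same counting is usually repeated over broader keys such as network or client fingerprint.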

It blamed its users for password reuse and named the opt-in DNA Relatives feature, which allows users to view data of others with similar genetic information, as a potential vulnerability. Theoretically, a hacker could extract data from multiple accounts after breaking into just one, provided users had this feature activated. Nonetheless, many questions about the breach remain open. The exact method of the data theft, the volume of stolen user data, and the hacker's ultimate intention are still unknown.

The timeframe of the breach is also uncertain. An advertisement posted by a hacker on the Hydra cybercrime forum on August 11 offered a cache of 23andMe data, some of which matched the recently exposed records, so the activity may have been in progress for several months. The hacker on that forum claimed to have 300 terabytes of 23andMe user data, although no evidence was provided to substantiate this claim. The full reach and impact of the breach remain unknown, and 23andMe itself appears to still be assessing the full extent of the stolen data.

John Biggs

John Biggs is an entrepreneur, consultant, writer, and maker. He spent fifteen years as an editor for Gizmodo, CrunchGear, and TechCrunch and has a deep background in hardware startups, 3D printing, and blockchain. His work has appeared in Men’s Health, Wired, and the New York Times.
