The genetic testing company 23andMe is facing a class action lawsuit over its security practices after hackers stole and published data about 1 million people with Jewish ancestry.
The data breach was revealed on Friday after hackers published a database titled “ashkenazi DNA Data of Celebrities” on dark web forums. Most of the people on the list are not famous, and the database includes information such as display names, sex, birth year, and some details about users’ genetic ancestry results.
The hacker from the initial leak offered to sell data profiles in bulk for $1 to $10 per account. But as many as 7 million accounts may be in the sale — half the users of 23andMe. It is unclear whether whoever compiled the Ashkenazi list — which actually has 999,999 entries — is the same as the group that put it up for sale, NBC News reported.
23andMe is treating the leak as authentic and investigating the incident. It is also requiring its users to change their passwords.
“We are taking this issue seriously and will continue our investigation to confirm these preliminary results,” the company said in a statement.
It is also unclear why the data was stolen, and whether it is solely focused on Ashkenazi Jews. (The hacker also downloaded a separate file with data on more than 300,000 users with Chinese ancestry.)
“When data is shared relating to ethnic, national, political or other groups, sometimes it’s because those groups have been specifically targeted, but sometimes it’s because the person sharing the data thinks it’ll make reputation-boosting headlines,” Brett Callow, a threat analyst at security firm Emsisoft, told Wired.
23andMe confirmed last week that its data had been compromised but said that its systems were not breached. Instead, the company believes the hackers were able to get access to recycled passwords that had already been hacked and leaked on other websites and then used that information to scrape data through 23andMe, which gives its users access to each others’ genetic information to find relatives through a popular feature called “DNA Relatives.”
“This incident really highlights the risks associated with DNA databases,” Callow said. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”