23andMe user data is being offered for sale online after the data was apparently stolen from compromised accounts.
According to BleepingComputer, the DNA testing company confirmed that customer data was stolen in a credential-stuffing attack, using credentials that were exposed in other breaches.
“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” 23andMe’s spokesperson told BleepingComputer.
“We do not have any indication at this time that there has been a data security incident within our systems.”
“Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”
The stolen data includes “full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.”