Hundreds of thousands of Brits who used 23andMe to test their DNA were today urged to change their passwords after a hacker named ‘Golem’ leaked 4million genetic profiles.
Golem has leaked millions of new user records and claims it contains data linked to the British Royal Family and dynasties such as the Rothschilds and Rockefellers.
Chillingly the hacker has said that the massive release is to target ‘families serving Zionism’, sparking fears it could be used to target users based on their ethnicity, especially the Jewish community.
The dataset includes four million 23andMe customers who have ancestry in Great Britain, Golem has claimed, saying the genetic profiles include ‘the wealthiest people living in the US and Western Europe.’
23andMe’s CEO Anne Wojcicki is said to be worth $850million and co-founded the business in 2006. She was married to Google co-founder Sergey Brin for eight years, becoming one of America’s richest couples until their divorce. She is yet to comment on the alleged data breach – but a spokesman for the company said it is ‘reviewing the data to determine if it is legitimate.’
For £99 23andMe users are sent a kit in the post. They spit in a saliva collection tube and send it back to a lab. Within three to four weeks a report detailing their DNA and ancestry is created online via a password-protected account. For £238 the DNA is analysed for health data including chance of cancer, heart attack and high blood pressure.
Golem has claimed that the stolen detailed DNA profiles include email addresses, photos, gender, date of birth and genetic ancestry. Posts online suggest profiles are $10 each or $1 if bulk bought in blocks of 100,000 – but a chunk of 4million were allegedly leaked online.
Do you have a 23andMe account? Email [email protected]
A hacker has released millions of additional genetic profiles stolen from DNA testing firm 23andMe, claiming that the leaked dataset includes members of the British royal family
23andMe’s CEO Anne Wojcicki is said to be worth $850million and co-founded business in 2006. She was married to Google co-founder Sergey Brin (pictured together) for eight years until the Silicon Valley power couple’s divorce. She is yet to comment on the alleged data breach
The Royal Family is seen in a file photo. A hacker claims to have published DNA from four million people with British ancestry, including members of the Royal Family
‘There are samples from hundreds of families, including the royal family, Rothschilds, Rockefellers and more,’ the hacker added, referring to the wealthy European and American families, respectively.
A spokesperson for Buckingham Palace did not immediately respond to a request for comment.
At least some of the newly leaked stolen data matches known and public 23andMe user and genetic information, according to TechCrunch, supporting the authenticity of the leak.
Golem on Wednesday posted another nearly 140,000 stolen genetic profiles from 23andMe users with German ancestry, again citing hostility towards Israel in the midst of that country’s recent war with Hamas.
The hacker accused German Chancellor Olaf Scholz of ‘serving Zionism’ and said the release consisted of one-third of the total profiles with German origin in the stolen database, threatening to release more if Germany maintains its support for Israel.
Cybersecurity experts had more questions than answers about the apparent breach.
‘Little is known about this hack. Who was responsible? Was their motivation financial or political? Was 23andMe specifically targeted? How did the hacker obtain the data?’ Brett Callow, a threat analyst with cybersecurity firm Emsisoft, told DailyMail.com.
‘We don’t yet have conclusive answers to any of the questions. One thing that is obvious, however, is that giving your DNA to a third-party is not without risk,’ he added.
The latest tranche of leaks follows offers from the hacker to sell stolen DNA profiles, and a prior leak of millions of profiles of people with Jewish and Chinese ancestry.
‘These breaches are getting more brazen and more worrisome,’ Dimitri Sirota, the CEO of data security firm BigID, told DailyMail.com.
‘They are targeting contextual identifiers like membership in an ethnic group. This could be used for targeted campaigns by ethnicity, race, gender, political affiliation or membership in another group,’ he added, saying it raised concerns about cyber breaches turning into ‘hate crimes’.
Golem, the hacker posting the stolen data, appears to have initially offered the profiles for sale for $10 per profile or less if bought in bulk
The email received by customers informing them of the data breach
23andMe has said it did not detect any system-wide breaches, and claimed the data may have been stolen from individual users who re-used passwords that had been breached on other sites.
If that is the case, the hackers may have only breached a limited number of accounts, but scraped millions of profiles using the ‘DNA Relatives’ feature that 23andMe users can opt into to find information about family members.
Golem, the hacker posting the stolen data, appears to have initially offered the profiles for sale, and wrote on Wednesday: ‘I would like to remind you that even the data I’m sharing here is extremely valuable.’
But the hacker in the recent leaks sounded more politically motivated, lashing out at Israel and citing a recent explosion at a hospital in Gaza that killed hundreds as motive for releasing the new genetic profiles.
Palestinians blame Israel for the blast, while Israel says the hospital was struck by a misfired rocket launched by militants within Gaza.
‘I’m not a Muslim, but I’m holding myself back with difficulty from uploading hundreds of [terabytes] of data to torrents due to the despicable Israel attacking the hospital,’ wrote Golem.
23andMe is a leader in the $3 billion genetic testing market. For prices up to $200, customers can take a test which reveals their ethnic background
23andMe said in a statement on Wednesday: ‘We recently learned that certain profile information – which a customer creates and chooses to share with their genetic relatives in the DNA Relatives feature – was accessed from individual 23andMe.com accounts without their authorization.
‘We immediately started an investigation and do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.
‘Our investigation indicates the threat actor was able to access certain customer accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.
‘We have since notified customers and taken additional security measures, including requiring all accounts to go through a password reset and advising customers to enable multi-factor authentication. We are working with outside forensic experts as part of our ongoing investigation, as well as with federal law enforcement.
‘Today we were made aware that the threat actor involved in this investigation posted what they claim to be additional customer DNA Relative profile information. We are currently reviewing the data to determine if it is legitimate.
‘Our investigation is ongoing and if we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information.’
23andMe is a leader in the $3 billion genetic testing market. For prices up to $200, customers can take a test which reveals their background and can also identify gene variants linked to diseases like Alzheimer’s and Parkinson’s.