Hacker Attempts to Sell 23andMe’s Stolen Data on Ashkenazi Jews

Connecticut Attorney General William Tong noted the leak may especially endanger targeted groups.

It is now being reported that a hacker is listing millions of pieces of stolen data from the family genetics site 23andMe for sale online.

The genetic testing company 23andMe confirmed on Friday that data from a subset of its users has been compromised. The company said its systems were not breached and that attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives. Users opt into sharing their information through DNA Relatives for others to see.

Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained 1 million data points exclusively about Ashkenazi Jews. There also seem to be hundreds of thousands of users of Chinese descent impacted by the leak. On Wednesday, the actor began selling what it claims are 23andMe profiles for between $1 and $10 per account, depending on the scale of the purchase.

The data includes things like a display name, sex, birth year, and some details about genetic ancestry results, like that someone is, say, of “broadly European” or “broadly Arabian” descent. It may also include some more specific geographic ancestry information. The information does not appear to include actual, raw genetic data.

23andMe is a company that specializes in DNA testing that helps users learn more about their ancestry, as well as potential health conditions and traits that may be inherited.

Since news of the hack, many customers have expressed worries their ethnicity and other sensitive information could be used against them if leaked. A U.S. lawmaker last week sought more detail on the leaks.

Several users on social media on Tuesday said they got the email, but it was unclear how many customers had been informed. 23andMe spokeswoman Katie Watson declined to comment, citing its ongoing probe, and referred to the blog where the company said on Oct. 20 that it was temporarily disabling features in the “DNA Relatives” to protect user privacy.

Earlier, the company had said hackers may have used credentials leaked from other websites to breach 23andMe accounts – a technique known as ‘credential stuffing’. It advised users to change their login information and enable two-factor authentication to prevent compromise.

Connecticut Attorney General William Tong is seeking information from the company about the breach.

“I understand that the 23andMe breach resulted in the targeted exfiltration and sale on the black market of at least 1 million data profiles pertaining to individuals with Ashkenazi Jewish heritage. According to reports, a second leak revealed the data of hundreds of thousands of individuals with Chinese ancestry, also for sale on the dark web. Finally, most recent reports point to a third leak of information from 23andMe’s “DNA Relatives” feature containing the genetic ancestry information of an estimated 4 million individuals. I also understand from those reports that the threat actor claims to possess more than 300 terabytes of 23andMe data,” Tong said in an inquiry letter to the company.

Tong noted that the leak may especially endanger the targeted groups.

“The increased frequency of antisemitic and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted genetic information to be released to the public,” he wrote.

The company has not yet notified the attorney general’s office of the data breach as required by law, Tong said in a release. He said the company may also be in violation of the Connecticut Data Privacy Act, which imposes data security obligations on companies that collect such data.

Interestingly, last year at this time, a group of geneticists from the Hebrew University of Jerusalem and Harvard Medical School published their DNA study that provided insights into medieval genetic diversity and illuminated the ‘founder event’ of the formation of the Ashkenazi Jewish population.

About half of Jewish people around the world today identify as Ashkenazi, meaning that they descend from Jews who lived in Central or Eastern Europe. The term was initially used to define a distinct cultural group of Jews who settled in the 10th century in the Rhineland in western Germany.

…Erfurt’s medieval Jewish community existed between the 11th and 15th centuries, with a short gap following a massacre in 1349. At times, it thrived and was one of the largest Jewish communities in Germany. Following the expulsion of all Jews in 1454, the city built a granary on top of the Jewish cemetery.

In 2013, the granary stood empty and the city permitted its conversion into a parking lot. This required additional construction and an archaeological rescue excavation. The genetics team received a special permit from the local Jewish community, which allowed the researchers to retrieve DNA from detached teeth that had already been collected as part of the rescue excavation.

The analysis revealed two distinct subgroups within the remains: one with greater Middle Eastern ancestry, which may represent Jews with origins in Western Germany, and another with greater Eastern and Central European ancestry. The modern Ashkenazi population formed as a mix of these groups and absorbed little to no outside genetic influences over the 600 years that followed, the authors said.

Hopefully, the main consequence of this event will be stronger protections for data implemented by DNA testing firms. Genetics provides a great deal of historical insight and health data. It would be shameful to allow hackers and terrorists to poison its usefulness.

Comments

It seems to me that the hacker is primarily interested in money. I would be more interested in finding out who wants to pay money for this info.

It would be great if the hacker is identified, captured and maybe data recovered. If it is already out, then capital punishment. The SOB knows they are selling death.

People think that technology will save us.

Wait, I thought that Jews were supposed to be a religion and not a race? What is religious DNA?

    Milhouse in reply to smooth. | November 4, 2023 at 10:30 pm

    Nope. Jews are a nation that has a religion. “Race” used to be synonymous with “nation”, so older sources speak correctly of a “Jewish race”, an “American race”, etc. But since probably a century ago its meaning has narrowed to pure genetics.

    The main difference between nations and races as currently defined is that people can join nations they were not born into, but the closest they can come to joining other races is to “pass”, which under the current definition means pretending to be of that race, not actually being it.

      A good example of that is this from Kipling’s poem “Et Dona Ferentes”, written in 1896:

      In extended observation of the ways and works of man,
      From the Four-mile Radius roughly to the Plains of Hindustan:
      I have drunk with mixed assemblies, seen the racial ruction rise,
      And the men of half Creation damning half Creation’s eyes.

      I have watched them in their tantrums, all that Pentecostal crew,
      French, Italian, Arab, Spaniard, Dutch and Greek, and Russ and Jew,
      Celt and savage, buff and ochre, cream and yellow, mauve and white,
      But it never really mattered till the English grew polite;

      smooth in reply to Milhouse. | November 5, 2023 at 9:14 am

      Jews aren’t a “nation”. Jews live in various nations. Jews are a religion to which anybody can convert.

      Israel is a nation that has a religion.

      CommoChief in reply to Milhouse. | November 5, 2023 at 10:22 am

      So what defines membership in this ‘Nation’ since religion isn’t the defining characteristic?

      “Jewish” is both a religion and a national identity, and it has been ever since the Babylonian kings allowed some Jews to return to their homeland and begin fabricating their religion and nation.

      Historically, before Christianity every nation, tribe, or city-state had its own religion. E.g., in ancient Athens the Athenians worshiped mostly the same gods as other Greek city-states, but the details of that worship were quite different. Athens may or may not have been the only one that had original plays written and performed for their religious festivals, but it certainly is the only one where those plays were worth preserving for 2500 years.

      In that era, Judaism was explicitly the religion of the Hebrew nations. And it still is. Judaism does not seek converts, and makes it possible but difficult for those that come to it seeking to convert. It’s easier for a Lithuanian to become an American citizen than it is for a Baptist to become a Jew.

    jolanthe in reply to smooth. | November 5, 2023 at 12:08 am

    Everyone knows DNA can’t tell religion. So logically, the Jewish ethnicity is the same as other genetic ethnicities such as French, German, Scandinavian or Native American.

Sending your DNA to a commercial enterprise is foolhardy. They can get hacked, they can get bought, they can get subpoenaed, or they can be untrustworthy themselves from day one. Data on the Internet is forever, as Barbra Streisand famously found out. Once you surrender your information, assume the world has it.

    AF_Chief_Master_Sgt in reply to henrybowman. | November 5, 2023 at 7:43 am

    Correct. DNA data can be misused.

    Recently, there are two distinct criminal law issues where a murderer and a rapist were found using DNA data.

    In the first instance, the murderer was found using DNA relatives. The police used DNA from the crime scene to get in the DNA registry. Then they obtained a list of known relatives in the area and narrowed the suspects.

    In the second, the police used DNA from more than 23 years ago and were able to find DNA relatives that place the perpetrator at the scene of the rape.

    In one of these cases, it appears that the investigators created false profiles using someone else’s DNA.

    Imagine what could happen if a database that large could be compromised.

    diver64 in reply to henrybowman. | November 5, 2023 at 3:08 pm

    Under no circumstances should anyone use one of those sites. The government routinely demands genetic data from them and much like your personal data at Google, Facebook and ATT they just give it up.