By Raphael Satter
WASHINGTON (Reuters) – A hacker is advertising millions of “pieces of data” stolen from the family genetics website 23andMe, according to posts made to an online forum where digital thieves often advertise leaked data.
23andMe said in a statement Friday that while an unspecified amount of “customer profile information” had been compiled “through access to individual 23andMe.com accounts,” the company itself had not been breached.
“We do not have any indication at this time that there has been a data security incident within our systems,” the statement said.
The statement went on to say that a hacker may have collected passwords stolen from other sites and reused them in a bid to hijack 23andMe accounts. The technique – known as credential stuffing – is one reason why cybersecurity experts recommend against using the same password for different sites.
A second layer of password protection, known as two-factor authentication, can also help frustrate these kinds of hacks.
Reuters could not immediately find a way to contact the hacker, at least one of whose posts has since been removed from the forum. The size of the breach wasn’t immediately apparent, and the hacker provided contradictory figures and descriptions of what they had stolen.