Biotech company 23andMe, known for its DNA testing kits, said the leak occurred through a credential-stuffing attack. A credential-stuffing attack involves user information that has already been compromised (usernames and passwords, for example) from one organization, which a hacker obtains and attempts to reuse with a second organization — in this case, 23andMe.
Because of the nature of credential-stuffing, it does not appear this was a breach of the company’s internal systems. Rather, accounts were broken into piecemeal. The perpetrators of this attack appear to have obtained quite sensitive information from the compromised accounts (genetic testing results, photos, full names and geographical location, among other things).
Read more…
Source: Engadget