An anonymous hacker is claiming to have access to "millions" of genetic profiles after gaining access to customers' 23andMe accounts.
23andMe is a genetics test kit company that offers ancestry reports by analysing a person's saliva.
The attack is believed to have been targeted at Ashkenazi Jews and users of Chinese descent, after the hackers posted a data sample on BreachForums earlier in the week, claiming it contained 1 million data points exclusively about Ashkenazi Jews.
23andMe was founded in 2006. One of its co-founders is Anne Wojcicki, who is the sister of Susan Wojcicki, the former CEO of YouTube, and the ex-wife of Sergey Brin, the co-founder of Google.
On Wednesday (4 October), the hacker allegedly began selling 23andMe profiles for between $1 and $10 per account, depending on the scale of purchase, with 100 profiles for $1,000 up to 100,000 profiles for $100,000.
The data was said to include information such as sex, birth year, genetic ancestry results, photos, and email addresses, although it does not seem to include raw genetic data.
23andMe confirmed on Friday that genuine customer data was for sale, but found no indication of a breach in its information systems. Instead, it appeared that the hacker had managed to log into individual customers' accounts by re-using credentials found in databases of hacked accounts from other services on the internet.
"We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts," the company said in a statement. "We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorisation and obtained information from those accounts."
The company said that they "take security seriously" and recommended customers use a strong password and enable multi-factor authentication, adding that they "are continuing to investigate to confirm these preliminary results."
The posted data is also claimed to include notable people such as Mark Zuckerberg, Elon Musk, and Sergey Brin, but it is unclear if this data is legitimate, as Musk and Brin appear to have the same profile and account IDs.