A hacker on the infamous hacking site BreachForums is advertising DNA profiles stolen in a credential-stuffing attack on genetic testing company 23andMe Holding Co. for sale.

The listing, by a user named “Golem,” offers “DNA profiles of millions, ranging from the world’s top business magnates to dynasties often whispered about in conspiracy theories,” suggesting Ashkenazi Jews, though it was reported that some of Chinese descent might also be part of the breach. The data is said to include tailored ethnic groupings, individualized data sets, pinpointed origin estimations, haplogroup details, phenotype information, photographs, links to hundreds of potential relatives and raw data profiles.

The hacker is offering profiles for sale at the rate of $10 each and 100 profiles for $1,000, with the pricing progressively coming down to the equivalent of $1 a record or 100,000 profiles for $100,000.  The hacker is also offering incremental payments for purchases more than 10,000 profiles.

Details about when the data was stolen are not entirely clear. The data first appeared for sale on BreachForums on Oct. 2, with an original listing, since deleted, claiming that 20 million records had been stolen.

How the data was stolen has been disclosed, with a spokesperson for 23andMe telling Bleeping Computer that those behind that theft used exposed credentials from other breaches to access 23andMe accounts to steal sensitive data.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” the 23andMe’s spokesperson said. “We do not have any indication at this time that there has been a data security incident within our systems.”

Using the compromised credentials, the threat actor then scraped the data of their relative matches. Within a given 23andMe account, users are given access to a DNA relative feature that allows them to find potential relatives. It was this feature that opened the door to more data to be stolen through each compromised account.

The data theft has raised concerns about security standards in the DNA industry.

“This is a worry many in the infosec community had regarding the DNA mapping industry,” Ken Westin, field chief information security officer at security information and event management company Panther Labs Inc., told SiliconANGLE. “For the most part, the protection of DNA data has been unregulated — at best, it’s been treated like personally identifiable information.”

Westin said the slow pace of regulation and action by law enforcement around the use and protection of DNA data has created “a perfect storm for adversaries to exploit and profit from incredibly sensitive data. I’m afraid to say this is just the first shoe to drop when it comes to the breach of DNA data.”

Photo: scalleja/Flickr