 Oh boy, I had a feeling that something like this was going to happen eventually. It was just a matter of time. So you know those genetic ancestry services that started popping up like 15 plus years ago that were like, hey, send us your DNA and we'll tell you if you're part African or if you're related to Thomas Jefferson. Spit in this cup and we can tell you that you're 10% Japanese so that you can justify your addiction to foreign children's cartoons. But I don't think any of the people who participated in this New Age genealogy service ever realized that by spitting in that cup and sending it off to some corporation you're trusting those guys to safeguard your genetic material. You know, the first thing that the police look for in some of the worst kinds of cases like assault and murder and break-ins and most other crimes that you'd get a decade or more in jail for. Man, it would really suck if someone did a murder and then they threw a cup of your spit in the victim's face. So this data leak here that various publications are sourcing from was originally posted on BreachForums by a user named Gollum. Now, I know some of you are probably wondering, how could that be? How could it be on BreachForums since the original BreachForums owner, Pompompurin, was arrested by the FBI last year? Well, it turns out that there was another BreachForums admin by the name Baphomet who was eventually able to get the forum back up and running again on a new TLD and a new Onion site. Now, this post here actually mentions another post from another database leak site called Hydramarket that has a more detailed thread from what I'm guessing is another hacker that was posting leaked 23andMe data back in August. So it starts off by talking about how 23andMe analyzes your DNA with your saliva and he talks about what's in the data that he possesses. So it's your personal information, family background, ancestry, compound, haplogroup, health traits, surveys, and raw DNA data. 
So he says that the total size is over 300 terabytes and he sent an email to 23andMe company for informational purposes about security vulnerabilities. But instead of them taking the matter seriously, they asked irrelevant questions. You know, they weren't taking this guy seriously and apparently they tried to learn the vulnerability. Like it kind of sounds like he was trying to get them to pay him a bug bounty, but they were trying to figure out what the bug was and fix it without actually paying any money. And then he goes down to say that the total price for all of the data, like if you wanted, I guess, is 300 terabytes of data, would be $50 million. Data can also be prepared specially based on location and ethnicity. The cost for 1,000, I guess, different people from this database would be 10,000. Now below in this thread, there's some screenshots of what appear to be private information from 23andMe profiles of Sergey Brin, the co-founder of Google, and Anne Wojcicki, the CEO of 23andMe. By the way, those two were husband and wife for almost 10 years. So Google and 23andMe were literally in bed with one another. I mean, that's just crazy how intertwined some of these Big Tech CEOs are. But it turns out that these aren't the only Big Tech Ashkenazis that had their information leaked. Another post on BreachForums that was referencing Gollum's deleted post was posted, but this time the thread title was DNA data of celebrities, 1 million Ashkenazi repost, which appears to be the same dataset that Gollum posted and this is probably the screenshot that you most likely saw in various news publications if you had heard a little bit about this already. So yeah, it looks like it's been a pretty rough week. I mean, first the data of 1 million Jewish celebrities gets leaked and then the Iron Dome got overwhelmed by rockets and now terrorists are taking up donations in untraceable cryptocurrencies. 
All of this really has people wondering what the genetic data of 1 million Jewish celebrities is going to be used for. Cause I mean, it's been posted and reposted. It's been floating around on various forums on the internet. Well, I don't suppose that all 1 million of them are celebrities. I guess whoever packaged up this data, it almost seems like they were filtering for Ashkenazi Jews and they figured that that was the most effective way to get a really long list of Hollywood celebrities and other big tech celebrities, which I guess kind of makes sense. I mean, that is a good way to unironically get a lot of them into a database. Now, a lot of people are wondering how this data was actually obtained from 23andMe because 23andMe are not exactly claiming that they got hacked. So if we take a look at their blog post about the incident, the language here is very, very interesting. So they say we recently learned that certain 23andMe customer profile information that they opted into sharing through our DNA relatives feature was compiled from individual 23andMe.com accounts without the user's authorization. So, you know, right up front, they're letting you know, hey, you went and used this feature that I'm sure they encourage you to use. I'm sure that they were pushing you. Oh, yeah, use this so you can see your heckin' DNA relatives so that you can bother random people on the other side of the planet that your great, great, great, great grandmother banged and didn't tell you about it. After learning of suspicious activity, we immediately began an investigation. While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials. That is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that had been previously hacked. 
So basically the users of 23andMe fell victim to what we call a credential stuffing attack because people are bad at the internet and they reuse the same passwords for protecting their sensitive genetic and family data that they would use for random shady internet forums that get hacked every other weekend and get the whole databases posted by some rival admins in their Discord group. But 23andMe is ultimately at fault for this. One, they're at fault for not forcing users to better secure their data with things like two-factor authentication or making the users change their passwords every quarter or every six months. I mean, that's a pretty common thing in a lot of corporations and there's even some banks that do that. Or they could possibly even just check if the password that the user wants to use when they're signing up for the service was in a known database leak. I mean, there's actually a way to hook that into various forums and stuff. It's available in WordPress, so I'm sure that it's an open source thing that you can easily add to any type of online service. And that would have mitigated the threat depending on how recently this database or how fresh or how available it is that was used for the credential stuffing attack was. You know, by gaining access to one poorly secured account, you're then able to see at least somewhat limited private information on all of that person's family members. Because, you know, these family members automatically get linked up. Or I guess they only get linked up when you opt in to sharing through our DNA relatives feature, which again, I'm sure this is something that they push on all their users and probably tell you, oh yeah, there's not even really a point in using the service without enabling DNA relatives. So, you know, maybe you had your account set up securely. You had two-factor authentication. You created a password with a password manager. 
But your Aunt Helen, who used Google Play cards to pay off her taxes when an Indian guy from the IRS called her up last year, she's obviously going to have her account pwned and your information is at least partially going to get leaked along with it. So, the only way that I can really see to mitigate a threat like this is for you to have not been using 23andMe in the first place. But, you know, even then, it depends on what the goal is of this database. Because, you know, that kind of raises some red flags since there's people that are really kind of zooming in on the like 1 million plus Jewish people or whatever. Like, if the goal is to track down the people in these databases and track down their families and do something to them, it doesn't matter if you didn't use 23andMe or Facebook or anything else. You could be a complete ghost on social media, but Aunt Helen's mistake could still lead to somebody tracking you down depending on the PII that they collected. I mean, if they figured out what town she's in and, you know, you live right down the street from her, that could be some really bad news. So, if your loved ones were using this 23andMe service, let them know about this data incident, especially since 23andMe is seeming to really downplay it both on their blog and on social media. Let them know that this service has been breached. They should probably start watching their backs a bit and start doing some more research on practicing good opsec in order to avoid being part of leaks like this in the future.
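
The mitigation mentioned in the transcript, checking a new password against known breach data at signup, sketched as an added example (not from the video or from 23andMe). It follows the hash-prefix range lookup used by the Pwned Passwords service, so only the first five hex characters of the SHA-1 ever leave the server; `SAMPLE_LEAK`, `fake_range_service` and `check_new_password` are constructed for illustration and stand in for the real HTTPS call.

```python
import hashlib

# Constructed sample corpus standing in for a breach dataset (password -> times seen).
SAMPLE_LEAK = {"password1": 3_000_000, "qwerty123": 900_000, "Summer2023!": 1_200}

def sha1_split(password: str) -> tuple[str, str]:
    """Return the 5-char prefix sent to the service and the 35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fake_range_service(prefix: str) -> str:
    """Offline stand-in (assumption) for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns 'SUFFIX:COUNT' lines for every leaked hash sharing the prefix,
    plus one zero-count padding line of the kind a padded response contains."""
    lines = []
    for pw, count in SAMPLE_LEAK.items():
        p, s = sha1_split(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":0")  # padding entry, must be ignored by the client
    return "\r\n".join(lines)

def breach_count(password: str, fetch_range=fake_range_service) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = sha1_split(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def check_new_password(password: str, fetch_range=fake_range_service) -> tuple[bool, str]:
    """Signup / password-change gate: reject any password seen in a breach."""
    seen = breach_count(password, fetch_range)
    if seen > 0:
        return False, f"rejected: seen {seen} times in known breaches"
    return True, "accepted"

if __name__ == "__main__":
    for pw in ("password1", "correct horse battery staple 42"):
        print(pw, "->", check_new_password(pw))
```

A gate like this only stops reuse of passwords that are already in the corpus being checked; it complements two-factor authentication rather than replacing it.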