Database of people with Jewish ancestry created from stolen 23andMe data

Data stolen from genetic testing company 23andMe has been made available for sale online, specifically targeting users with Ashkenazi Jewish heritage.

23andMe is a direct-to-consumer genetic testing company that offers its 14 million users DNA tests for health insights and disease risk, as well as ancestry breakdown and finding genetic relatives. The stolen data does not contain genomic information, but includes usernames, birth years, and regional locations.

23andMe has denied that the leak is the result of a breach of their security: 'We believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,' they said in a statement.

The database, named 'Ashkenazi DNA Data of Celebrities', corresponds to around one million 23andMe accounts overwhelmingly including people with Ashkenazi Jewish ancestry, as well as many of Chinese descent.

The reason for targeting Ashkenazi Jews is unclear:

'When data is shared relating to ethnic, national, political or other groups, sometimes it's because those groups have been specifically targeted,' threat analyst Brett Callow from online security firm Emsisoft, told Wired magazine. 'But sometimes it's because the person sharing the data thinks it'll make reputation-boosting headlines'.

Digital scams researcher Ronnie Tokazowski agreed, telling Wired: 'The fact that it's claiming to target a Jewish population or celebrities – it's not shocking. It reflects the underbelly of the internet.'

The data theft was likely further enabled by a feature on 23andMe called 'DNA Relatives', which allows users to search for other accounts with genetic matches, enabling breached accounts from Ashkenazi customers to be used to find others.

One person who appeared on the database told NBC News: 'This could be used by Nazis'.

Two people whose details appeared on the list have already filed a lawsuit in California against 23andMe, claiming that they now face a 'present and imminent threat of fraud and identity theft'. It is a class action lawsuit, meaning that other affected people will be able to join.