Any chance of a translation? How did the hacker get the data? Obviously what the hacker is claiming contradicts statement from 23andMe.
I am by no means an expert on the technicalities of all of this, but my basic understanding is this:
The initial breach is claimed to have been made by data stuffing. This is where usernames and associated passwords stolen from another account with a different company (i.e. from a different data breach) have been speculatively tried against 23andMe logins.
Unfortunately it is quite common for some people to use the same username and password across many accounts with different organisations, and datasets of such stolen information can readily be purchased if you know where to look, e.g. on the dark web. So whilst not all the logins tried will have been successful, there were probably quite a few logins achieved, giving access to those users accounts.
The hacker then probably used packet sniffing, a form of capturing the underlying internet data traffic involved in sending and receiving requests such as obtaining the details of DNA matches related to the compromised accounts, and identified a sequence or sequences of data strings that could be sent in a particular way to access the information for any individual they wanted - as I read it from one of the posts on the subject, within an average of 50 attempts at sending particular data strings for each account they wished to access. It seems that the data required to be sent to access those accounts might have followed certain patterns that the hacker was able to identify and use to their advantage, and was not as random as 23andMe perhaps believed when the software was designed.
Of course to do this manually would take hours for each individual attempt, and probably more than a lifetime to obtain data on millions of users, but once the initial data strings in the transmitted packets and the patterns in the sequences generated were discovered, an automated computer script could be created that would generate multiple such request in a fraction of a second and capture the information desired very quickly.
I gather that 23andMe have only admitted to the data stuffing attack using stolen username and password credentials, but the rest as claimed by the alleged hacker elsewhere seems plausible in view of the fact that 23andMe have since disabled their DNA tools and now My Heritage have also done likewise, possibly as a precaution until they can investigate and verify the security of their own system, or perhaps because they now know that it is also vulnerable to a similar technique.
I may be wrong, so don't take the above as being factually correct, but it's just my interpretation from what I have seen in various posts on the subject elsewhere.
