23andMe User Accounts Exposed – Change Your Password Now

Call it what you may – a hacking attack, a breach, loophole, compromise, it doesn’t matter – there’s an issue at 23andMe, allegedly compromising the data of 7 million+ accounts – and you need to take action now.

I’m telling you what you need to do and why, then providing additional information. I’m presenting this weekend and very deadlined on other work as well, so this article is short and not-so-sweet.

  1. Change your password at 23andMe TO A COMPLEX PASSWORD NOT USED ANYPLACE ELSE.
  2. Consider enabling 2-factor authentication at 23andMe.

This issue has been reported to 23andMe by several people. This issue seems to have existed for several weeks, but those details don’t really matter right now.

While on October 3rd, 23andMe initially said that they “conducted an investigation” and “had not identified any unauthorized access” to their system, their press statement today was different, as reported at Wired.

What changed in the past couple of days is that this compromise became more widely known on various sites and servers, making its way into the media.

This detailed user information is for sale on the dark web. Jewish people may have been targeted, but a lot is unknown.

I have not seen these amalgamated breached files myself, but I worked with a security person who has to verify this information. That was today, and by the time we finished, the story had blown up publicly.

Briefly – What Has Happened?

Hackers have compiled information from multiple data breaches over time from companies across the web. That’s been going on for a long time.

Hackers have been using that information to sign into accounts at 23andMe.

Here’s how that works.

23andMe uses your email as the first step of signing on, then a password. If you use the same password at lots of places, and hackers compile breach information, they will know that the password “Fluffy” is associated with your email address, because they found that pairing six different times in various data breaches.

So, they went to 23andMe and attempted to sign in with your email. Next, they tried “Fluffy” as your password, and voila, they were in – as you. Now the hacker has access to your profile information, not through any negligence at 23andMe, but because of data breaches elsewhere combined with an insecure and non-unique password.

Hackers then have access to DNA Relatives, shared matches, ethnicity, traits, and medical information. Furthermore, they can view the information of your matches who have opted to share their health information with you. Remember, the hacker is now operating as “you.”
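The sign-in pattern described above has a recognizable shape in a site's own authentication log, and that is how a defender catches it: one source replaying email/password pairs against many different accounts, mostly failing, and succeeding only where a password was reused. The following is an added example written for this article, not 23andMe's code; the log format, the IP addresses, the email accounts and the thresholds are all constructed assumptions.

```python
"""Detecting a credential-stuffing run in an authentication log.

Added example for this article, not 23andMe's code. The log format, the
addresses, the e-mail accounts and the thresholds are constructed
assumptions. The signature being looked for: one source trying many
DIFFERENT accounts, mostly failing, and getting in wherever a password
was reused. A normal user mistyping their own password once looks
nothing like that, and is not flagged.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log, one attempt per line: "timestamp ip email result"
SAMPLE_LOG = """\
2023-10-05T01:00:01Z 203.0.113.7 alice@example.org FAIL
2023-10-05T01:00:02Z 203.0.113.7 bob@example.org FAIL
2023-10-05T01:00:02Z 203.0.113.7 carol@example.org SUCCESS
2023-10-05T01:00:03Z 203.0.113.7 dave@example.org FAIL
2023-10-05T01:00:03Z 203.0.113.7 erin@example.org FAIL
2023-10-05T01:00:04Z 203.0.113.7 frank@example.org FAIL
2023-10-05T01:00:04Z 203.0.113.7 grace@example.org SUCCESS
2023-10-05T01:00:05Z 203.0.113.7 heidi@example.org FAIL
2023-10-05T01:00:05Z 203.0.113.7 ivan@example.org FAIL
2023-10-05T01:00:06Z 203.0.113.7 judy@example.org FAIL
2023-10-05T01:02:10Z 198.51.100.2 alice@example.org FAIL
2023-10-05T01:02:30Z 198.51.100.2 alice@example.org SUCCESS
2023-10-05T01:05:00Z 192.0.2.9 bob@example.org SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-address counters."""
    attempts: int = 0
    successes: int = 0
    emails: set = field(default_factory=set)

    @property
    def failure_rate(self) -> float:
        if not self.attempts:
            return 0.0
        return (self.attempts - self.successes) / self.attempts


def parse_log(text: str):
    """Parse 'timestamp ip email result' lines into (ts, ip, email, ok) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, result = line.split()
        entries.append((ts, ip, email.lower(), result == "SUCCESS"))
    return entries


def summarize_by_source(entries):
    """Aggregate attempts, successes and distinct accounts per source IP."""
    stats = defaultdict(SourceStats)
    for _ts, ip, email, ok in entries:
        s = stats[ip]
        s.attempts += 1
        s.successes += int(ok)
        s.emails.add(email)
    return stats


def detect_stuffing_sources(entries, min_distinct_emails=5, min_failure_rate=0.6):
    """Sources that tried many different accounts and mostly failed."""
    return {
        ip
        for ip, s in summarize_by_source(entries).items()
        if len(s.emails) >= min_distinct_emails and s.failure_rate >= min_failure_rate
    }


def accounts_to_reset(entries, **thresholds):
    """Accounts that accepted a login from a flagged source.

    These are the reused-password victims: the response is to revoke
    their sessions, force a password reset and notify the owner.
    """
    bad = detect_stuffing_sources(entries, **thresholds)
    return sorted({email for _ts, ip, email, ok in entries if ok and ip in bad})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_stuffing_sources(log))
    print("accounts to reset:", accounts_to_reset(log))
```

In the sample, 203.0.113.7 touches ten different accounts with an 80% failure rate and is flagged; the two accounts it did get into are the ones to reset. The single user at 198.51.100.2 who mistyped once and then signed in is left alone. Real deployments tune the thresholds, key on more than the source address (address ranges, user agents, timing), and feed the flagged sources to rate limiting.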

Passwords

Many people reuse passwords at different sites because they are easy to remember.

DON’T REUSE PASSWORDS. Ever. Make them unique, hard or impossible to guess, and certainly not Fluffy or any other word that can be associated with you via social media. Also, never, ever answer those social media “fun” questions because you are unnecessarily giving information away publicly. Bad actors aggregate that information too.
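A site can also refuse, at password-change time, any password that already appears in known breach corpora, which is exactly what makes “Fluffy” unusable for the attack this article describes. The following is an added example for this article, not 23andMe's code: it mimics the hash-prefix (k-anonymity) range lookup used by services such as Have I Been Pwned's Pwned Passwords API, but against a small constructed local corpus, so it runs offline. The corpus contents, function names and the 12-character minimum are assumptions.

```python
"""Rejecting a new password that appears in a breach corpus, using a
hash-prefix (k-anonymity) range lookup.

Added example for this article, not 23andMe's code. The breach corpus
is a small constructed list. The lookup is modelled on the Pwned
Passwords range scheme: the client reveals only the first 5 hex
characters of the SHA-1 of the candidate password, the server returns
every known hash suffix in that range, and the comparison happens on
the client, so the server never learns the password being checked.
"""
import hashlib

# Constructed breach corpus: passwords "seen in earlier leaks".
BREACHED_PASSWORDS = ["Fluffy", "password", "123456", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: map 5-char hash prefix -> set of 35-char suffixes."""
    index = {}
    for pw in corpus:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_query(prefix: str):
    """Server side: return all suffixes for a prefix (never a password)."""
    return sorted(RANGE_INDEX.get(prefix.upper(), ()))


def is_breached(password: str) -> bool:
    """Client side: only the 5-char prefix leaves the client."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])


def validate_new_password(password: str, min_length: int = 12):
    """Return the list of reasons a candidate password is rejected."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if is_breached(password):
        problems.append("found in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["Fluffy", "xK9#vQ2m!pL4wZ8r"]:
        print(candidate, "->", validate_new_password(candidate) or "accepted")
```

The same check belongs in a password manager's "compromised password" report, which is what the commenters below are describing when they mention Bitwarden's and Apple's breach warnings.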

You need to take remediation action immediately to secure your account.

Go to Settings under your initials in the upper right-hand corner of your account page.

Then select Password and follow the steps.

Accounts You Manage

This also means that if your account has been compromised and you manage other people’s DNA kits within it, their profiles have been compromised through yours, including any medical information.

Articles

Here are articles published within the past 24 hours for your review. Unfortunately, PC Magazine published a thread from X (formerly Twitter) where someone used a screenshot from my blog (without permission) which is part of how I got dragged into this and why I got notified.

This thread was posted on Twitter two days ago. This data “leak” had been reported before that to 23andMe and may have existed since August.

The dark box is the hacker saying that if 23andMe does not announce a data breach within 24 hours, they will start sharing the user data. I’m not posting the threat here, but you can view it on X (formerly Twitter).

23andMe gave their standard canned reply.

Then I inadvertently got dragged into this mess because, next, someone grabbed a screenshot from one of my blog articles from 2019, which exposed my name – then PC Magazine published a screenshot of their posting.

In that article, I was writing about a 2019 relationship between 23andMe and FamilySearch, hence the arrow. I believe that the Twitter poster grabbed the image as an example of the 23andMe DNA Relatives user interface, but it was an unfortunate choice. They should have used their own, not scalped mine.

We really have no idea what may be discovered as this situation evolves, but at this point, 23andMe has stated that they are investigating.

The Second Issue

It appears there’s a second issue, too. The person who notified me of the original issue also told me that signing on to your own account, then replacing your profile ID with someone else’s profile ID displays their name and at least some of their information.

I’ve blurred my profile ID in the above string.

They had personally reported this to 23andMe, including emailing the CEO personally, and received the same boilerplate message as reported by others. Here’s a quote:

“Hi [xxx- name redacted] – Following a claim that someone had gained access to and is selling certain 23andMe customer data, we conducted an investigation. We have not identified any unauthorized access to our systems. We will continue to monitor the situation.”

I tried this with my matches’ IDs and could see their information, but of course I should be able to access my matches’ profiles, so I didn’t find this disturbing. I tried this with people I had invited to connect with that I don’t match, and I could see those as well. That too is expected. Although, I must admit that I was rather startled to be able to access it that way.

I tried randomly replacing digits and characters in my own profile ID and that didn’t work. But then again, there’s no way to know if the number I created was actually a valid profile ID.

Then, I signed on to an account of someone whose account I manage completely separately from my account and copied the profile ID of a second account I manage separately from my account. Those two people don’t know each other and are not related.

I could see the identity of the person whose profile ID I copied into the string, replacing the profile ID of the account I was signed into.

I saw the information below.

I’ve blurred the person’s name, initials in the purple circle, and their “about” information. However, notice that their current location is also exposed, along with their full name.

The good news is that I can’t see anything else. However, I shouldn’t be able to see this much.

I don’t think I could have done this:

  • Without first being signed into a valid account AND
  • Without knowing the profile identification, which I don’t think I could have found unless the person gave it to me, or unless it’s in the hacked information, which I understand that it is. However, if the hacked information includes the profile ID, that means the hackers are already into that account, so they don’t need to do this.
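What the second issue describes is the textbook insecure direct object reference: the server confirms that someone is signed in, then hands back whichever profile ID is in the request. Below is an added example for this article, not 23andMe's code, showing that vulnerable lookup beside a hardened one that derives what the requester may see from their relationship to the requested profile and answers “not found” for everything else, so the response never confirms that a guessed ID is real. The profiles, relationship table, account names, field names and the `share_details` flag are constructed assumptions.

```python
"""Authorization for a profile-view request: the vulnerable lookup
beside a hardened one.

Added example for this article, not 23andMe's code; the profiles,
relationship table, account names and field names are constructed
assumptions. The hardened handler decides what to return from the
relationship between viewer and viewed ('self', 'match', 'connection'),
never from the ID alone, and treats unrelated and nonexistent IDs
identically.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    profile_id: str
    full_name: str
    initials: str
    location: str
    about: str
    surnames: tuple
    share_details: bool  # owner opted to show location/about to matches


# Constructed profiles; the IDs are opaque placeholder strings.
PROFILES = {
    "p-7f3a": Profile("p-7f3a", "Jane Example", "JE", "Austin, Texas",
                      "Researching the Smith line", ("Smith", "Jones"), False),
    "p-c21d": Profile("p-c21d", "Tom Sample", "TS", "Denver, Colorado",
                      "Sample family of Ohio", ("Sample",), True),
    "p-9e04": Profile("p-9e04", "Ann Stranger", "AS", "Boston, Massachusetts",
                      "No relation to the others", ("Stranger",), False),
}

# (viewer profile, viewed profile) -> relationship; constructed and symmetric.
RELATIONSHIPS = {("p-7f3a", "p-c21d"): "match", ("p-c21d", "p-7f3a"): "match"}

# Account -> profiles that account manages (the "Accounts You Manage" case).
MANAGED = {"acct-jane": {"p-7f3a"}, "acct-tom": {"p-c21d"}, "acct-ann": {"p-9e04"}}


def view_profile_vulnerable(session_account: str, requested_id: str) -> dict:
    """Checks only that the caller is signed in, then trusts the ID."""
    if session_account not in MANAGED:
        raise PermissionError("sign in required")
    p = PROFILES[requested_id]
    return {"full_name": p.full_name, "initials": p.initials, "location": p.location}


def relationship(session_account: str, requested_id: str):
    """'self', 'match', 'connection' or None, derived server-side."""
    own = MANAGED.get(session_account, set())
    if requested_id in own:
        return "self"
    for viewer in own:
        rel = RELATIONSHIPS.get((viewer, requested_id))
        if rel:
            return rel
    return None


def may_view(session_account: str, requested_id: str) -> bool:
    return relationship(session_account, requested_id) is not None


def view_profile_hardened(session_account: str, requested_id: str) -> dict:
    rel = relationship(session_account, requested_id)
    if rel is None:
        # Unknown IDs and unrelated IDs get the same answer.
        raise LookupError("profile not found")
    p = PROFILES[requested_id]
    card = {"full_name": p.full_name, "initials": p.initials, "surnames": p.surnames}
    if rel == "self" or p.share_details:
        card["location"] = p.location
        card["about"] = p.about
    return card


if __name__ == "__main__":
    print("vulnerable:", view_profile_vulnerable("acct-jane", "p-9e04"))
    print("hardened, match:", view_profile_hardened("acct-jane", "p-c21d"))
    try:
        view_profile_hardened("acct-jane", "p-9e04")
    except LookupError as e:
        print("hardened, stranger:", e)
```

The `share_details` flag is what the article's advice about removing location and “about” information amounts to on the server side: even a legitimate match sees only the minimal card unless the profile owner opted in.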

To be on the safe side, I’m removing “about” information other than ancestral surnames in my account and the accounts I manage.

I have never been comfortable with my current location being shown to anyone, including matches.

If you want to remove your location information, navigate to the map function under DNA Relatives and make your modification there.

Conclusion

Right now, I’m far more concerned about keeping you safe than 23andMe’s investigation. That’s analogous to figuring out who opened the barn door after half the herd is gone. Yes, it needs to be done and the issue addressed, but their investigation won’t help you right now.

The exposure may NOT be half of their database. It may NOT include you. Please assume it does and protect yourself.

Please change your password and consider implementing two-factor authentication. I recommend removing your location information.

Also, don’t reuse passwords. Here’s a great article about password safety.

I surely hope 23andMe is partnering with legal and security resources and has engaged an expert firm for compromise assessment.

In essence, the hacker was using our DNA information as a lever to attempt to force 23andMe to announce a breach. It’s unclear what their motivation is, but based on reports from multiple people who have seen these files, the threat is credible, as confirmed by 23andMe today. I’m not sure if the hackers really want to sell our data to bad actors on the dark web or already have, or if they want to extort money, essentially ransom, out of 23andMe, or what.

23andMe is a victim here, too, because the leaked information seems to be due to compromised user passwords that did NOT occur on their system. This has generated a lot of speculation about the motivation of the hacker.

Regardless, that doesn’t change the fact that the hacker has a huge amount of data, and it’s out of our control. I don’t know how, or if, you will ever know whether your data is included. I don’t know how 23andMe would be able to ascertain whose accounts are involved since the accounts were all signed into legitimately using the correct email and password.

While I realize that this situation is at least partly due to customers reusing passwords, that does not justify or rationalize the delay by 23andMe in taking the issue seriously, wasting valuable time, and allowing the hacker to gather more information. Nor does it excuse the second security issue, although that seems to be less serious.

I feel bad for any company targeted like this, while I’m also furious with 23andMe about their arrogance and cavalier attitude, resulting in unnecessary delay. Right now, as a customer, I’m not interested in playing the blame game or debating semantics about which type of compromise this is. It’s bad, regardless.

The hacker has attacked 23andMe AND their customers, you and me, but this could have been any company. The ONLY way to preclude this as a customer in a digital world is to maintain password security and use unique, complex passwords – on every account.

Hopefully, we will know more soon. In the meantime, change your password and lock down your account so that no one else has access.

Please share this article with genealogy organizations or anyone you know who has tested with 23andMe so they can protect themselves.


35 thoughts on “23andMe User Accounts Exposed – Change Your Password Now”

  1. Every DNA website can be accessed with email address/password combinations that have been “hacked”. This isn’t unique to 23andMe, it’s the same for Ancestry.com / MyHeritage / FTDNA and so on. GEDmatch had a data breach and using the email addresses taken from there with a DNA testing website like 23andMe (or any of the others) will give people access.

    The problem is that people don’t keep separate passwords for every website/app, as is best practice. Also, free apps like Bitwarden provide you with a safe & central repository to store your complicated passwords, if you don’t want to store them in your Google or Apple account (both operating systems have a feature to suggest safe & complicated passwords per website).

    Also, when trying to download the raw DNA data or even the DNA matches list at 23andMe, the user will be notified via email. So if you get such an email even though you didn’t request this action, then your account was taken over by someone else.

    But all of this isn’t a data breach, it’s the end user’s fault for not following best practice. So please folks, make sure you use complicated passwords for each website/app and store them in a safe place.

    Disclaimer: I’m not affiliated with Bitwarden but a happy, long-time user, hence I recommend the app. There are similar apps to Bitwarden, like LastPass or 1Password, but most of them are paid apps. See https://www.theverge.com/22285499/password-manager-lastpass-free-bitwarden-zoho for an overview.

    • Thanks to Roberta for alerting us to this. I was not aware.

      I have also used bitwarden for about a year and I am very pleased with it. Managing ever-changing and complex passwords is a daunting task. Bitwarden takes some effort to set up, but has been well worth it for me.

    • Absolutely agree. I do not in the least fault 23andMe in this, but recognize that the responsibility lies with all of us to use strong, unique passwords, and guard them appropriately.

      If, in fact, this was intended to damage 23andMe, it’s not working with me. I’ll still be paying, gladly, for Premium access next year.

  2. Apple also has an excellent feature built right into their OS. Go to “Settings” and then “Passwords” and you will see “Security Recommendations”. Amongst those recommendations is an option to turn on “Detect Compromised Passwords” and a list of websites where your password has been used and appeared in data leaks.

    Go through this list now and reduce your risk of exposure by changing passwords for those respective apps/websites.

    See https://support.apple.com/en-sg/guide/iphone/iphd5d8daf4f/ios

  3. On your second issue, the profile ID is a 64-bit number, which means being able to randomly guess even one will be out of the question – only one out of trillions will be valid (assuming they were randomly generated in the first place).
    Add to that the fact that 23andMe heavily throttles web requests, which makes that slow even when you have a hacked login and already know the profile IDs.
    Just try to open up 10 tabs in quick succession with different relatives’ profiles and you’ll discover you’ve been logged out.

    I guess that hacking 50 accounts will give you maybe 100,000 relatives just by using the download button. This would be much more efficient than following lots of profile pages. But anybody wishing to identify 99,950 of them will have a hard time.

    I find it implausible that they have millions of customers’ information by this method. Either the hackers are overstating their collection for marketing purposes or there has been some other breach.
    13 million “pieces of information” would be easily consistent with 100,000 customers.

      • And if that is all the purchaser was getting for $1 per number then they’d be mighty upset and would likely “send somebody around” to get their money back. My reading is that a purchase will give you everything that could be found for that person from a match via the viewpoint of a DNA relative.

        The sad part is, I don’t think it will scare enough people into fixing their weak reused passwords, although it will probably cause more people to turn off DNA result sharing.

  4. I’ve tried to change my password: the website won’t let me.
    Does anyone else have this problem?
    Thanks.

    • Hi Roberta/Judith,
      Many thanks for the warning.
      I am unable to sign in to 23andMe using a stored password on my computer; I am sure I did not change it.
      Just in case I have, I requested to set up a new password and was told a link would be sent to my email address, and I should use it within one hour, but nothing so far?
      I have tried three times?
      Any suggestions?
      Charlie.

  5. What if you use Google to sign in to your 23andMe account? Looking at Google, it says “When you use Sign in with Google to sign in to your 23andMe account, you’re sharing some sensitive info with 23andMe.”

    • I don’t know because I never sign in to any site through third party sites. I would presume you still need to change your password.

  6. I wish 23andMe did not use an email address for the username. That seems to be a potential security vulnerability on their part, and certainly appears to have been used in this case. If I could, I would change mine. Luckily for me, the email address I used for my username (when I signed up for 23andMe many years ago now) is not one I’ve used at any site elsewhere.

    Last night, after seeing this 23andMe hacking story on the Washington Post, I changed my password. I’m also looking at using the 2-factor verification, but haven’t done that as yet. I hope changing my password wasn’t a case of closing the barn door after the horses got out, though!

    • Be aware that if you changed your password on or around 7 October (as I did also), you’ll have to change it AGAIN when you get the email from 23andMe about your account being potentially compromised.

  7. Roberta, thank you so much for your timely warning. Halfway through a DNA genealogy group meeting somebody’s phone alert went off and it was your blog post. We were able to pass it on immediately to people in the meeting as well as those who sent their apologies.

  8. Family history has provided me with some help in establishing unique passwords. Places that exist no longer, names now rare and words in now extinct languages can be combined into something (with a little tweaking) that is accepted as high security and is also something I can remember.

  9. In a couple of the news articles it said that 2 main ethnic files were compromised, the Ashkenazi Jewish and the Chinese. Change your passwords asap!!!

  10. You cannot find relatives in common on 23andMe for now.

    “Update: October 20, 2023 9:35 PM PST

    As part of the ongoing security investigation, we have temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect the privacy of our customers.”

  11. You also cannot see chromosomes you have in common or use Advanced DNA Comparison. Including Relatives in Common, these were all tools which made 23andMe stand out. I will be very disappointed if these are not reinstated eventually.

  12. It renders 23andMe utterly useless. I don’t give a hoot about shared traits w/ my parents, lol (which, BTW, are often opposite of what Ancestry says, e.g. alcohol flushing. But that’s for another rant another day.) This issue might explain why when I tried to update my new password on Genetic Affairs for my 23andMe account, I got a 500 server error. (Sigh.) They won’t be able to pull any data either. Thanks for keeping us updated, Roberta.

    • So that’s interesting. Did you get an email suggesting your account may have been one that was compromised? My wife and I just got emails saying specifically we were shared relatives of a compromised account, which sounds different.
      Can you confirm whether the “reused password” theory might be right for your case, or whether another possibility is that Genetic Affairs was compromised.

    • Sorry if this ends up being a duplicate, but it behaved differently this time I tried to post.
      Cathmary, I note that you said that 23andMe said your account was potentially compromised. My wife and I have just received emails and they were quite specific that we were DNA relatives of a compromised account, which sounds different.
      Can you confirm if the “reused password” is a possibility in your case? I ask because you said Genetic Affairs had your password, so a breach of their systems could have given them a more direct route to working passwords, no matter how complex.

  13. Pingback: The 23andMe Data Exposure – New Info, Considerations and A Pause Strategy | DNAeXplained – Genetic Genealogy

  14. Hi Roberta, I have had sign-in issues with my 23andMe account since this hacker stuff happened. If I try to sign in with Google, I do get access, but no option to change my password. If I sign in the regular (old) way, I don’t receive any e-mail from 23andMe to continue to change my password. I’m using a PC, not a mobile phone. I’ve been asking the 23andMe customer service but all I get is this “Adding 2-Step Verification” and “Scan the QR code into your preferred authenticator app.” Doesn’t help much. Like I said, I don’t use a mobile phone for my 23andMe. What QR code??? I’m lost. Thanks for any help.
    Claus

  15. Pingback: 23andMe: DNA Relatives, Connections, Event History Report and Other Security Tools | DNAeXplained – Genetic Genealogy
