Call it what you may – a hacking attack, a breach, loophole, compromise, it doesn’t matter – there’s an issue at 23andMe, allegedly compromising the data of 7 million+ accounts – and you need to take action now.
I’m telling you what you need to do and why, then providing additional information. I’m presenting this weekend and very deadlined on other work as well, so this article is short and not-so-sweet.
- Change your password at 23andMe TO A COMPLEX PASSWORD NOT USED ANYPLACE ELSE.
- Consider enabling 2-factor authentication at 23andMe.
This issue has been reported to 23andMe by several people. This issue seems to have existed for several weeks, but those details don’t really matter right now.
While on October 3rd, 23andMe initially said that they “conducted an investigation” and “had not identified any unauthorized access” to their system, their press statement today was different, as reported at Wired.
What changed in the past couple of days is that this compromise became more widely known on various sites and servers, making its way into the media.
This detailed user information is for sale on the dark web. Jewish people may have been targeted, but a lot is unknown.
I have not seen these amalgamated breached files myself, but I worked with a security person who has to verify this information. That was today, and when we finished, this had blown up publicly today.
Briefly – What Has Happened?
Hackers have compiled information from multiple data breaches over time from companies across the web. That’s been going on for a long time.
Hackers have been using that information to sign into accounts at 23andMe.
Here’s how that works.
23andMe uses your email as the first step of signing on, then a password. If you use the same password at lots of places, and hackers compile breach information, they will know that the password “Fluffy” is associated with your email address, and they found it six different times in various data breaches.
So, they went to 23andMe and attempted to sign in with your email. Next, they tried “Fluffy” as your password, and voila, they were in – as you. Now the hacker has access to your profile information, not through any negligence at 23andMe, but because of data breaches elsewhere combined with an insecure and non-unique password.
Hackers then have access to DNA Relatives, shared matches, ethnicity, traits, and medical information. Furthermore, they can view the information of your matches who have opted to share their health information with you. Remember, the hacker is now operating as “you.”
Passwords
Many people reuse passwords at different sites because they are easy to remember.
DON’T REUSE PASSWORDS. Ever. Make them unique, hard or impossible to guess, and certainly not Fluffy or any other word that can be associated with you via social media. Also, never, ever answer those social media “fun” questions because you are unnecessarily giving information away publicly. Bad actors aggregate that information too.
You need to take remediation action immediately to secure your account.
Go to Settings under your initials in the upper right-hand corner of your account page.
Accounts You Manage
This also means that if you manage other people’s DNA kits within your own account, their accounts have been compromised through yours (if your account has been compromised), including any medical information.
Articles
Here are articles published within the past 24 hours for your review. Unfortunately, PC Magazine published a thread from X (formerly Twitter) where someone used a screenshot from my blog (without permission) which is part of how I got dragged into this and why I got notified.
- https://www.pcmag.com/news/23andme-warns-of-hacker-breaking-into-user-accounts
- https://cyberscoop.com/23andme-user-data-theft
- https://www.bleepingcomputer.com/news/security/genetics-firm-23andme-says-user-data-stolen-in-credential-stuffing-attack/
This thread was posted on Twitter two days ago. This data “leak” had been reported before that to 23andMe and may have existed since August.
The dark box is the hacker saying that if 23andMe does not announce a data breach within 24 hours, they will start sharing the user data. I’m not posting the threat here, but you can view it on X (former Twitter.)
23andMe gave their standard canned reply.
Then I inadvertently got dragged into this mess because, next, someone grabbed a screenshot from one of my blog articles from 2019, which exposed my name – then PC magazine published a screenshot of their posting.
In that article, I was writing about a 2019 relationship between 23andMe and FamilySearch, hence the arrow. I believe that the Twitter poster grabbed the image as an example of the 23andMe DNA Relatives user interface, but it was an unfortunate choice. They should have used their own, not scalped mine.
We really have no idea what may be discovered as this situation evolves, but at this point, 23andMe has stated that they are investigating.
The Second Issue
It appears there’s a second issue, too. The person who notified me of the original issue also told me that signing on to your own account, then replacing your profile ID with someone else’s profile ID displays their name and at least some of their information.
I’ve blurred my profile ID in the above string.
They had personally reported this to 23andMe, including emailing the CEO personally, and received the same boilerplate message as reported by others. Here’s a quote:
“Hi [xxx- name redacted] – Following a claim that someone had gained access to and is selling certain 23andMe customer data, we conducted an investigation. We have not identified any unauthorized access to our systems. We will continue to monitor the situation.”
I tried this with my matches’ IDs and could see their information, but of course I should be able to access my matches’ profiles, so I didn’t find this disturbing. I tried this with people I had invited to connect with that I don’t match, and I could see those as well. That too is expected. Although, I must admit that I was rather startled to be able to access it that way.
I tried randomly replacing digits and characters in my own profile ID and that didn’t work. But then again, there’s no way to know if the number I created was actually a valid profile ID.
Then, I signed on to an account of someone whose account I manage completely separately from my account and copied the profile ID of a second account I manage separately from my account. Those two people don’t know each other and are not related.
I could see the identity of the person whose profile ID I copied into the string, replacing the profile ID of the account I was signed into.
I saw the information below.
I’ve blurred the person’s name, initials in the purple circle, and their “about” information. However, notice that their current location is also exposed, along with their full name.
The good news is that I can’t see anything else. However, I shouldn’t be able to see this much.
I don’t think I could have done this:
- Without first being signed into a valid account AND
- Without knowing the profile identification, which I don’t think I could have found unless the person gave it to me, or unless it’s in the hacked information, which I understand that it is. However, if the hacked information includes the profile ID, that means the hackers are already into that account, so they don’t need to do this.
To be on the safe side, I’m removing “about” information other than ancestral surnames in my account and the accounts I manage.
I have never been comfortable with my current location being shown to anyone, including matches.
If you want to remove your location information, navigate to the map function under DNA Relatives and make your modification there.
Conclusion
Right now, I’m far more concerned about keeping you safe than 23andMe’s investigation. That’s analogous to figuring out who opened the barn door after half the herd is gone. Yes, it needs to be done and the issue addressed, but their investigation won’t help you right now.
The exposure may NOT be half of their database. It may NOT include you. Please assume it does and protect yourself.
Please change your password and consider implementing two-factor authentication. I recommend removing your location information.
Also, don’t reuse passwords. Here’s a great article about password safety.
I surely hope 23andMe is partnering with legal and security resources and has engaged an expert firm for compromise assessment.
In essence, the hacker was using our DNA information as a lever to attempt to force 23andMe to announce a breach. It’s unclear what their motivation is, but based on reports from multiple people who have seen these files, the threat is credible, as confirmed by 23andMe today. I’m not sure if the hackers really want to sell our data to bad actors on the dark web or already have, or if they want to extort money, essentially ransom, out of 23andMe, or what.
23andMe is a victim here, too, because the leaked information seems to be due to compromised user passwords that did NOT occur on their system. This has generated a lot of speculation about the motivation of the hacker.
Regardless, that doesn’t change the fact that the hacker has a huge amount of data, and it’s out of our control. I don’t know how to or if you will ever know if your data is included. I don’t know how 23andMe would be able to ascertain whose accounts are involved since the accounts were all signed into legitimately using the correct email and password.
While I realize that this situation is at least partly due to customers reusing passwords, that does not justify or rationalize the delay by 23andMe in taking the issue seriously, wasting valuable time, and allowing the hacker to gather more information. Nor does it excuse the second security issue, although that seems to be less serious.
I feel bad for any company targeted like this, while I’m also furious with 23andMe about their arrogance and cavalier attitude, resulting in unnecessary delay. Right now, as a customer, I’m not interested in playing the blame game or debating semantics about which type of compromise this is. It’s bad, regardless.
The hacker has attacked 23andMe AND their customers, you and me, but this could have been any company. The ONLY way to preclude this as a customer in a digital world is to maintain password security and use unique, complex passwords – on every account.
Hopefully, we will know more soon. In the meantime, change your password and lock down your account so that no one else has access.
Please share this article with genealogy organizations or anyone you know who has tested with 23andMe so they can protect themselves.
______________________________________________________________
Sign Up Now – It’s Free!
If you appreciate this article, subscribe to DNAeXplain for free to automatically receive new articles by email weekly.
Here’s the link. Look for the black “follow” button on the right-hand side of your computer screen below the black title bar, enter your e-mail address, click “Follow,” and you’re good to go!