The 23andMe Data Exposure – New Info, Considerations and A Pause Strategy

As most of you know, 23andMe has been suffering the effects of what appears to be a significant data compromise, meaning many of their customers’ information has been compromised or exposed.

Here’s the latest news indicating that information from millions more accounts has been offered on the dark web, along with 23andMe’s latest update, here.

I’ve been trying to keep up with the changes, and I must tell you, the hacker’s quotes in that Cybernews article chill me to the bone.

Furthermore, the depth of this issue is still unfolding, with a report of an earlier August breach.

What Has Happened

Essentially, because users had reused and recycled passwords, a bad actor was able to sign on to many customers’ accounts directly, acting “as” the customer, which allowed them to:

  • View (or change) personal information
  • View matches’ information
  • View matches in common
  • View triangulation information
  • View how your matches also match each other
  • View health information if you and your match have agreed to share at that level
  • View ethnicity, shared ethnicity, and ethnicity chromosome painting
  • View the family tree provided by 23andMe that provides an estimated reconstruction of your matches to you and each other to ancestors several generations into the past
  • View your profile information
  • Download your matches
  • Download your raw data file

Anything you can do or see, they could do or see because they were signed on as “you.”

That’s a lot, and I’m sure that 23andMe is struggling with how to keep their customers safe, especially since this data compromise was reportedly not due to a breach or “break-in” of their system or site, but due to social engineering failures. It’s also difficult to sort the truth from the rest.

Right now, things are moving so fast on this front that every time I have an article ready to publish, something else changes. I’m going to share what I do know, and what you can do.

Some Users Have Been Notified

I know of at least two people who have been notified by 23andMe that their data was exposed in the compromise, receiving the same email. The communication was nonspecific, partially extracted as follows.

After further review, we have identified your DNA Relatives profile as one that was impacted in this incident. Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.

Based on our investigation so far, we believe only your DNA Relatives profile attributes were exposed.

They did not say how 23andMe identified those customers, nor do I know.

This only applies to people whose information was partially exposed as a match to a compromised account. I don’t know if they have identified the compromised accounts and are notifying those people, too.

Given the reported magnitude of this exposure, I wonder why only two people have mentioned being informed. None of my accounts have been informed, nor those of family members.

Using Email as a User ID

Using an email address as half of your user ID essentially gives that piece of the puzzle away.

It makes users particularly vulnerable because bad actors only have to obtain the second half – a password. That’s a lot easier than you’d think.

If nothing else, this 23andMe incident illustrates just how many people engage in unsafe security practices.

Not all vendors utilize email as part of your user ID, and those that do often utilize other safety practices, including but not limited to two-factor authentication (2FA).

Forced Password Reset

Several days ago, 23andMe forced their customers to reset their passwords before signing in. Of course, by that time, millions of cows had already left the proverbial barn. Still, that was certainly the responsible thing for 23andMe to do, preventing additional damage, assuming their customers didn’t reuse yet another password.

I finally managed to reset my password, although that was anything but easy. In order to do a password reset, the standard procedure and the one 23andMe follows, is to send a reset link or key to your email address on file. However, if you changed your email, or it has been “blacklisted” because your carrier was down at some point when 23andMe tried to communicate with you, or the reset email wasn’t received for some other reason, you have to contact support to obtain assistance. Needless to say, 23andMe support is overwhelmed at this point.

23andMe has provided a Privacy and Security page, with suggestions, here.

Two-Factor Authentication

23andMe has NOT required their customers to implement two-factor authentication, known as 2FA.

They DO provide an option to enable 2FA, and I recommend that you do so. Generally, this means that every time you sign in, as part of that process, after entering your password, 23andMe will text a code to your phone or email one to you, or you can utilize a third-party authenticator application. Essentially, this adds a third step that communicates with you through some method that you control, in addition to your username and password. Yes, 2FA can be a pain, but it works. You’ll find information, here.

The Relatives in Common Change Before the Compromise

I was writing about this change when all Hades broke loose with this data compromise.

A week or two prior to the compromise, 23andMe made what may have appeared to them to be “cosmetic” changes, but to genealogists, 23andMe made genealogy and triangulation much more tedious and difficult. Certainly not impossible, just requiring several steps instead of one.

Previously, Relatives in Common under DNA Overlap said “yes” or “no.” Yes meant that I, a match (Tim), and a third person (Tony) triangulated. No meant we all matched each other but did not triangulate.

The 23andMe change replaced yes and no with “Compare.” That meant that customers were required to complete the following steps to get to “yes” or “no.”

  • You compared to person A (Tim)
  • You compared to person B (Tony)
  • Person A compared to person B (Tim to Tony)

It went from easy to painful, and now, since the compromise, it’s gone altogether.

Before I move on to what else has changed, I want to comment on the original change. I don’t think it’s connected to the current exposure situation, but I have no insider knowledge.

Given my background in technology, creating a permanent yes/no link means storing the relationships of each DNA segment to your matches, which quickly becomes a HUGE three-dimensional matrix. Storage requirements would be substantial. If you only compare three people when requested, those storage requirements disappear. Storage = $$$, and 23andMe has been struggling financially for some time.

23andMe stock is down 62% year to date, 72% since this time last year, and 92% over five years.

Based on this data, my assumption was that 23andMe was trying to save money, shaving anything anywhere it could. Genealogists were hoping to convince 23andMe to reverse their decision, but now it’s a moot point because DNA Relatives is gone altogether, at least for now, and 23andMe has much, much larger fish to fry.

23andMe Update

23andMe provided an update on their blog about changes they’ve made related to DNA Relatives, here.

However, DNA Relatives is ONLY HALF THE PROBLEM. 23andMe did not address the rest.

  1. A Direct Compromise – Your data was very clearly compromised IF YOUR ACCOUNT WAS DIRECTLY COMPROMISED. This means the situation where the bad actor was able to sign on to your account as you because your email and password were found in other data breaches. If you’ve ever reused a password, you have no way of knowing if your account was compromised and you must assume it was.
  2. Compromise Through DNA Relatives Matching – Your DNA Relatives information, as described in this 23andMe link may have been compromised, meaning revealed if ANY OF YOUR MATCHES’ ACCOUNTS WERE COMPROMISED. In other words, your information shown to a match was exposed if any of your 1500 (non-subscriber) or 4500 (subscriber only) matches had their account directly compromised – meaning signed into because they reused a password. Less of your data was compromised than in a direct exposure, but some of it very clearly would have been exposed in this scenario.
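To make the two exposure paths concrete, here is an added model (not code from the post or from 23andMe) of a small, constructed match graph: accounts whose passwords were reused are directly compromised, and every DNA Relatives match of such an account is indirectly exposed. The data classes, the 1500/4500 match-list sizes and the mutual health-sharing rule follow the post; the fraction of reused passwords is an assumed parameter, and the closed-form probability generalizes the post's point about match-list size.

```python
"""Direct vs. indirect exposure through DNA Relatives (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Set

# What a directly signed-in attacker can reach, per the post's list
DIRECT_EXPOSURE = {"profile", "matches", "triangulation", "ethnicity",
                   "family_tree", "raw_dna_file"}
# What 23andMe's notice says was exposed for matches of a compromised account
INDIRECT_EXPOSURE = {"dna_relatives_profile"}
HEALTH = "health_reports"  # reachable only if both sides opted in to share


@dataclass
class Account:
    email: str
    password_reused: bool                      # assumption: reused == in an old dump
    matches: Set[str] = field(default_factory=set)          # DNA Relatives list
    health_sharing: Set[str] = field(default_factory=set)   # people I share with


def link(accounts: Dict[str, Account], a: str, b: str) -> None:
    """Matching is symmetric: record the match on both accounts."""
    accounts[a].matches.add(b)
    accounts[b].matches.add(a)


def directly_compromised(accounts: Dict[str, Account]) -> Set[str]:
    return {k for k, acc in accounts.items() if acc.password_reused}


def exposure(accounts: Dict[str, Account]) -> Dict[str, Set[str]]:
    """Per account, the set of data classes an attacker could have reached."""
    out: Dict[str, Set[str]] = {k: set() for k in accounts}
    for victim in directly_compromised(accounts):
        out[victim] |= DIRECT_EXPOSURE
        for m in accounts[victim].matches:
            out[m] |= INDIRECT_EXPOSURE          # your match-facing profile
            # Health data is visible only with a mutual opt-in between the two
            if m in accounts[victim].health_sharing and victim in accounts[m].health_sharing:
                out[m].add(HEALTH)
    return out


def p_indirect(p_direct: float, n_matches: int) -> float:
    """Probability that at least one of n matches was directly compromised,
    if each match independently reused a password with probability p_direct."""
    return 1.0 - (1.0 - p_direct) ** n_matches


def sample_accounts() -> Dict[str, Account]:
    # Constructed data: only bob reused a password.
    accounts = {
        "alice": Account("alice@example.invalid", password_reused=False),
        "bob": Account("bob@example.invalid", password_reused=True),
        "carol": Account("carol@example.invalid", password_reused=False),
        "dave": Account("dave@example.invalid", password_reused=False),
    }
    link(accounts, "alice", "bob")
    link(accounts, "carol", "bob")
    link(accounts, "carol", "dave")
    accounts["alice"].health_sharing.add("bob")   # mutual health sharing
    accounts["bob"].health_sharing.add("alice")
    return accounts


if __name__ == "__main__":
    for who, data in exposure(sample_accounts()).items():
        print(f"{who:6s} exposed: {sorted(data) or 'nothing'}")
    # Assumed reuse rates applied to the post's match-list sizes
    for rate in (0.0001, 0.001, 0.01):
        print(f"reuse rate {rate:.2%}: "
              f"P(exposed | 1500 matches)={p_indirect(rate, 1500):.1%}, "
              f"P(exposed | 4500 matches)={p_indirect(rate, 4500):.1%}")
```

The second loop is the point of the post's "half the problem" section: even if only one match in a thousand reused a password, a 1500-match list leaves you exposed with roughly 78% probability, and a 4500-match list with about 99%.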

The link 23andMe provided only addresses what can be viewed through DNA Relatives. They did not mention health information if you and any specific match have authorized that level of sharing. I have not.

That’s not all, either.

If Your Account Was Directly Compromised, Your RAW DNA File Could Have Been Downloaded

If YOUR account has been signed into, the bad actor is functioning as you, and they can download your raw DNA file, which means they could upload it elsewhere. The hacker mentioned that specifically.

You do have to request a download at 23andMe. A notification is sent to your email when the download is ready, BUT, you don’t actually need that email to retrieve your download. If you simply sign out and back in again, and return to the download function, a notification awaits you that your download is now ready. Just click to download.

If your email address used at 23andMe is functioning correctly, you would have received a notification that you had requested a DNA file download. If you received a notification like this in the past few days/weeks/months, and you did NOT request a download, please inform 23andMe immediately. This could be one way that 23andMe might be able to determine whose accounts were directly compromised, and therefore whose accounts were indirectly compromised using DNA Relatives.

In my case, I was not receiving email notifications from 23andMe because my account had been blacklisted due to carrier issues, so I would never have received that email.

If your account was one that was compromised, your file may have already been downloaded. Check your inbox and spam folder to see if you have any notifications from 23andMe that escaped your notice.

It Could Still Be Happening

23andMe can only do so much.

They can force users to select a new password, but they can’t prevent people from reusing a different password, which means that the bad actor could still be trying to sign on to accounts – and getting into some.

Genealogy, including DNA, is a team sport. We have to depend on our matches.

23andMe could force everyone to use 2FA, but so far they have not opted to do that, probably because it would be very unpopular.

Additional Changes

The following DNA Relatives features have either been temporarily or permanently disabled or removed:

  • Download matches (which included matching segments) is no longer available
  • Relatives in common (three-way matching) is disabled entirely, so there are no shared matches or shared segments
  • Viewing how your matches match each other is gone
  • The chromosome browser is gone

However, other tools, such as the family tree that shows relationships, and health sharing are still available.

At 23andMe, What Can You Do?

Truthfully, I’ve been a hair’s breadth from deleting all of my tests at 23andMe for days. I manage two tests of my own and other relatives’ too.

23andMe has never been committed to genealogy and was always the least useful site for me. Having said that, I have had some close and very useful matches there that aren’t elsewhere.

I’m certainly never testing there again, but I really don’t want to give up on 23andMe altogether, at least not yet. I’ve already paid for several tests, and I would lose valuable information today, and the potential of the same in the future.

We can’t undo any damage that has already been done. That ship has sailed. However, we can take steps to protect ourselves, both today and tomorrow. In other words, we have options other than deleting our tests.

I’ve decided to pause, at least for now.

The Pause Strategy

Only you can protect yourself by selecting a unique, strong password. Not just at 23andMe, but every site you use on the internet for any purpose.

Until and unless 23andMe requires 2FA, you need to decide on a strategy to protect yourself from other people’s negligence.

You don’t have to permanently delete your tests. Instead, you can disable DNA Relatives, which means matching.

I’ve opted out of DNA Relatives while waiting to see what happens as 23andMe works through this quagmire. That means that I’m not participating directly in matching anymore. I’ve opted out all of the tests I manage as well. I can always opt back in when this problem is resolved, if that ever happens.

Opting Out of DNA Relatives

Here’s how to opt out.

Under the Ancestry tab, select DNA Relatives.

Click on Edit profile.

Scroll all the way to the very bottom.

At the bottom, click on “I would like to stop participating in DNA Relatives.”

I clicked on “Finish,” then verified that this profile is not shown as a match.

My profile prior to disabling DNA Relatives looked like this:

These are the same fields after disabling DNA Relatives.

Unfortunately, it does not appear that you can disable Connections broadly.

Apparently, you need to disable Connections one by one. I know that Connections can still see you, but they can’t see everything. You can find instructions here.

What I’d really like is an “invisibility” function that simply stops all sharing by making me invisible until I want to be visible again, without deleting my accounts. I’m more than a little irritated that connections remained, other than within the accounts I actually manage.

I still have not decided if I will eventually retain or delete my accounts, but disabling DNA Relatives helps somewhat and buys me some pause time while I make a final decision about 23andMe.

Your decision may not be as difficult. In addition to my genealogy research, I depend on my accounts at the various vendors for instructional articles for my blog.

Minimum Two Steps

No matter what else you do, implement the following NOW:

  1. Use a unique, difficult-to-guess, strong password at every vendor. Here and here are some ideas and guidelines for strong passwords.
  2. Turn on 2-factor authentication.
  3. If you did not previously use a unique password at 23andMe, presume your data was compromised.
  4. If you have to assume your data was compromised, be hyper-vigilant of anything unusual or strange.
  5. Check to see if the email address associated with your 23andMe account received a DNA file download notification that you did not initiate, and if so, notify 23andMe immediately at customercare@23andme.com or 1-800-239-5230.

Other Companies

Other DNA testing companies are taking precautions and reviewing safeguards. Some have or may disable some features as they move through the process. Don’t be angry if a feature you depend on is gone for now.

The situation is changing very rapidly. I don’t know if the changes at the vendors, including 23andMe, will be permanent, and the companies probably don’t yet either.

Right now, overall, patience is the word as this mess sorts itself out – but while being patient, be sure to review your own safeguards and follow safe online practices.


75 thoughts on “The 23andMe Data Exposure – New Info, Considerations and A Pause Strategy”

  1. I got that 23andMe email today, that you mentioned. My account and the family ones had unique passwords – not used on any other site. So my best guess is that someone among the 1500 matches’ accounts did not. I never had a photo there. Today I removed the city where I live and only left Minnesota and also removed the link to my Ancestry tree. Patricia

  2. I received that email from 23andme notifying me that my DNA Relatives data had been compromised. I changed my password and my location to USA. Even more disturbingly, 23andme thinks the hacker was targeting Jewish people. My ethnicity is Jewish.

  3. Roberta, I received an email from them today indicating that my account had been one that was compromised. I already changed my email address about a week ago, but I see that is not enough. Thank you for your very helpful post. This really is disconcerting.

  4. I got the 23andMe email last week. My password was only used at 23andMe and it has been changed.

    My wife tried to change her password but has not received the reset email after trying 3 days. She called them, they wouldn’t talk to me about her account. I chatted and emailed support. Still no reset email!

  5. Count me as one who received the 23andMe notice about 40 min before your blog msg came thru. Phrasing was exactly as your first example. The acct. is for my long deceased Dad but because he was an adoptee, to facilitate matches’ contact, about a year or so ago I enhanced his “profile” with extensive background info that certainly could be used for ID theft and possibly even lead back to me?
    Not a happy thought but it is what it is.
    I had already changed PW after prior notice but didn’t do 2nd auth. so am working on that aspect now…

  6. Thanks Roberta:
    I got one of those impacted account e-mails. I cleaned up my account like you suggested and removed my picture, but I feel like this is too late. It’s like buying a security system after a burglary, the jewels of the crown are already gone…
    I had already changed my password the week before when they asked to change again. I ran into problems setting up the 2-factor system, yet I do it on several other accounts without a problem.
    I feel the instructions on how to do it should be up-front on their website, not buried under 5 menus.
    But – guess what, the party is over!
    Thankfully I had transferred my raw data to FT-DNA. I am very tempted to delete my 23andMe account altogether…

  7. I hope they get this entity called “Golem”. I guess the damage has been done though. I’m confused about references to people of German descent (that’s me… most will be in the USA I’d guess.) I had read in other media recently that people of Jewish descent (me too) were somehow an initial focus… and then Chinese descent. The whole thing creeps me out.
    I also received an email today from 23andMe. For now, I have given up on trying to set up 2FA. It wasn’t working for me. I did have a rather obscure password…. but changed it anyway to another obscure password. Thanks for shedding some light on this.

  8. I’m another person to add to this list of users notified by 23andMe today that my account was part of the breach. Fortunately, I had limited my personal information at 23andMe to only that which they required.
    My password was also unique to 23andMe. Admittedly though, I use a core string of characters as the base of all my passwords but add unique character strings, including symbols and numbers when allowed, as the remainder of my passwords.
    So many websites *require* you to use your email address as the login ID. I don’t know how we get around that. Have a separate email address for every website?
    I checked my email address today at https://haveibeenpwned.com/ and was informed that it was involved in 1 data breach. (I don’t subscribe so I don’t know which breach it was. I’ve got a pretty good idea though.) Previously my email address was clean.

  9. I have done everything you suggested in this post, plus deleted anything I had in regards to personal information. TKU. I never received anything, probably because a few years ago I downloaded my raw DNA and then uploaded it to FTDNA, MyHeritage etc. and then deleted it from 23andMe. Then took the DNA tests from FTDNA and MyHeritage.
    I tried to comment on this but unfortunately I could not. I had to go and ask to follow you again, then sign in to WordPress and bingo now it works. While on WordPress I added 2FA.
    It used to be so easy ….. but not now.

  10. I just received an email that one of my profiles was compromised. My initial instinct was just as you said – to delete my data. However I decided that was letting the bad-actors win. So I have implemented 2 step authentication and will continue to wait and watch. I think something like this was inevitable but hopefully the other companies will learn from this.

  11. I just got the e-mail, too. No surprise; I’d assumed that most of us would have some matches who re-use passwords.

    I’ve decided not to delete my account, because that’s what “Golem” wants us to do, per an Oct. 17 post to his/their favorite hacker’s forum. Phooey on him/them – I’ll hang in there, at least for awhile!

  12. Ironically I had created a unique password AND email address strictly for 23andMe. To this day it has nothing on it but communications from 23andMe. I changed the password at the beginning of summer. And then again a couple weeks ago. I got the email from 23andMe while I was reading this. Reasonably sure everyone will get it. I am actually really depressed about this. I just recently got my cousin to join. I am afraid all the other genealogy sites are going to shut down the sharing. I have accomplished so much. I never shared any medical info with anyone I didn’t know face to face. I was getting invites from distant cousins wanting to share medical info and I never would. My deceased Mom’s DNA is here. I never got her on AncestryDNA. Seems like I remember AncestryDNA doing two factor authentication any time I cleared cookies but I haven’t seen that in a long time. I’m really sad.

  13. Thank you. I too received THE EMAIL. This is a much better explanation (professional and easily processed) than any communication from 23andMe. Ditto on 2 factor identification; although I still cannot navigate the offering by 23andMe on that subject.

  14. I am kinda surprised that 23andme did not, in the past, trigger 2FA with a change on the consumer side. I was getting them with AncestryDNA for a number of years IF I changed computers, internet or cleared cookies. Does this mean that my streaming platforms also have better security than 23andme? I don’t know. But if they don’t have this capability then they probably should make 2FA permanent. I hope this does not start a chain reaction with other DNA sites. They have some culpability here I think. I don’t know.

  15. This does surprise me. I remember in the past the 23andMe website was determined to be among the top 5 websites that were secure.

  16. I received the email that I am one of those on the list. I also tried the reset route, but no email came to my account!!!!!

  17. Seems like MyHeritage too disabled the chrom browser for now… understandable but unfortunate, that makes them basically useless for my research. Wonder if this is the beginning of the end for our hobby.

    • I know they have paused it for now. They have suffered the loss of employees due to the war, including deaths. Between that and the 23andMe breach? I’m sure they have their hands full and will hopefully restore that functionality when things calm down. You can still paint your segments at DNAPainter and triangulate that way.

      • Thank you again for helping us navigate… albeit this time is sad news for genetic genealogists.
        I had been using chromosome data a lot for sorting matches and making some progress on unknown ancestors. And only just yesterday got the MyHeritage’s processing results for another person whose raw data I had uploaded from FTDNA during their recent ‘free tools’ offer.

        My question is regarding your reply about MyHeritage. You wrote, “You can still paint your segments at DNAPainter and triangulate that way.”
        I do mapping at DNAPainter and have done many before from MyHeritage but I’m having trouble tonight seeing on MyHeritage where to find a match’s DNA segment data at all…
        Am I just missing where to find that data, to ‘paint’ it or simply to compare to with my DNAPainter map, or is that suddenly completely unavailable now, too?

        This is feeling pretty discouraging right now.
        But your help is a bright spot in the seeming chaos.
        Thanks for being such a good teacher.

    • Thank you Roberta for your valuable advice about the data leak at 23andMe. I myself am logged in there via my Google Account. Is this access also insecure?
      With best regards
      Wilfried

    • I really enjoyed looking at the ethnicities and genetic groups of my weekly match lists on MyHeritage, but that feature has been disabled. Thus, it’s no longer so interesting. It’s especially useful to see that info for the top matches. I also no longer see the top ethnicities of my matches.

  18. I received the second letter. I had a strong unique password in the first place, but did the reset as required to a new unique password.

    I need to set the 2FA, but will wait a day or two until there is better response.

    I was curious to see if this would affect my GEDmatch matches. When I looked, I did not seem to have excessive new matches. This has the potential to play havoc at GEDmatch.

    23andMe should keep lists of logins and the platforms they are accessed from. This could sort out a lot of problems for accounts with active users.
    Probably not much help, if the user is no longer active.

    I wonder if the entire structure of DNA sharing will have to change. The methods we use are all basically the simple approaches used from the early days of genetic genealogy. I am not sure what this would look like, but I suspect that convenience would suffer mightily.

  19. I also received an email a few days ago saying I had been compromised via a connected relative. I changed my password as required, but was not aware of the extent of the issue until reading this excellent assessment. I have followed your advice and removed all my connections. I also cancelled all sent requests to connect which had not yet been replied to. One thing I noticed is that even though I deleted all sent requests (6), when I displayed my connections again, there were another 5 pending requests, so make sure your connections list is completely empty before logging out.

  20. I received the email yesterday. So much for the specific ethnicities being targeted. I am none of the ones listed. Thank you for all your blogs.

  21. I have also gotten the impacted notice from 23andMe. My question is, what exactly can this hacker do with this data? Of what use is it to him? That’s what I don’t really understand.

    • I do understand but I don’t want to speculate publicly about the generic information. It can be used to target people of certain ethnicities or identify your relatives. For one thing, on the business side, it can be used as leverage to extract $ or sold to the highest bidder or to ruin a company.

    • I don’t know. Look in your account and see if payment method is retained and visible. Generally it’s not on most websites. But if you can do it, they can do it if they sign on as you.

  22. I had a unique password. Received the RESET YOUR PASSWORD email from 23andMe last week. Changed it to another unique 20+ character password. Received the newest email from them that my data had likely been compromised through a 23andMe “Connection”. No further details other than what’s been summarized in this blog.

    Current subscribers to 23andMe get 5000 DNA matches, NOT 4500, plus any others they have “connected” with. For me, that’s a total of 5014 matches. I’ll consider 2FA as a possibility, but not jumping on *that* bandwagon.

    I lived through 4 data breaches in 2016, all connected somewhat through my employment with the U.S. government, although I’d been retired over 4 years at the time of data breaches. My health insurance data was breached via Blue Cross/Blue Shield which was the keeper of data for the affiliate health insurance I had at the time “BlueChoice.” Blue Choice was breached shortly thereafter. And my government security clearance information was hacked along with a lot of of other Federal employees, Federal retirees, Federal job applicants, and Federal contractors around the same time. I don’t think the U.S. government ever publicly said who the “bad actor” was, but the Chinese government was mentioned in news stories about the data breaches at the time.

  23. Thanks Roberta, I’m glad you are on the case. Any insight into MyHeritage, which seems to have blocked the chromosome browser feature? I haven’t even seen where they put out a notice.

    To my thinking the Raw Data Download should require 2FA and/or other special considerations. As for the rest of it, with massive matchlists (okay, 23’s lists are truncated, I get that) it wouldn’t take too many people to join as explicit bad actors to be able to scrape significant portions of the data. That’s always been a risk. I hope they will tighten up the Raw Data Download and restore the rest of it. But if you or anyone else knows some special risk that comes from an understanding of the matching data, I’d love to know. I mean we still all have our genealogy trees out there!

    Thanks again you are truly doing the community a service.

    • MyHeritage is acting out of an abundance of caution until more is known. They are also in the middle of a war over there.

  24. If I download my raw DNA data, can I delete my DNA at 23andMe and then close my account? I think that would be the most effective method?

  25. I’ve gotten 2 or 3 emails from 23andMe about this.

    I didn’t really expect any information I put on my profile for all my matches to see to be all that private. Not sure that it matters all that much whether a hacker using someone else’s account can see my profile info.

  26. I decided to try to download my match list. It does give the option to do so. Even a link when it is ready, but then the message comes up that the file is empty. In this process I see other options on this page. I do not know how to get to this page except through a link from my email. I tried to locate it through the menus and could not find it. I am unaware of what some of these downloads are and can do for further research.

    23andMe Data
    Download your Personal Information from 23andMe. Choose what you would like to download.

    Reports Summary
    Ancestry Composition Raw Data
    DNA Relatives Data
    Family Tree Data
    Raw Data
    Imputed Genotype Data R6
    Phased Genotype Data
    Profile Data
    Delete Data

    • I believe a link to the page RH indicates (with the “Download your Personal Information”) can be found on the User/Settings page. Scroll down to the bottom, where it says “23andMe Data,” and the first item is “Download your Data.” Click on the “View” button. That will get you to the “23andMe Data” page. If someone had access to your account, there is a lot they can download here, but some is sent to your email. I had downloaded or requested most, if not all, of the items on that page in 2022, for myself. In our profiles, I had not entered correct birth dates for me or my parent who had tested.

      • The Reports Summary was 7 pages long for me, and aside from Ancestry Reports, contains what is also on your Health & Traits/All Reports page (4 with asterisks):
      – *Health Predisposition Reports (mine says 9+ reports available)
      – *Carrier Status Reports (44+ reports for me)
      – *Wellness Reports (8+)
      – Ancestry Reports (6+, seems the same as menu item Ancestry/All Ancestry Reports)
      – *Traits Reports (33+)
      (this page links to a printable Reports Summary)

      • Ancestry Composition Raw Data (download): this is a .csv file which shows ancestry (by category, i.e. British & Irish, etc.) for both alleles (maternal and paternal, not labeled as such), and the start and end points on a chromosome for the particular allele. This is at 50% confidence threshold unless you change it at the bottom of your Ancestry/Ancestry composition page.

      • The Family Tree Data is downloaded as a .json file. This is the tree 23andMe creates based on your DNA matches. Description says: “This may include information such as the positions of genotyped and self-reported relatives, and any biographical or health information you have self-reported about yourself and your relatives.”

      • Raw Data (emailed): plain text file of your raw genetic data (A, T, G, C); you request it and they send via email to you.

      • Imputed Genotype Data R6 (submit request to download, notified by email) – for me, all it had was a .txt file that said “No data found in this category.” You need to check a box to indicate you read a statement before the download button is active.

      • Phased Genotype Data (submit request to download, notified by email) – I don’t seem to have requested this. Same thing with statement and checked box as above.

      • Profile Data: you can check boxes to choose any of the items below, and request a download. They notify you by email. It can take up to 30 days to process this. The results are in .csv format.
      – Account Event History – this goes back as early as the creation of your account. It has your name & sex, IP address used for each “event type” (logins/outs, password changes, and many other things), “feed item ID,” which is reports and articles, with dates for the latter two (event type & feed item).
      – Addresses – your street address, state, ZIP code, country, and your name.
      – Ancestry Books – not sure, I only had a readme file in mine.
      – Clickstream Data – date of visit, browser & version, “user agent” (device used, i.e. desktop, etc.), device category (operating system & version #), screen resolution, location (town, metro area, region, country), URLs of 23andMe pages in your account that you visited.
      – Computed Data – .csv file: mine has over 12,000 lines; your sex; haplogroups; Neanderthal info; population proportions from 50-80% confidence, trio phased with one parent (in my case, one of my parents had tested)
      – Consent History – categories of: legal document (i.e., TOS, informed consent, biobanking); status (accepted or other); time created and time updated.
      – DNA Relatives Annotations – I don’t have this one
      – Game Logs – no data found, for me
      – Lab Values – no data found, for me
      – Name Change History – ditto
      – Notifications – I don’t seem to have this
      – Order History – email address, full name, order ID, phone #, price (paid for product), product name (i.e. Personal Genome Service or other), date created (account). Some headings for Conversion rate and currency.
      – Passive Activity – no data found, for me
      – Phenotype Data – this file contained column headings for about me, ancestry ID (for surnames and places), some columns continuing from the previous heading. Also showed the tester’s birth date and birth year.
      – Product Feedback – appears to be for the Family Tree, and if you submitted any comments about it.
      – Profile Group Tag – no data found, for me
      – Recommendations Data – don’t have this one
      – Shared Reports – no data found, for me

      I had another in my Profile Data:
      – Derived Phenotype Data – attribute, and value headings. Various mixed descriptions, from reported ethnicities to activity during sleep to research portal consent.
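The Account Event History export described above is the one file in that list that lets an account owner check for themselves whether someone else signed in. The script below is an added example, not code from the original post or from 23andMe: it parses a constructed CSV in the shape the commenter describes (an event type, the IP address used, and a date for each event) and flags logins and password changes from addresses the owner does not recognise. The column names, the sample rows and the list of known addresses are assumptions, since the real export's headers are not given on the page; adjust them to match your own file.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the shape the comment describes (event type, IP per
# event, date). The real 23andMe column names are not on the page; these
# headers and rows are an assumption for illustration only.
SAMPLE_EVENT_HISTORY = """\
event_type,ip_address,timestamp
login,203.0.113.7,2023-09-28T14:02:11Z
logout,203.0.113.7,2023-09-28T15:10:44Z
login,203.0.113.7,2023-10-01T09:30:02Z
login,198.51.100.23,2023-10-03T03:14:55Z
password_change,198.51.100.23,2023-10-03T03:16:20Z
login,203.0.113.7,2023-10-04T18:05:10Z
"""

# Addresses the account owner recognises (home, phone, work); assumption.
KNOWN_IPS = {"203.0.113.7"}

# Event types worth reviewing when they come from an unknown address.
SENSITIVE_EVENTS = {"login", "password_change", "email_change"}


def parse_events(csv_text):
    """Turn the exported CSV text into a list of event dicts with parsed UTC timestamps."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append({
            "event_type": row["event_type"].strip().lower(),
            "ip": row["ip_address"].strip(),
            "time": datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
        })
    return events


def find_suspicious_events(events, known_ips=KNOWN_IPS):
    """Sensitive events from addresses the owner does not recognise, oldest first."""
    hits = [e for e in events
            if e["event_type"] in SENSITIVE_EVENTS and e["ip"] not in known_ips]
    return sorted(hits, key=lambda e: e["time"])


def first_unknown_login(events, known_ips=KNOWN_IPS):
    """Earliest login from an unknown address: anything shared with matches after
    this point should be treated as exposed."""
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_type"] == "login" and e["ip"] not in known_ips:
            return e
    return None


def events_by_ip(events):
    """Count of events per address, useful for spotting a one-off visitor."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENT_HISTORY)
    for e in find_suspicious_events(evs):
        print(f"{e['time'].isoformat()}  {e['event_type']:16}  from {e['ip']}")
    first = first_unknown_login(evs)
    if first:
        print("first unrecognised login:", first["time"].isoformat())
```

Run it against your own export by replacing `SAMPLE_EVENT_HISTORY` with the file contents and `KNOWN_IPS` with the addresses you use. A login from an unfamiliar address followed minutes later by a password or email change is the pattern to look for; the timestamp of the first unrecognised login tells you how far back to assume your matches' shared information was viewed.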

  27. I was notified that I was affected but I’m not sure what if anything I need to do. Somewhere in the past I told 23andme to log me in with Google and that is currently the only way I can login. Does that mean I’m really OK or does it mean I need to change my Google password?

  28. I got the email so apparently I was part of this leak. The problem is they can tell us to do two factor and change our password, but that is meaningless. My account is secure with an impossible password, but yet here I am ‘hacked’ because of the thousands of shared matches who did not secure their account. Now we have no shared matches at all. Everything that is in my profiles, I truly do not care if someone is reading. It’s much the same as the public AncestryDNA profiles. Don’t put something there you don’t want people to see. Anyone can see your public profile pages.

    The CEO of 23andme doesn’t even like genetic genealogy, so I am worried about the future of our hobby. If it becomes too much of a hassle, they could remove it just like they removed the triangulation tools without any warning. I still think it is ALL connected. And now apparently MyHeritage has removed segment information. Too many coincidences for me.

    • MyHeritage removed them as soon as it was clear there was some problem in an abundance of caution. If the hacker truly is targeting Jewish people, do you really want them knowing who your Jewish children and grandchildren are?

        • You said not to put something there you didn’t want other people to see. My point was that the information wasn’t just what you put in your profile. It’s who you match and their relationship to you, and to each other. And corresponding ethnicity. Some people included the city where they lived. That combination of information provided to a hacker and in the wrong hands could be deadly.

  29. I am wondering about how much data was actually accessed. If no data breach occurred on the 23andMe servers where entire databases could be downloaded, that means that an unauthorized person would have to manually log on, navigate to the information they want and then initiate a download of that one account’s data. It would seem to be very time consuming to do this thousands of times when there is not a monetary payback at the end of the effort. Am I thinking about this correctly?

    • Yes. I have the same questions. It could potentially have been scripted though. So maybe not manual. Still, that’s a lot to remain unnoticed.

  30. I do remember MyHeritage was hacked a number of years ago. They made me create a new password. Does anyone remember this and what was affected?

  31. I used the Authy 2-step verification app to add that to my 23andme account (took several attempts but finally got that set up) and also to my MyHeritage account. It works well at both sites. Set up 2-step verification also at Ancestry. FTDNA doesn’t currently have that capability for 2-step verification (that I could find) and I’m wondering if that might be in the works?

    • I saw that an hour or two ago and I have to say, I’m utterly stunned. That’s just shocking – to introduce something so incredibly personal in the midst of a data breach when the people who were originally compromised don’t even know who they are yet. Like, no one is going to notice or care? I would have thought they would understand the depth of this incident first, apply remediation, and assure that everything is actually safe before introducing something like this. Wow. Just wow.

      • Yes, I was shocked at the price. It looks like it is exome testing and not full sequence testing. Some of the full sequence testing websites do offer health info. I just do not know all the details. Exomes are supposed to be the coding part of DNA so would be of interest for health. I had thought that the move was to use full sequence testing for research and health because the costs have come down and there are a lot of unknowns that are discovered with full sequence. But I am not an expert in this.

        Concerning the timing, they may have already planned to do this and decided not to put it on hold, or perhaps were not able to put it on hold. Maybe they know more about the data breach than what they are telling us. Part of the breach from my understanding was users that were not responsible about their passwords. I am not sure how they know or how many users use the same password on their own websites. It would seem though that the other DNA websites would also be hacked for those users that use the same password. Maybe there is something about the 23andme website that is more attractive than the other DNA genealogy websites.

        • You’re exactly right. Exome. I had that done 10 years ago. This is not a test of discovery. I’m amazed, especially at that price, it isn’t WGS. This is tone deaf at best.

          • They recently increased their prices for all their tests. Much higher than the other websites. So that is their current thinking. 23andme was a viable option but with the price increase I wonder if people will still do so.

  32. COMPARE is the big problem for me, but it turned into an opportunity.
    I hadn’t even noticed you could download your segment matches until another blogger mentioned it. Now I am finding some interesting stuff from loading the segments at DNAPainter.
    But would I now recommend 23andMe to someone else looking for family?
    As a last resort for a beginner – it’s just too hard now without some DNA genealogy experience.

  33. I tried to see the recent account activity that you discussed but I could not find the tab. I looked at settings under the profile. Is it different if you do not have the 23andme plus?

  34. I was notified that my 23andMe account was one of the accounts that was compromised. I had read that the hacker was particularly targeting Ashkenazi Jews and Asians. I am not Asian. I am an Ashkenazi Jew, but there is absolutely nothing in my 23andMe account that would indicate that. In addition, I have never seen any DNA relatives on 23andMe who have self-identified as Jewish. I did, of course, change my password, and I have the 2-step verification now.
