As most of you know, 23andMe has been suffering the effects of what appears to be a significant data compromise, meaning many of their customers’ information has been compromised or exposed.
Here’s the latest news indicating that information from millions more accounts has been offered on the dark web, along with 23andMe’s latest update, here.
I’ve been trying to keep up with the changes, and I must tell you, the hacker’s quotes in that Cybernews article chill me to the bone.
Furthermore, the depth of this issue is still unfolding, with a report of an earlier August breach.
What Has Happened
Essentially, due to users who have reused and recycled passwords, a bad actor was able to sign on to many customers’ accounts directly, acting “as” the customer, which allowed them to:
- View (or change) personal information
- View matches’ information
- View matches in common
- View triangulation information
- View how your matches also match each other
- View health information if you and your match have agreed to share at that level
- View ethnicity, shared ethnicity, and ethnicity chromosome painting
- View the family tree provided by 23andMe that provides an estimated reconstruction of your matches to you and each other to ancestors several generations into the past
- View your profile information
- Download your matches
- Download your raw data file
Anything you can do or see, they could do or see because they were signed on as “you.”
That’s a lot, and I’m sure that 23andMe is struggling with how to keep their customers safe, especially since this data compromise was reportedly not due to a breach or “break-in” of their system or site, but due to social engineering failures. It’s also difficult to sort the truth from the rest.
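The sign-on pattern described above, one actor trying credentials from other breaches against many different accounts, leaves a distinctive trace in a site’s authentication logs. The following is an added example, not code from 23andMe or from this blog: a small log analysis that groups login attempts by client address and flags clients that touched many distinct accounts with a low success rate. The log lines and their format (timestamp, ip=, user=, result=) are constructed for the example; the accounts it lists under “accounts_entered” are the ones an operator would treat as directly compromised.

```python
"""Spotting a credential-stuffing pattern in authentication logs.

Added example (not 23andMe code). The log format and every line in
SAMPLE_LOG are constructed: a normal user on 198.51.100.7 mistypes once
and then signs in, while 203.0.113.5 walks a list of reused credentials
through many accounts and gets into two of them.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=198.51.100.7 user=alice@example.com result=fail
2023-10-01T12:00:09Z ip=198.51.100.7 user=alice@example.com result=ok
2023-10-01T12:01:00Z ip=203.0.113.5 user=bob@example.com result=fail
2023-10-01T12:01:01Z ip=203.0.113.5 user=carol@example.com result=fail
2023-10-01T12:01:02Z ip=203.0.113.5 user=dave@example.com result=ok
2023-10-01T12:01:03Z ip=203.0.113.5 user=erin@example.com result=fail
2023-10-01T12:01:04Z ip=203.0.113.5 user=frank@example.com result=fail
2023-10-01T12:01:05Z ip=203.0.113.5 user=grace@example.com result=fail
2023-10-01T12:01:06Z ip=203.0.113.5 user=heidi@example.com result=ok
2023-10-01T12:01:07Z ip=203.0.113.5 user=ivan@example.com result=fail
"""

# Hypothetical line layout used by the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class ClientStats:
    """Per-client-address counters accumulated over the log."""
    users: set = field(default_factory=set)      # every account this client tried
    ok_users: set = field(default_factory=set)   # accounts it actually got into
    failures: int = 0
    successes: int = 0


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def aggregate(events):
    """Group attempts by client address."""
    stats = defaultdict(ClientStats)
    for ev in events:
        s = stats[ev["ip"]]
        s.users.add(ev["user"])
        if ev["result"] == "ok":
            s.successes += 1
            s.ok_users.add(ev["user"])
        else:
            s.failures += 1
    return stats


def flag_stuffing(stats, min_distinct_users=5, max_success_ratio=0.5):
    """A client is suspicious when it tries many different accounts and
    mostly fails: a legitimate user retries one account, a stuffing run
    spreads attempts across many and succeeds only where a password was reused."""
    flagged = {}
    for ip, s in stats.items():
        attempts = s.failures + s.successes
        ratio = s.successes / attempts if attempts else 0.0
        if len(s.users) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(s.users),
                "attempts": attempts,
                "success_ratio": round(ratio, 2),
                "accounts_entered": sorted(s.ok_users),
            }
    return flagged


def analyze(text, **thresholds):
    return flag_stuffing(aggregate(parse_log(text)), **thresholds)


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are deliberately simple; in a real deployment they would be tuned against normal traffic and combined with the other signals the post mentions later, such as a password reset and a notification for every account in “accounts_entered”.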
Right now, things are moving so fast on this front that every time I have an article ready to publish, something else changes. I’m going to share what I do know, and what you can do.
Some Users Have Been Notified
I know of at least two people who have been notified by 23andMe that their data was exposed in the compromise, receiving the same email. The communication was nonspecific, partially extracted as follows.
After further review, we have identified your DNA Relatives profile as one that was impacted in this incident. Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.
Based on our investigation so far, we believe only your DNA Relatives profile attributes were exposed.
They did not say, nor do I know how 23andMe identified those customers.
This only applies to people whose information was partially exposed as a match to a compromised account. I don’t know if they have identified the compromised accounts and are notifying those people, too.
Given the reported magnitude of this exposure, I wonder why only two people have mentioned being informed. None of my accounts have been informed, nor those of family members.
Using Email as a User ID
Using an email address as half of your user ID essentially gives that piece of the puzzle away.
It makes users particularly vulnerable because bad actors only have to obtain the second half – a password. That’s a lot easier than you’d think.
If nothing else, this 23andMe incident illustrates just how many people engage in unsafe security practices.
Not all vendors utilize email as part of your user ID, and those that do often utilize other safety practices, including but not limited to two-factor authentication (2FA).
Forced Password Reset
Several days ago, 23andMe forced their customers to reset their passwords before signing in. Of course, by that time, millions of cows had already left the proverbial barn. Still, that was certainly the responsible thing for 23andMe to do, preventing additional damage, assuming their customers didn’t reuse yet another password.
I finally managed to reset my password, although that was anything but easy. In order to do a password reset, the standard procedure and the one 23andMe follows, is to send a reset link or key to your email address on file. However, if you changed your email, or it has been “blacklisted” because your carrier was down at some point when 23andMe tried to communicate with you, or the reset email wasn’t received for some other reason, you have to contact support to obtain assistance. Needless to say, 23andMe support is overwhelmed at this point.
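A forced reset only helps if the replacement password is not itself one that has already leaked. Sites that want to enforce that can check a candidate password against a corpus of breached hashes without ever sending the password, or even its full hash, to the lookup service: hash it, send only the first five hex characters of the SHA-1, and compare the remaining suffix locally against the list that comes back (the k-anonymity scheme used by Have I Been Pwned’s Pwned Passwords range endpoint). The following is an added example, not 23andMe’s code: the breach corpus is a small constructed in-memory set standing in for that service, and the length rule is an assumed policy.

```python
"""Breached-password check using the k-anonymity range lookup.

Added example. CONSTRUCTED_BREACHED is a tiny stand-in for a real breach
corpus; in production, range_lookup() would be a request to a service
that returns all hash suffixes under a 5-character SHA-1 prefix.
"""
import hashlib

# Constructed corpus of leaked passwords (plaintext only so this example
# can build its own hash index offline).
CONSTRUCTED_BREACHED = {"password123", "letmein", "qwerty", "123456"}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Index breached hashes by 5-char prefix, as the range service does."""
    index = {}
    for pw in plaintexts:
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(h[5:])
    return index


BREACH_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def range_lookup(index, prefix):
    """Everything the remote side would learn is this 5-character prefix.
    It answers with every suffix it holds under that prefix."""
    assert len(prefix) == 5
    return index.get(prefix, [])


def is_breached(password, index=BREACH_INDEX):
    """Compare the 35-character suffix locally; the full hash never leaves."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return suffix in range_lookup(index, prefix)


def password_reset_allowed(new_password, index=BREACH_INDEX, min_len=12):
    """Assumed reset policy: minimum length plus not-known-breached.
    Returns (allowed, reasons) so the UI can tell the user why."""
    reasons = []
    if len(new_password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if is_breached(new_password, index):
        reasons.append("appears in a known breach corpus; it has likely been reused")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["letmein", "correct horse battery staple"]:
        print(candidate, password_reset_allowed(candidate))
```

The point of splitting the hash is that a user’s choice of password reveals nothing to the lookup service beyond a prefix shared with hundreds of other hashes, so the check can be run on every reset without creating a new secret to protect.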
23andMe has provided a Privacy and Security page, with suggestions, here.
Two-Factor Authentication
23andMe has NOT required their customers to implement two-factor authentication, known as 2FA.
They DO provide an option to enable 2FA, and I recommend that you do so. Generally, this means that every time you sign in, as part of that process, after entering your password, 23andMe will text a code to your phone or email one to you, or you can utilize a third-party authenticator application. Essentially, this adds a third step that communicates with you through some methodology that you control, in addition to your username and password. Yes, 2FA can be a pain, but it works. You’ll find information, here.
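The authenticator-app option mentioned above is the time-based one-time password scheme from RFC 6238: the app and the site share a secret, both derive a short code from that secret and the current 30-second time step, and a stolen password alone is not enough to sign in. The following is an added example, not 23andMe’s implementation, showing the code generation and a verification routine that tolerates one step of clock drift and refuses to accept the same code twice. The secret used is the RFC’s own published test secret so the output can be checked against its test vectors; the replay-tracking set is an assumption about how a server would store used counters.

```python
"""TOTP (RFC 6238) generation and verification.

Added example (not 23andMe code). Uses HMAC-SHA1 and the RFC 6238
reference secret so the results can be checked against the RFC's
published vectors (time 59 -> 94287082 with 8 digits).
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret, ASCII "12345678901234567890", in the Base32 form
# that authenticator apps accept when you enroll.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32):
    return base64.b32decode(b32.upper())


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC the 8-byte counter, dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP is HOTP with the counter set to the current time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time=None, step=30, digits=6,
                window=1, used_counters=None):
    """Accept the code for the current step or `window` steps either side
    (phone clocks drift). `used_counters` (assumed server-side storage)
    records accepted steps so a captured code cannot be replayed."""
    if at_time is None:
        at_time = time.time()
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if used_counters is not None and counter in used_counters:
            continue  # already spent: refuse replay even inside the window
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if used_counters is not None:
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    secret = decode_secret(RFC6238_SECRET_B32)
    print("current 6-digit code:", totp(secret))
    print("RFC vector at t=59:", totp(secret, 59, digits=8))
```

Two details matter on the server side: compare with `hmac.compare_digest` rather than `==`, and remember which time steps have already been accepted, since a code that was phished or shoulder-surfed is still valid for the rest of its window otherwise.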
The Relatives in Common Change Before the Compromise
I was writing about this change when all Hades broke loose with this data compromise.
A week or two prior to the compromise, 23andMe made what may have appeared to them to be “cosmetic” changes, but to genealogists, 23andMe made genealogy and triangulation much more tedious and difficult. Certainly not impossible, just requiring several steps instead of one.
Previously, Relatives in Common under DNA Overlap said “yes” or “no.” Yes meant that I, a match (Tim), and a third person (Tony) triangulated. No meant we all matched each other but did not triangulate.
The 23andMe change replaced yes and no with “Compare.” That meant that customers were required to complete the following steps to get to “yes” or “no.”
- You compared to person A (Tim)
- You compared to person B (Tony)
- Person A compared to person B (Tim to Tony)
It went from easy to painful, and now, since the compromise, it’s gone altogether.
Before I move on to what else has changed, I want to comment on the original change. I don’t think it’s connected to the current exposure situation, but I have no insider knowledge.
Given my background in technology, creating a permanent yes/no link means storing the relationships of each DNA segment to your matches, which quickly becomes a HUGE three-dimensional matrix. Storage requirements would be substantial. If you only compare three people when requested, those storage requirements disappear. Storage = $$$, and 23andMe has been struggling financially for some time.
23andMe stock is down 62% year to date, 72% since this time last year, and 92% over five years.
Based on this data, my assumption was that 23andMe was trying to save money, shaving anything anywhere it could. Genealogists were hoping to convince 23andMe to reverse their decision, but now it’s a moot point because DNA Relatives is gone altogether, at least for now, and 23andMe has much, much larger fish to fry.
23andMe Update
23andMe provided an update on their blog about changes they’ve made related to DNA Relatives, here.
However, DNA Relatives is ONLY HALF THE PROBLEM. 23andMe did not address the rest.
- A Direct Compromise – Your data was very clearly compromised IF YOUR ACCOUNT WAS DIRECTLY COMPROMISED. This means the situation where the bad actor was able to sign on to your account as you because your email and password were found in other data breaches. If you’ve ever reused a password, you have no way of knowing if your account was compromised and you must assume it was.
- Compromise Through DNA Relatives Matching – Your DNA Relatives information, as described in this 23andMe link, may have been compromised, meaning revealed, if ANY OF YOUR MATCHES’ ACCOUNTS WERE COMPROMISED. In other words, your information shown to a match was exposed if any of your 1500 (non-subscriber) or 4500 (subscriber only) matches had their account directly compromised – meaning signed into because they reused a password. Less of your data was compromised than in a direct exposure, but some of it very clearly would have been exposed in this scenario.
The link 23andMe provided only addresses what can be viewed through DNA Relatives. They did not mention health information if you and any specific match have authorized that level of sharing. I have not.
That’s not all, either.
If Your Account Was Directly Compromised, Your RAW DNA File Could Have Been Downloaded
If YOUR account has been signed into, the bad actor is functioning as you, and they can download your raw DNA file, which means they could upload it elsewhere. The hacker mentioned that specifically.
You do have to request a download at 23andMe. A notification is sent to your email when the download is ready, BUT, you don’t actually need that email to retrieve your download. If you simply sign out and back in again, and return to the download function, a notification awaits you that your download is now ready. Just click to download.
If your email address used at 23andMe is functioning correctly, you would have received a notification that you had requested a DNA file download. If you received a notification like this in the past few days/weeks/months, and you did NOT request a download, please inform 23andMe immediately. This could be one way that 23andMe might be able to determine whose accounts were directly compromised, and therefore whose accounts were indirectly compromised using DNA Relatives.
In my case, I was not receiving email notifications from 23andMe because my account had been blacklisted due to carrier issues, so I would never have received that email.
If your account was one that was compromised, your file may have already been downloaded. Check your inbox and spam folder to see if you have any notifications from 23andMe that escaped your notice.
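The notification described above is useful because a raw-data export is rare, high-impact, and tied to a session; an operator can go one step further and score each export request by whether the session that made it looks like the account’s owner. The following is an added example, not 23andMe’s code, of that check: every account keeps the IP address and browser string of its earlier successful sign-ins, and an export from a never-before-seen address and client is rated high risk. All account histories and export requests below are constructed, and the three-level risk scale is an assumption.

```python
"""Rating raw-data export requests by how unfamiliar the session is.

Added example (not 23andMe code). KNOWN_SESSIONS and EXPORT_REQUESTS are
constructed. The idea: an export from an address and client that the
account has never used before is the kind of event worth notifying the
user about and, if confirmed, treating the account as directly compromised.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    ip: str
    user_agent: str


# Constructed: (ip, user agent) pairs seen on earlier successful sign-ins.
KNOWN_SESSIONS = {
    "alice@example.com": {
        Session("198.51.100.7", "Firefox/117"),
        Session("198.51.100.7", "Firefox/118"),
    },
    "bob@example.com": {Session("192.0.2.44", "Safari/16")},
}

# Constructed export requests: (timestamp, account, ip, user agent).
EXPORT_REQUESTS = [
    ("2023-09-30T10:00:00Z", "alice@example.com", "198.51.100.7", "Firefox/118"),
    ("2023-10-01T12:05:00Z", "bob@example.com", "203.0.113.5", "python-requests/2.31"),
    ("2023-10-01T12:06:00Z", "alice@example.com", "198.51.100.7", "Firefox/119"),
]

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}  # assumed scale


def assess_export(account, ip, user_agent, known=KNOWN_SESSIONS):
    """Both attributes new -> high; one new -> medium; both familiar -> low.
    An account with no history at all is treated as entirely new."""
    seen = known.get(account, set())
    new_ip = ip not in {s.ip for s in seen}
    new_ua = user_agent not in {s.user_agent for s in seen}
    if new_ip and new_ua:
        return "high"
    if new_ip or new_ua:
        return "medium"
    return "low"


def flag_exports(requests=EXPORT_REQUESTS, known=KNOWN_SESSIONS, min_risk="medium"):
    """Return the export requests at or above `min_risk`, oldest first."""
    flagged = []
    for ts, account, ip, ua in requests:
        risk = assess_export(account, ip, ua, known)
        if RISK_ORDER[risk] >= RISK_ORDER[min_risk]:
            flagged.append({"ts": ts, "account": account, "risk": risk,
                            "ip": ip, "user_agent": ua})
    return flagged


if __name__ == "__main__":
    for item in flag_exports():
        print(item)
```

A browser upgrade (Firefox/118 to Firefox/119 from the same address) lands at medium and is normally noise; a scripted client from a fresh address against an account that has only ever used one browser is exactly the case where the user should be asked whether they requested the file.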
It Could Still Be Happening
23andMe can only do so much.
They can force users to select a new password, but they can’t prevent people from reusing a different password, which means that the bad actor could still be trying to sign on to accounts – and getting into some.
Genealogy, including DNA, is a team sport. We have to depend on our matches.
23andMe could force everyone to use 2FA, but so far they have not opted to do that, probably because it would be very unpopular.
Additional Changes
The following DNA Relatives features have either been temporarily or permanently disabled or removed:
- Download matches (which included matching segments) is no longer available
- Relatives in common (three-way matching) is disabled entirely, so there are no shared matches or shared segments
- Viewing how your matches match each other is gone
- The chromosome browser is gone
However, other tools, such as the family tree that shows relationships, and health sharing are still available.
At 23andMe, What Can You Do?
Truthfully, I’ve been a hair’s breadth from deleting all of my tests at 23andMe for days. I manage two tests of my own and other relatives’ too.
23andMe has never been committed to genealogy and was always the least useful site for me. Having said that, I have had some close and very useful matches there that aren’t elsewhere.
I’m certainly never testing there again, but I really don’t want to give up on 23andMe altogether, at least not yet. I’ve already paid for several tests, and I would lose valuable information today, and the potential of the same in the future.
We can’t undo any damage that has already been done. That ship has sailed. However, we can take steps to protect ourselves, both today and tomorrow. In other words, we have options other than deleting our tests.
I’ve decided to pause, at least for now.
The Pause Strategy
Only you can protect yourself by selecting a unique, strong password. Not just at 23andMe, but every site you use on the internet for any purpose.
Until and unless 23andMe requires 2FA, you need to decide on a strategy to protect yourself from other people’s negligence.
You don’t have to permanently delete your tests. Instead, you can disable DNA Relatives, which means matching.
I’ve opted out of DNA Relatives while waiting to see what happens as 23andMe works through this quagmire. That means that I’m not participating directly in matching anymore. I’ve also opted all of the tests I manage out as well. I can always opt back in when this problem is resolved, if that ever happens.
Opting-Out of DNA Relatives
Here’s how to opt out.
Under the Ancestry tab, select DNA Relatives.
Click on Edit profile.
Scroll all the way to the very bottom.
At the bottom, click on “I would like to stop participating in DNA Relatives.”
I clicked on “Finish,” then verified that this profile is not shown as a match.
My profile prior to disabling DNA Relatives looked like this:
These same fields after disabling DNA Relatives.
Unfortunately, it does not appear that you can disable Connections broadly.
Apparently, you need to disable Connections one by one. I know that Connections can still see you, but they can’t see everything. You can find instructions here.
What I’d really like is an “invisibility” function that simply stops all sharing by making me invisible until I want to be visible again, without deleting my accounts. I’m more than a little irritated that connections remained, other than within the accounts I actually manage.
I still have not decided if I will eventually retain or delete my accounts, but disabling DNA Relatives helps somewhat and buys me some pause time while I make a final decision about 23andMe.
Your decision may not be as difficult. In addition to my genealogy research, I depend on my accounts at the various vendors for instructional articles for my blog.
Minimum Two Steps
No matter what else you do, implement the following NOW:
- Use a unique, difficult-to-guess, strong password at every vendor. Here and here are some ideas and guidelines for strong passwords.
- Turn on two-factor authentication (2FA).
- If you did not previously use a unique password at 23andMe, presume your data was compromised.
- If you have to assume your data was compromised, be hyper-vigilant of anything unusual or strange.
- Check to see if your email address associated with 23andMe received a DNA file download request that you did not initiate, and if so, notify 23andMe immediately at customercare@23andme.com or 1-800-239-5230.
Other Companies
Other DNA testing companies are taking precautions and reviewing safeguards. Some have or may disable some features as they move through the process. Don’t be angry if a feature you depend on is gone for now.
The situation is changing very rapidly. I don’t know if the changes at the vendors, including 23andMe, will be permanent, and the companies probably don’t yet either.
Right now, overall, patience is the word as this mess sorts itself out – but while being patient, be sure to review your own safeguards and follow safe online practices.
_____________________________________________________________
Follow DNAexplain on Facebook, here.
Share the Love!
You’re always welcome to forward articles or links to friends and share on social media.
If you haven’t already subscribed (it’s free), you can receive an email whenever I publish by clicking the “follow” button on the main blog page, here.
You Can Help Keep This Blog Free
I receive a small contribution when you click on some of the links to vendors in my articles. This does NOT increase the price you pay but helps me to keep the lights on and this informational blog free for everyone. Please click on the links in the articles or to the vendors below if you are purchasing products or DNA testing.
Thank you so much.
DNA Purchases and Free Uploads
- FamilyTreeDNA – Y, mitochondrial and autosomal DNA testing
- MyHeritage DNA – Autosomal DNA test
- MyHeritage FREE DNA file upload – Upload your DNA file from other vendors free
- AncestryDNA – Autosomal DNA test
- AncestryDNA Plus Traits
Genealogy Products and Services
- MyHeritage FREE Tree Builder – Genealogy software for your computer
- MyHeritage Subscription with Free Trial
- Legacy Family Tree Webinars – Genealogy and DNA classes, subscription-based, some free
- Legacy Family Tree Software – Genealogy software for your computer
- Newspapers.com – Search newspapers for your ancestors
- NewspaperArchive – Search different newspapers for your ancestors
My Book
- DNA for Native American Genealogy – by Roberta Estes, for those ordering the e-book from anyplace, or paperback within the United States
- DNA for Native American Genealogy – for those ordering the paperback outside the US
Genealogy Books
- Genealogical.com – Lots of wonderful genealogy research books
- American Ancestors – Wonderful selection of genealogy books
Genealogy Research
- Legacy Tree Genealogists – Professional genealogy research
