Site icon DNAeXplained – Genetic Genealogy

23andMe Concludes Their Investigation – 6.9 Million Customers’ Data Exposed

Roberta Estes

On October 10th, 23andMe filed a document with the SEC stating that a “threat actor” (hacker) had accessed about 0.1% of their user accounts. That amounts to about 14,000 compromised users, according to their May 2023 earnings report where they state that they have about 14 million users. In addition, the hacker accessed their matches, and potentially matches of matches, through DNA Relatives.

I wrote about the initial compromise in three articles as information unfolded.

  1. 23andMe User Accounts Exposed – Change Your Password Now
  2. The 23andMe Data Exposure – New Info, Considerations and A Pause Strategy
  3. 23andMe: DNA Relatives, Connections, Event History Report and Other Security Tools

I expected that 23andMe would provide additional information directly to their customers as their investigation proceeded and concluded.

They have not published a new blog article nor notified customers directly.

They updated their original October 6th blog article on both December 1st and 5th, stating that their investigation has concluded and the results.

23andMe stated that:

This is a bit confusing because they already HAD notified many people of the original compromise event, that their data had been affected, and forced a password reset. I’m unclear whether this means an additional notification will be sent, or that the earlier notification is what they were referencing.

I’m also curious about the “as required by law” comment, as laws vary widely between countries and even states sometimes. Are they only notifying people to the extent required by law where the customer lives? This would seem both impractical and confusing when some people receive breach notices, and others do not when both are equally affected. Or is 23andMe trying to say they are complying with applicable laws?

This is also confusing because, in additional details, 23andMe states that the hacker (threat actor) “used the compromised credential stuffed accounts to access the information included in approximately 5.5 million DNA Relatives profiles and 1.4 million Family Tree features profiled, each of which were connected to the compromised accounts.”

The math doesn’t add up. Every test (account) has one AI-generated family tree. If 1.4 million family trees were exposed, and each fully compromised account has one family tree, doesn’t that mean that (minimally) 1.4 million accounts were exposed, not 14,000? That’s 100 times more than 14,000 accounts. Is the decimal in the wrong place?

Is 23andMe perhaps counting the number of people in those trees? I find it difficult to believe that everyone’s trees have 100 people. Mine only has 15 people, and all of them are my highest matches on my DNA Relatives match list, so they are already included in that breach number of 5.5 million. Assuredly, 23andMe is not double counting exposed individuals, so they would not be counted in both places.

Adding together 1.4 million family trees and 5.5 million exposed DNA Relatives, a total of 6.9 million customers have had data exposed in this breach. Apparently,1.4 million people were directly exposed, or their trees could not have been exposed because no one can see your 23andMe-provided tree other than you, and 5.5 million exposures via DNA Relatives matching. Exposed information would have also included your matches matching each other, even if their accounts were not directly compromised.

6.9 million is approximately half of the 23andMe 14 million total customers.

What 23anMe doesn’t say is how many customers, of the 14 million total, actually participate in DNA Relatives. Many of their customers only test for health and traits information, and do not opt-in to DNA matching. Those customers would NOT have trees generated, so would NOT be included in that 1.4 million trees generated, nor the 5.5 million exposed DNA Relatives. Those customers would be in addition to those numbers.

To be clear, you can’t assume that you’re in the clear just because you’re not using the genealogy aspect of 23andMe. Of course, it’s very unlikely that any customers not involved with genealogy will ever see this article.

Protections

23andMe has implemented additional industry-standard security protections for customers to prevent a recurrence.

Why This Matters

I realize that many people are very unhappy about 2FA, MFA, or 2SV, which are different names for the same thing. However, given the magnitude of this exposure, it’s the responsible step for 23andMe to take.

Those techniques are based on something you know plus something you have or have access to. The something you know is your sign-in and password, and the something you have access to is your phone or email to retrieve a code. A bad actor, unless they stole your phone or have also compromised your email account, won’t be able to obtain the six-digit 2FA number mailed or texted to you.

I know this is somewhat inconvenient, but I’d like to explain why this level of security matters.

Let me give you a brief example. Let’s say that I’m a Jewish person, and the threat actor is interested in harming Jewish people. Based on my ethnicity, I can be clearly identified as Jewish. Therefore, my children and closest relatives can also be identified as Jewish. The tree generated by 23andMe tells the hacker how people fit together, and my closest relatives are clearly identified.

Their names are exposed along with, potentially, their locations, photo, birth year, and other clearly personally identifying information.

Don’t want to think about this in terms of Jewish people? Think about it in terms of any “us versus them” discriminatory situation or even in terms of a domestic violence perpetrator or a stalker gaining access to your children’s information.

Now think about identity theft, which seems benign in comparison to your safety and being targeted, but identity theft is still a very real threat and can wreck your life.

The bad actor (and anyone who buys the compromised data – your information) has enough information to do serious harm, one way or another, depending on their motives, to every person whose information they obtain.

That information may be for sale on the dark web or in some data dump somewhere. We don’t know and will never know who has it and their motivation for obtaining it.

Even if you don’t personally care what is exposed about you – due to trees and matches and information that is typically NOT exposed publicly – you’re connected via matching to OTHER PEOPLE whose data has been exposed because they match you – and your data was breached. Like it or not, we’re all in this together.

Genetic genealogy is a team sport. That’s why we love it. That’s why the hacker loves it, too. So do the hacker’s “customers.”

Most websites have moved or will be moving to 2FA shortly. All “social sites” where people interact with each other one way or another are major targets and are moving in the 2FA direction, too. Just this past week, a dear friend’s entire Facebook account was hacked and subsequently permanently disabled, meaning it’s gone, forever, all within 15 minutes. He lost 11 or 12 years of his life, journaled, along with MANY family and other photos that are no longer on his phone or anyplace else.

All of this pales in comparison to what would happen to your bank account, retirement account, or other financial vehicles. If someone reuses passwords in multiple locations, they are likely to continue the behavior across several accounts because they want to be able to remember the password. This increases the chances DRAMATICALLY of becoming a victim.

2FA is a new way of life that protects us all, and yes, it’s inconvenient, but then again, so are seat belts, and everyone wears those.

Don’t blame the companies who are trying to keep us safe, often in spite of ourselves. Companies certainly don’t relish the idea of angering or inconveniencing their customers, which is probably why they didn’t do it sooner. Blame the bad actors who necessitate this step.

Terms of Service Change

While 23andMe didn’t directly notify customers about the results of their investigation, that it is over, or the people whose accounts were directly compromised – they have sent emails about a change in their terms of service (TOS).

23andMe has upgraded their TOS (terms of service), here, to include mandatory arbitration of disputes, which precludes jury trials or class action lawsuits. In all caps, no less.

And yes, if you’re wondering, class action lawsuits have now been filed in both the US and Canada.

I’m not a lawyer, but based on the language, the new TOS appear to affect all 23andMe customers going forward UNLESS YOU NOTIFY 23andME OTHERWISE.

I received this email on December 5th for one of the tests I manage, and it states that the updated TOS go into effect in 30 days UNLESS YOU NOTIFY 23andME, in which case you will be held to the earlier terms.

Here’s the applicable section, as provided by 23andMe in the Dispute Resolution portion of their TOS, here.

If you do NOT agree, click the “notify us” link in the email, which opens a new email to legal@23andme.com to notify 23andMe.

Remaining Unanswered Questions

23andMe stated that they learned about this breach in early October, but as reported in my earlier articles, some of their customers’ data was reportedly available for sale as early as August 2023. 23andMe does not mention this, so we don’t know if that is a different breach, or if those numbers are included in the 6.9 million 23andMe customers whose accounts have been compromised.

I’d like to know if my account was actually compromised, meaning signed in to, or was my account compromised solely through DNA Relatives matching? It makes a difference in terms of how much of my and my family’s information is exposed.

I assumed that 23andMe would provide people with additional information, but to the best of my knowledge, they have not. Has anyone received an email telling you that your account was personally compromised, meaning signed in to? My notification from 23andMe and the others I’ve seen all say the same as mine, sent in late October, below.

After further review, we have identified your DNA Relatives profile as one that was impacted in this incident. Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.

Based on our investigation so far, we believe only your DNA Relatives profile attributes were exposed.

Did anyone receive an email that says their account was one of those directly compromised, meaning NOT through DNA Relatives?

Return of Features

Many people have been asking about the return of features that were “temporarily” disabled.

Sadly, 23andMe has provided no update on this topic.

Unfortunately, these features include nearly all of the tools that genealogists use, except for individual matching, the 23andMe-created genetic tree, and haplogroups.

We’ve lost the ability to determine how our matches match us through shared matching or triangulation. We now have no way to determine which side, maternal or paternal, a match is on because we can’t tell who else they match or “how” we match them.

I know that genealogy hasn’t been a priority for 23andMe for some time. Medical research is their focus. On October 30th, 2023, 23andMe signed another $20 million one-year deal, plus potential future drug royalties, with GSK for access to the 23andMe database of customers who have consented to medical research.

Genealogists have been an important source of testers in the past because many opted-in for medical and drug research. However, unless 23andMe returns the genealogy functionality, they’ve removed nearly all incentives for genealogists to test there.

If genealogists can’t do genealogy, why would genealogists purchase or recommend their test?

I’m glad I did not repurchase the updated DNA test that would allow me to subscribe to a premium membership to receive 5000 matches instead of 1500 matches. Initially, that membership required purchasing a new test, plus $29 per year, but the membership has now been raised to $69 per year. In August 2023, when their original agreement with GSK expired, 23andMe raised their test prices and laid employees off. I wrote about the August changes here.

Of course, that was about the same time as the original August data exposure, which was followed by the October data exposure, assuming those are two discrete events. 23andMe was clearly experiencing significant financial difficulties, and the 1-2 million spent on the data exposure investigation would have added to those woes.

Regardless, without tools, matches simply aren’t useful. There has been no mention of refunds to people who have subscribed and cannot effectively use the higher level of matches they are receiving. Those of us who haven’t subscribed can’t use ours either.

At this point, 23andMe would be my last testing choice of the four major vendors. I probably wouldn’t recommend them unless someone is searching for an immediate family match, such as an unknown parent or close relatives, and has been unsuccessful elsewhere. Without genealogy tools, unless 23andMe can place a match in the genetic tree they provide, or the match is either very close or previously known, there’s no way to determine how you are related.

Clearly, the investigation and security measures had to be their #1 priority, and patience was in order. But now that the investigation is complete, I hope 23andMe gets this straightened out, returns functionality, and provides additional information to their customers soon

______________________________________________________________

Sign Up Now – It’s Free!

If you appreciate this article, subscribe to DNAeXplain for free, to automatically receive new articles by email each week.

Here’s the link. Just look for the black “follow” button on the right-hand side on your computer screen below the black title bar, enter your e-mail address, and you’re good to go!

In case you were wondering, I never have nor ever will share or use your e-mail outside of the intended purpose.

_____________________________________________________________

Follow DNAexplain on Facebook, here.

Share the Love!

You’re always welcome to forward articles or links to friends and share on social media.

If you haven’t already subscribed (it’s free,) you can receive an email whenever I publish by clicking the “follow” button on the main blog page, here.

You Can Help Keep This Blog Free

I receive a small contribution when you click on some of the links to vendors in my articles. This does NOT increase the price you pay but helps me to keep the lights on and this informational blog free for everyone. Please click on the links in the articles or to the vendors below if you are purchasing products or DNA testing.

Thank you so much.

DNA Purchases and Free Uploads

Genealogy Products and Services

My Book

Genealogy Books

Genealogy Research

Exit mobile version