A hacker claims to have hijacked profile information of “millions” of users from the popular genetic testing site 23andMe.com.
What’s at risk? Some of the most personal info possible. Exactly which profile info was exposed varies by user, by which plans and services they selected, and by how the hacker accessed it. Yet it potentially includes personal info like name, sex, birth year, current location, and some details about genetic ancestry and health results.
23andMe continues to keep its users informed of the hijacked accounts on its blog. As of October 9, they shared the following:
“While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.”
Currently, it appears that 23andMe’s systems weren’t breached. Rather, credential reuse appears to be to blame: people who used the same already-compromised passwords on 23andMe as on other sites had their accounts taken over.
However, the attacker also gained access to info from many users whose own accounts were not compromised but who had opted in to the DNA Relatives feature. According to 23andMe, DNA Relatives works like so:
If you choose to opt in and participate in DNA Relatives, all your matches will be able to view the following information about you:
- Your display name.
- Your profile gender.
- Your profile picture.
- Your predicted relationship.
- The percent DNA and number of segments you share, but not the location of those segments.
- Relatives in common.
This widens the impact of the attack yet more. A compromised account may contain info about uncompromised accounts when both parties have opted in to the DNA Relatives feature. In this way, one hack potentially leads to broader information leakage, even if the other users have secure passwords.
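As an added illustration (not 23andMe’s code or data) of the exposure chain described above, and of the DNA Relatives opt-out mentioned later in the post, the following Python model uses constructed users, passwords, match lists and a constructed credential dump to count how many profiles become readable when a few recycled passwords are tried against the accounts:

```python
# Added model (not 23andMe's code or data) of the DNA Relatives exposure chain.
from dataclasses import dataclass, field, replace

# Fields a DNA Relatives match can see, per the list 23andMe published.
RELATIVES_FIELDS = ("display name", "profile gender", "profile picture",
                    "predicted relationship", "percent DNA shared", "relatives in common")

@dataclass
class User:
    name: str
    password: str              # constructed; in clear only for this model
    dna_relatives: bool        # opted in to DNA Relatives
    matches: set = field(default_factory=set)  # relatives shown to this user
# Constructed sample accounts; matches exist only between opted-in users.
USERS = [
    User("alice", "Summer2019!", True, {"bob", "carol"}),
    User("bob", "correct-horse-battery", True, {"alice"}),
    User("carol", "Tr0ub4dor&3", True, {"alice"}),
    User("dave", "Summer2019!", False),          # same recycled password, opted out
    User("erin", "new-unique-pass", True, {"frank"}),
    User("frank", "another-unique-pass", True, {"erin"}),
]
# Constructed stand-in for a credential dump from an earlier breach elsewhere.
LEAKED = {("alice", "Summer2019!"), ("dave", "Summer2019!"), ("erin", "hunter2")}

def stuffed_accounts(users, leaked):
    """Accounts a credential-stuffing run opens: the leaked pair still works here."""
    return {u.name for u in users if (u.name, u.password) in leaked}

def exposed_profiles(users, compromised):
    """Compromised accounts plus the opted-in matches of each opted-in one; every
    name returned has its RELATIVES_FIELDS readable by the attacker."""
    by_name = {u.name: u for u in users}
    exposed = set(compromised)
    for name in compromised:
        owner = by_name[name]
        if owner.dna_relatives:
            exposed |= {m for m in owner.matches if by_name[m].dna_relatives}
    return exposed

def opt_out(users, name):
    """The post's mitigation: leaving DNA Relatives removes you from every match
    list, so a later takeover of a relative's account reveals nothing about you."""
    return [replace(u, dna_relatives=False, matches=set()) if u.name == name
            else replace(u, matches=u.matches - {name}) for u in users]

if __name__ == "__main__":
    hit = stuffed_accounts(USERS, LEAKED)
    print("taken over via recycled passwords:", sorted(hit))
    print("profiles readable through DNA Relatives:", sorted(exposed_profiles(USERS, hit)))
    print("after carol opts out:", sorted(exposed_profiles(opt_out(USERS, "carol"), hit)))
```

Only two accounts fall to the recycled password, yet four profiles become readable; erin, who rotated her leaked password, and bob and carol, who never reused one, show how the damage depends on other people’s hygiene unless they opt out.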
Per reports, the hacker claiming responsibility has offered the data for sale on a dark web forum. As an apparent example of how the data can be packaged, the hacker listed alleged data of one million Ashkenazi Jewish users—people of Central or Eastern European Jewish descent. Another listing has reportedly offered 100,000 alleged records of people of Chinese descent.
What steps has 23andMe taken to protect its users?
Per the company’s statement on its blog, “If we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information.” Moreover, the company said,
“Our investigation continues and we have engaged the assistance of third-party forensic experts. We are also working with federal law enforcement officials.
We are reaching out to our customers to provide an update on the investigation and to encourage them to take additional actions to keep their account and password secure. Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA).”
Additionally, we suggest you take those steps and more.
The three steps every 23andMe user must take right away.
As unsettling as this news may be, 23andMe users can take the following steps. They’ll secure your accounts moving forward and help you fend off attempts at identity theft.
- Change your passwords immediately: Given the attack, 23andMe has forced all its users to reset their passwords. However, changing passwords is not enough. Every password must be strong and unique. For every account. If that sounds like a task, a password manager can help. It creates strong, unique passwords—and stores them securely. This way, you can avoid falling victim to attacks where bad actors try to use passwords stolen from one account to break into another. That’s the beauty of no-repeat passwords.
- Use multi-factor authentication (MFA): Many online accounts offer MFA, also known as 2-factor authentication or 2FA. It adds an extra step to the login process, such as sending a six-digit code to your phone with a call or text. If your accounts support this, use it. It makes it far more difficult for hackers to break into your account—even if they end up with your password. Also, never provide an authentication number to anyone else. It’s yours, and yours alone. Treat it like the secret code it is. Specific to 23andMe users, you can enable MFA with the instructions on this page.
- Monitor your identity, credit, and transactions: In the wake of any attack where your personal info might be at risk, keep an eye on all things you. Your bank accounts, credit cards, online finances, and your credit rating. Hackers view personal info as a gold mine. Rightly so. With it, they can go on to compromise other accounts or commit other identity crimes. Like file insurance claims or open new lines of credit in your name. Comprehensive online protection software can help you spot unauthorized account activity, changes in your credit report, or if your personal info winds up on the dark web. It saves you hours and hours of effort, and it gives you assurance that all’s well with a quick glance.
Look into identity theft protection
Our Identity Theft & Restoration Coverage can help you set things straight if identity theft happens to you. Licensed recovery experts can take steps to repair your identity and credit. Further, you gain up to $2 million in coverage for lawyer fees, travel expenses, and stolen funds reimbursement. This offers you stronger assurance and lifts the time and financial burden of identity theft off your shoulders.
And for everyone, consider what you share online.
Far beyond 23andMe users, everyone who goes online should take note of this attack. Which is pretty much all of us. It makes one of the strongest cases for strong, unique passwords—and for limiting the info you share online. In this case, even a secure password was no help in protecting the personal info of millions of people.
If you’re a 23andMe user, you can opt out of DNA Relatives by selecting the Manage Preferences option within DNA Relatives or from your Account Settings page. Granted, this will remove your ability to gain deeper genetic insights from other users, yet it will offer additional protection if a similar attack occurs.
For all of us, sharing and storing personal info is a fact of life online. The more you share and store online, the more risk you take on. And you have some control over that.
Consider what you’re sharing, who you’re sharing it with, what they do with that info, who they share it with, and in what form and circumstances. Yes, that’s a lot to consider. Complicating that yet more, many of the sites, services, and apps we use don’t make it easy to answer those questions. Terms of service and data policies rarely make for light and understandable reading.
Luckily, you can turn to trustworthy resources to get answers. The Common Sense Privacy Program evaluates privacy policies with K-12 students in mind. The Mozilla Foundation’s Privacy Not Included website scores connected products for privacy, including apps, smart home devices, and cars.
In an otherwise murky landscape, the privacy question is this: is the reward worth the risk? If you share that info, are you okay with someone unwanted accessing it? Particularly if the privacy risks are tough to spot.
Put simply, less sharing means more privacy. Put careful thought into when and where you share. And with whom.
Shut down your old accounts for yet more privacy and security.
On that note, it might be time for a cleanup.
We’ve logged into all kinds of things over the years. Many of which we don’t log into anymore. And others we’ve completely forgotten about. Across these forums, sites, and stores, you’ll find your personal info to some degree or other. If one of those sites gets compromised, your personal info stored there might get compromised too. That gives you a solid reason to delete those old accounts.
A tool like our Online Account Cleanup can help remove your info from online accounts. You’ll find it in our online protection software, along with our Personal Data Cleanup—which helps remove your personal info from risky data broker sites. It shows you where your personal info was found, and what data the sites have. Depending on your plan, it can help clean it up.
The 23andMe compromised data—a wakeup call for all of us.
The 23andMe story continues to develop. Yet we’ve already (re)learned a big lesson from all of this. Strong, unique passwords are an absolute must. And the stakes for online privacy have never been higher.
Today we entrust the internet with so much, which increasingly includes our health and wellness info, not to mention genetic info with services like 23andMe. Taking the steps outlined here can help you protect yourself from invasions of privacy and the loss of personal info. And as we’ve seen, protect others too. Consider them whether you’re a 23andMe user or not.
Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.