In October, a hacker claimed to have hijacked profile information of users from the popular genetic testing site 23andMe.com. Now the company has put a figure to that – some 6.9 million people. Roughly half of 23andMe’s user base.
What’s at risk? Some of the most personal info possible. Per the company’s statement to Techcrunch, this included “the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location” for roughly 5.5 million people who opted into the “DNA Relatives” feature, which automatically shares some information with other users who opted in. Another 1.4 million users had their “Family Tree information accessed.” This includes display names, relationship labels, birth year, self-reported location and whether the user decided to share their information.
Just as we reported initially in October, the source of the breach appears to revolve around compromised passwords in an attack method known as “credential stuffing.” In plain terms, hackers take username and password pairs leaked from one site and “stuff” them into the login page of another, hoping the same pair works there too. It’s a prime example of the perils that can follow when people reuse passwords: a stolen password from one account can get “stuffed” into another and hand the hacker access.
Complicating the attack, and widening its scope immensely, is the DNA Relatives feature mentioned above. Because of the way it shares information between users, one compromised account can divulge the personal and genetic information of many more users – even if their own account and password were never compromised in the attack. In this way, a relative handful of compromised accounts affected some 6.9 million users.
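To make the two mechanisms above concrete for defenders, here is an added example (not 23andMe’s code, and not based on their logs): it runs a simple credential-stuffing detector over a handful of constructed login-log lines, then estimates the “blast radius” of the accounts the attacker actually got into by walking a made-up DNA Relatives sharing graph one hop outward. The log format, IP addresses, account names, thresholds and relationship graph are all hypothetical.

```python
"""Credential-stuffing detection over constructed auth logs, plus a one-hop
blast-radius estimate for a relatives-style sharing feature.

Added illustration only: every log line, address, account and threshold below
is made up. Real detectors also look at user agents, ASN, and per-account
history; this keeps to the core signal described in the article."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data).
# Fields: ISO timestamp, source IP, account, outcome (OK / FAIL)
AUTH_LOG = """\
2023-10-01T02:00:01 203.0.113.7 alice@example.com FAIL
2023-10-01T02:00:02 203.0.113.7 bob@example.com FAIL
2023-10-01T02:00:02 203.0.113.7 carol@example.com OK
2023-10-01T02:00:03 203.0.113.7 dave@example.com FAIL
2023-10-01T02:00:03 203.0.113.7 erin@example.com FAIL
2023-10-01T02:00:04 203.0.113.7 frank@example.com OK
2023-10-01T02:00:05 203.0.113.7 grace@example.com FAIL
2023-10-01T02:00:06 203.0.113.7 heidi@example.com FAIL
2023-10-01T09:15:00 198.51.100.4 alice@example.com FAIL
2023-10-01T09:15:20 198.51.100.4 alice@example.com OK
"""

# Hypothetical opt-in graph: account -> relatives whose profile data that
# account can see through the sharing feature.
RELATIVES = {
    "carol@example.com": {"ivan@example.com", "judy@example.com", "mallory@example.com"},
    "frank@example.com": {"judy@example.com", "oscar@example.com"},
    "alice@example.com": {"peggy@example.com"},
}


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=5, max_success_rate=0.5):
    """Return {ip: accounts_logged_into} for sources that look like credential
    stuffing: many *distinct* accounts tried from one IP inside a short window,
    with a low success rate. A normal user mistyping their own password touches
    one account, so they never reach min_accounts and are not flagged."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # tuples sort by timestamp first
        for i, start in enumerate(evs):
            accounts, successes = set(), set()
            for ev in evs[i:]:
                if ev[0] - start[0] > window:
                    break
                accounts.add(ev[2])
                if ev[3] == "OK":
                    successes.add(ev[2])
            if len(accounts) >= min_accounts and \
                    len(successes) / len(accounts) <= max_success_rate:
                flagged[ip] = successes  # the accounts the attacker actually opened
                break
    return flagged


def exposed_accounts(compromised, relatives):
    """Accounts whose data became readable: the compromised accounts themselves
    plus everyone they could see via sharing. One hop only: an attacker inside
    carol's account sees carol's matches, not her matches' matches."""
    exposed = set(compromised)
    for acct in compromised:
        exposed |= relatives.get(acct, set())
    return exposed


def analyze(log_text=AUTH_LOG, relatives=RELATIVES):
    """End-to-end: flag stuffing sources, collect the accounts they got into,
    then compute how many users' data they could read as a result."""
    flagged = detect_stuffing(parse_log(log_text))
    compromised = set().union(*flagged.values()) if flagged else set()
    return flagged, compromised, exposed_accounts(compromised, relatives)


if __name__ == "__main__":
    flagged, compromised, exposed = analyze()
    print("stuffing sources:", sorted(flagged))
    print(f"{len(compromised)} accounts compromised, {len(exposed)} users exposed")
```

With the constructed data, one source (203.0.113.7) tries eight accounts in a few seconds and gets into two; those two accounts expose four more users who never logged in from that address at all, which is the amplification the article describes. The lone failed-then-successful login from 198.51.100.4 is a single user and is left alone.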
What steps has 23andMe taken to protect its users? Per the company’s statement on its blog, “If we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information.” Moreover, the company said, “Our investigation continues and we have engaged the assistance of third-party forensic experts. We are also working with federal law enforcement officials. We are reaching out to our customers to provide an update on the investigation and to encourage them to take additional actions to keep their account and password secure. Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA).” Furthermore, in November, the company began requiring all users to use MFA to further secure their accounts, which had only been optional until that point.
The three steps every 23andMe user must take right away.
- Change your passwords immediately: Given the attack, 23andMe has forced all its users to reset their passwords. However, changing passwords is not enough. Every password must be strong and unique. For every account. If that sounds like a task, a password manager can help. It creates strong, unique passwords—and stores them securely. This way, you can avoid falling victim to attacks where bad actors try to use passwords stolen from one account to break into another. That’s the beauty of no-repeat passwords.
- Monitor your identity, credit, and transactions: In the wake of any attack where your personal info might be at risk, keep an eye on everything tied to you: your bank accounts, credit cards, online finances, and your credit rating. Hackers view personal info as a gold mine, and rightly so. With it, they can go on to compromise other accounts or commit other identity crimes, like filing insurance claims or opening new lines of credit in your name. Comprehensive online protection software can help you spot unauthorized account activity, changes in your credit report, or if your personal info winds up on the dark web. It saves you hours and hours of effort and gives you assurance that all’s well with a quick glance.
- Look into identity theft protection: Our Identity Theft & Restoration Coverage can help you set things straight if identity theft happens to you. Licensed recovery experts can take steps to repair your identity and credit. Further, you gain up to $2 million in coverage for lawyer fees, travel expenses, and stolen funds reimbursement. This offers you stronger assurance and lifts the time and financial burden of identity theft off your shoulders.
Users should also check the updated 23andMe terms of service for significant changes. In an otherwise murky landscape, the privacy question is this: is the reward worth the risk? If you share that info, are you okay with someone unwanted accessing it? Particularly if the privacy risks are tough to spot. Put simply, less sharing means more privacy. Put careful thought into when and where you share. And with whom.
If you’re a 23andMe user, you can opt out of DNA Relatives by selecting the Manage Preferences option within DNA Relatives or from your Account Settings page. Granted, this will remove your ability to gain deeper genetic insights from other users, yet it will offer additional protection if a similar attack occurs.
On that note, it might be time for a cleanup. A tool like our Online Account Cleanup can help remove your info from online accounts. You’ll find it in our online protection software, along with our Personal Data Cleanup—which helps remove your personal info from risky data broker sites.