Everything You Need To Know About The 23andMe Data Breach
Latest Posts
Table of Contents
Everything You Need To Know About The 23andMe Data Breach
Date of Content: November 25, 2023
Written by: Avanthika Nityanand
Reviewed by: Maarit Tiirikainen, PhD
In early October, a significant security incident was reported involving 23andMe. A hacker claimed to be selling account information from the service. This compromised data purportedly included details of approximately one million users of Ashkenazi Jewish descent and an additional 100,000 users of Chinese descent. As the situation developed, by mid-October, it was revealed that around four million more accounts of a general user base were also affected.
The breached data encompasses information such as display names, birth years, sex, and certain aspects of genetic ancestry results. However, it is important to note that the actual genetic data was not part of this breach.
In this article, we attempt to inform both affected and unaffected users on the best recourse and how you can secure your personal information in the future.
What Happened And How?
23andMe recently disclosed details about a data breach through a blog post. The company identified “credential stuffing” as the method of attack. This technique involves exploiting previously leaked usernames and passwords from other data breaches, operating under the assumption that many users recycle their passwords across different platforms.
The initial signs of this breach were somewhat obscure. In August, a hacker claimed on a forum to have accessed a staggering 300 terabytes of 23andMe user data. This claim initially didn’t garner much attention. However, by early October, the situation escalated when a sample of the data was posted on a different forum. This sample allegedly contained information on 1 million individuals of Ashkenazi Jewish descent, according to a statement given to The Washington Post by a 23andMe representative.
Subsequently, claims surfaced regarding the breach of data on 100,000 Chinese users. On October 18, the situation worsened when a post on the same forum claimed to have data on an additional 4.1 million users, reportedly including wealthy individuals from the U.S. and Western Europe.
23andMe suggests that the attackers may have exploited the “DNA Relatives” feature. This optional service allows users to connect with potential relatives on the platform by sharing their data. The attackers seemingly used successful login credentials to scrape information from the accounts, including data shared through the DNA Relatives feature.
What Is Credential Stuffing And Why Do Hackers Use It?
Credential stuffing is a type of cyber attack where hackers use stolen account credentials (usernames and passwords) obtained from a data breach at one service and try them on other services. This method exploits the common practice of people using the same password across multiple sites and accounts.
Here’s a breakdown of why hackers use this method:
- High Success Rate Due to Common Reuse of Passwords: Many people use the same password for multiple accounts. This habit increases the likelihood that a username and password combination obtained from one breach will work on other sites.
- Automated and Efficient: Hackers use automated tools to test stolen credentials at scale across many websites and services. These tools can try thousands of username and password combinations on numerous sites in a short time.
- Access to Valuable Data: Successful credential stuffing can give hackers access to a wealth of personal information, including financial data, personal identifiers, and other sensitive information, which can be used for identity theft, financial fraud, or sold on the dark web.
- Low Barrier to Entry: The tools and stolen credentials needed for credential stuffing are readily available on the dark web, making it relatively easy for even less-skilled hackers to execute these attacks.
- Difficult to Detect: Since credential stuffing uses valid login credentials, these attacks can sometimes bypass standard security measures and are harder to detect compared to brute force attacks, where random combinations are tried.
A simple way to protect your data from credential stuffing is to use unique passwords for each of your online accounts. Only sign up for websites of organizations or companies that implement security measures such as multi-factor authentication, monitoring login attempts, and educating users about safe password practices.
How To Protect Your 23andMe Account?
In the wake of the recent data breach at 23andMe, if you are concerned that your data might be included in the stolen dataset, immediate action is essential.
While it’s impossible to retrieve the compromised data or verify if your details are part of the breach, you can enhance your account’s security to prevent future issues.
Here’s what you can do:
- Change Your Password: 23andMe now mandates all users to update their passwords. Ensure your new password is unique and strong. Using a password manager can simplify this process and also help you track if your passwords have been part of any breach. Remember, each site should have a different password.
- Enable Two-Factor Authentication (2FA): Activate 2FA on your 23andMe account. This adds an extra layer of security, requiring not only your username and password but also a code from a 2FA app (like Authy or Google Authenticator) to access your account. Follow the instructions provided by 23andMe to set this up.
- Review Your Display Name in DNA Relatives: Consider changing your display name to just your initials, or if you don’t actively use the DNA Relatives feature, think about disabling it altogether.
While these measures might not fully shield you from all potential privacy concerns, they significantly enhance your account’s security against known threats and vulnerabilities.
Deleting Your 23andMe Raw Data
Your genetic data is one of your most private information. While having your genetic data has numerous benefits, it comes with some drawbacks, with data security being one of the biggest.
While this recent data breach did not reveal your actual genetic data, if you are concerned about the safety of your 23andme raw data, one of the best things to do is to delete it from your account. But don’t forget to download the information first! Here is how you can do that.
Other Data Breaches
Data breaches are unfortunately not uncommon in the digital age, and companies that handle sensitive personal information, including genetic data, have been targets in the past. Prior to the 2023 23andMe incident, there have been other notable breaches involving genetic testing and personal health information companies.
For instance, in 2018, MyHeritage, a DNA testing and ancestry service company, experienced a breach that affected over 92 million user accounts. The compromised data included email addresses and hashed passwords. Similarly, in 2019, it was reported that Veritas Genetics, a DNA testing company, experienced a data breach where a customer-facing portal was accessed by an unauthorized user.
These incidents, along with the 23andMe breach, underscore the cybersecurity risks that come with storing and managing large amounts of sensitive personal data. They highlight the importance of robust security measures and the ongoing challenge of protecting against sophisticated cyber attacks.
How Does LifeDNA Protect Your DNA Data?
At LifeDNA we have never had a data breach or any loss of customer privacy or information. We are proud of this and constantly update our security measures to match our own high standards.
We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. All information you provide to us is stored on our secure servers behind firewalls. Any payment transactions will be encrypted using SSL technology.
We encourage all our users and potential users to watch the video below from Jeremiah Grossman, Security Adviser at LifeDNA.
References
- https://www.bloomberg.com/news/articles/2019-11-06/breach-at-dna-test-firm-veritas-exposed-customer-information
- https://www.washingtonpost.com/news/the-switch/wp/2018/06/05/ancestry-service-myheritage-says-92-million-customer-email-addresses-were-exposed/
- https://blog.23andme.com/articles/enhanced-customer-security-at-23andme-with-2-step-verification
- https://www.imperva.com/learn/application-security/credential-stuffing/
- https://www.cshub.com/attacks/news/23andme-hacker-leaks-data
- https://www.washingtonpost.com/technology/2023/10/06/23andme-hacked-data/
- https://www.wired.com/story/23andme-credential-stuffing-data-stolen/
Customer Reviews
* LifeDNA is not associated with the above company.
*Understanding your genetics can offer valuable insights into your well-being, but it is not deterministic. Your traits can be influenced by the complex interplay involving nature, lifestyle, family history, and others.
Our reports have not been evaluated by the Food and Drug Administration. The contents on our website and our reports are for informational purposes only, and are not intended to diagnose any medical condition, replace the advice of a healthcare professional, or provide any medical advice, diagnosis, or treatment. Consult with a healthcare professional before making any major lifestyle changes or if you have any other concerns about your results. The testimonials featured may have used more than one LifeDNA or LifeDNA vendors’ product or reports.
