23andMe hacked: Was my ancestry or DNA data impacted?

At least 6.9 million users of 23andMe’s services have had their data accessed by hackers. That number is roughly half of 23andMe’s estimated 14 million user base. The original hack happened in October, but it was not publicly known just how many users were affected until this week.

According to a Securities and Exchange Commission (SEC) filing by 23andMe, the October hack originally accessed “a very small percentage (0.1%) of user accounts” by using compromised usernames and passwords from other sites that were the same as what the users had for their 23andMe accounts.

Though 23andMe did not give an exact number of user accounts that were originally affected, the company says on its website that it has 14 million users, so 0.1% of the total user base equals approximately 14,000 users.

So how did the hack expand from the thousands to affect 6.9 million users?

As The New York Times reports, some of those hacked had opted in to a 23andMe feature called “DNA Relatives,” which allows users to share some of their information with other users who could have similar DNA, suggesting an ancestry connection. The hackers used this sharing connection to gain access to millions of more users’ data—around 5.5 million more. Data from another 1.4 million users participating in the DNA Relatives feature was also accessed via 23andMe’s Family Tree profile information.

Was my data accessed and what do I do if it was?

If you are a 23andMe user who opted in to the DNA Relatives feature, there is a good chance that your data may have been accessed. Data the hackers were able to obtain included “ancestry information” and “health-related information based upon the user’s genetics,” according to the company’s SEC filing. The Times report says that other data—including the user’s display name, when they last logged in to their account, geographic location, year of birth, and any photos they uploaded—may have also been accessed.

If your 23andMe data has been compromised, you’ll get a notification from the company, according to a 23andMe blog post. 23andMe did not give a time frame for when affected users will be notified by. The company will also now require all users to set up two-factor authentication in order to log into their accounts.

Reached for comment by Fast Company, a 23andMe spokesperson said, “Note, we do not have any indication at this time that there has been a data security incident within our systems or that 23andMe was the source of the account credentials used in these attacks. Our investigation indicates threat actors were able to access certain accounts in instances where users recycled login credentials—that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.”

In a statement to the Times, 23andMe also said, “We have not learned of any reports of inappropriate use of the data after the leak.”

Unfortunately, the statement doesn’t provide any meaningful assurance to those who have had their genetic data stolen that there won’t be inappropriate use of it in the future.

https://www.fastcompany.com/90993015/23andme-hacked-data-breach-dna-what-to-do?partner=rss&utm_source=rss&utm_medium=feed&utm_campaign=rss+fastcompany&utm_content=rss