Published on

Hackers stole ancestry data of 6.9 million users, 23andMe finally confirmed

Authors
  • avatar
    Name
    Steve Manning
    Twitter

23andmelogo

Addressing Data Security Concerns

Update: December 1, 2023 3:45 PM PST

23andMe has completed its investigation, assisted by third-party forensics experts. We are in the process of notifying affected customers, as required by law.

We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers. The company will continue to invest in protecting our systems and data.

Updated: November 6, 2023 7:45 AM PST

Starting today, we are requiring all customers to utilize email 2-step verification (2SV) as an added layer of protection for their account. New customers will be automatically enrolled in email 2SV when they create their account. Existing customers who do not already use an authenticator app will also be automatically enrolled in email 2SV, and will receive an email containing their verification code at their next sign-in. You can read more on our blog post.

Update: October 20, 2023 9:35 PM PST

As part of the ongoing security investigation, we have temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect the privacy of our customers.

Update: October 9, 2023 8:25 PM PST

What actions has 23andMe taken?

Our investigation continues and we have engaged the assistance of third-party forensic experts. We are also working with federal law enforcement officials.

We are reaching out to our customers to provide an update on the investigation and to encourage them to take additional actions to keep their account and password secure. Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA).

If we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information.

Please continue to follow this blog for updates as our investigation continues.

We recently learned that certain 23andMe customer profile information that they opted into sharing through our DNA Relatives feature, was compiled from individual 23andMe.com accounts without the account users’ authorization.

After learning of suspicious activity, we immediately began an investigation. While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.

We believe that the threat actor may have then, in violation of our Terms of Service, accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service.

Committed to Safety and Security 23andMe is committed to providing you with a safe and secure place where you can learn about your DNA knowing your privacy is protected. We are continuing to investigate to confirm these preliminary results. We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.

At 23andMe, we take security seriously. We exceed industry data protection standards and have achieved three different ISO certifications to demonstrate the strength of our security program. We actively and routinely monitor and audit our systems to ensure that your data is protected. When we receive information through those processes or from other sources claiming customer data has been accessed by unauthorized individuals, we immediately investigate to validate whether this information is accurate. Since 2019 we’ve offered and encouraged users to use multi-factor authentication (MFA), which provides an extra layer of security and can prevent bad actors from accessing an account through recycled passwords.

Recommendations We encourage our customers to take as much action to keep their account and password secure. Out of caution, we recommend taking the following steps:

Confirm you have a strong password, one that is not easy to guess and that is unique to your 23andMe account. If you are not sure whether you have a strong password for your account, reset it by following the steps outlined here. Please be sure to enable multi-factor authentication (MFA) on your 23andMe account. You can enable MFA by following the steps outlined here. Review our Privacy and Security Checkup page with additional information on how to keep your account secure. 23andMe is here to support you. Please contact Customer Care at customercare@23andme.com if you need assistance with navigating these important steps to protect your account.