In October, a hacker claimed to have hijacked profile information of “millions” of users from the popular genetic testing site 23andMe.com. Now the company has put a figure to that – some 6.9 million people. Roughly half of 23andMe’s user base.
What’s at risk? Some of the most personal info possible. Per the company’s statement to TechCrunch, this included “the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location” for roughly 5.5 million people who opted into the “DNA Relatives” feature, which automatically shares some profile information with other users the service identifies as genetic relatives.
Another 1.4 million users had their “Family Tree information accessed.” This included display names, relationship labels, birth year, self-reported location, and whether the user had decided to share their information.
Just as we reported initially in October, the source of the breach appears to revolve around compromised passwords in an attack method known as “credential stuffing.” In plain terms, hackers take username and password pairs stolen from one site and “stuff” them into the login forms of other sites, betting that some people reused the same password. It’s a prime example of the perils of password reuse: a password stolen from one account can unlock an unrelated account elsewhere, with no need to break into that second site at all.
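What credential stuffing looks like from the defender’s side is worth seeing concretely. The following is an added example, not code from 23andMe or from McAfee: it scans a constructed authentication log and flags sources that try many different usernames in a short window with mostly failures, which is the signature of a leaked credential list being replayed (a brute-force attack hammers one account; a busy office address logs in mostly successfully). The log format, addresses, usernames and thresholds are all assumptions made up for the illustration.

```python
"""Flag credential-stuffing traffic in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example only; real auth logs differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample. 203.0.113.5 works through a leaked list: one attempt per
# account, many different accounts, a few hits where the password was reused.
# 198.51.100.7 is an office NAT with ordinary logins and one mistyped password.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=fail
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=fail
2023-10-01T12:00:03Z ip=203.0.113.5 user=carol result=ok
2023-10-01T12:00:04Z ip=203.0.113.5 user=dave result=fail
2023-10-01T12:00:05Z ip=203.0.113.5 user=erin result=fail
2023-10-01T12:00:06Z ip=203.0.113.5 user=frank result=fail
2023-10-01T12:00:07Z ip=203.0.113.5 user=grace result=ok
2023-10-01T12:00:08Z ip=203.0.113.5 user=heidi result=fail
2023-10-01T12:01:10Z ip=198.51.100.7 user=alice result=ok
2023-10-01T12:02:30Z ip=198.51.100.7 user=bob result=fail
2023-10-01T12:02:45Z ip=198.51.100.7 user=bob result=ok
2023-10-01T12:03:00Z ip=198.51.100.7 user=ivan result=ok
"""


def parse_line(line):
    """Return {"ts", "ip", "user", "result"} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, max_success_rate=0.5):
    """Return {ip: {"accounts_tried": n, "successes": [users]}} for each source
    that, within any `window`, tried at least `min_users` DISTINCT usernames
    with a success rate at or below `max_success_rate`.

    Distinct usernames is what separates stuffing from a brute-force attack
    on a single account, and the low success rate separates it from a busy
    but legitimate shared address. Thresholds here are illustrative.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            if len({e["user"] for e in span}) < min_users:
                continue
            hits = sum(1 for e in span if e["result"] == "ok")
            if hits / len(span) <= max_success_rate:
                # Report everything this source touched, not just the window:
                # the successful logins are the accounts to force-reset first.
                flagged[ip] = {
                    "accounts_tried": len({e["user"] for e in events}),
                    "successes": sorted({e["user"] for e in events
                                         if e["result"] == "ok"}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: tried {info['accounts_tried']} accounts, "
              f"got into {info['successes']}")
```

On the constructed sample only 203.0.113.5 is flagged, and its two successful logins are exactly the accounts whose owners reused a password; lowering the distinct-user threshold still leaves the office address alone because most of its attempts succeed. In practice attackers spread attempts across many addresses, so the same logic is usually run per network range or per device fingerprint rather than per single IP.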
Complicating the attack, and widening its scope immensely, is the DNA Relatives feature mentioned above. Because it shares information between users, one compromised account can divulge the personal and genetic information of many others, even those whose own account and password were never compromised. In this way, a relatively small number of compromised accounts affected some 6.9 million users.
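The amplification described above can be worked through on a small constructed example. This is an added illustration, not 23andMe’s data model or code: ten made-up users, a made-up set of genetic matches, and a simple rule that an attacker who takes over an account can read the profiles on that account’s relative list, one hop out, but only for users who opted in to sharing. It also shows the effect of the opt-out discussed later on this page: a user who has left the feature is not exposed even when a relative’s account is.

```python
"""How a relative-matching feature widens a breach (added example)."""
from collections import defaultdict

# Constructed sample of ten users. Each pair is a genetic match the service
# would show in both users' relative lists.
SAMPLE_MATCHES = [
    ("u1", "u3"), ("u1", "u4"), ("u1", "u9"),
    ("u2", "u4"), ("u2", "u5"),
    ("u3", "u6"), ("u5", "u7"), ("u6", "u8"), ("u8", "u10"),
]
# Everyone but u9 has opted in to sharing (constructed).
OPTED_IN = {f"u{i}" for i in range(1, 11)} - {"u9"}


def build_graph(matches):
    """Undirected adjacency: a match between a and b appears in both lists."""
    adj = defaultdict(set)
    for a, b in matches:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def exposed_profiles(compromised, graph, opted_in):
    """Profiles readable by an attacker holding the `compromised` accounts.

    Only one hop is visible: the attacker sees each victim's relative list,
    not the lists belonging to the people on it. Opt-in gates both ends of
    an edge: a victim who never opted in shows no list, and a user who opted
    out never appears on anyone's list, however many relatives are hit.
    """
    seen = set(compromised)  # a victim's own profile is always readable
    for victim in compromised:
        if victim not in opted_in:
            continue
        seen.update(r for r in graph.get(victim, ()) if r in opted_in)
    return seen


def amplification(compromised, graph, opted_in):
    """Exposed profiles per compromised account: 1.0 means no amplification."""
    return len(exposed_profiles(compromised, graph, opted_in)) / len(compromised)


if __name__ == "__main__":
    g = build_graph(SAMPLE_MATCHES)
    victims = {"u1", "u2"}        # the two accounts with reused passwords
    print(sorted(exposed_profiles(victims, g, OPTED_IN)))   # u9 stays out
    print(amplification(victims, g, OPTED_IN))
```

With two compromised accounts the attacker reads five profiles here, and the ratio only grows with the size of each victim’s relative list; the actual attack ran the same arithmetic across thousands of accounts to reach 6.9 million people. Because u9 opted out, u9 is not among them even though u9 is a match of a victim, and a victim who never opted in gives up only their own profile.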
What steps has 23andMe taken to protect its users?
Per the company’s statement on its blog, “If we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information.” Moreover, the company said,
“Our investigation continues and we have engaged the assistance of third-party forensic experts. We are also working with federal law enforcement officials.
We are reaching out to our customers to provide an update on the investigation and to encourage them to take additional actions to keep their account and password secure. Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA).”
Further, in November the company began requiring its users to enable MFA to further secure their accounts; until then, MFA had been optional.
The three steps every 23andMe user must take right away.
As unsettling as this news may be, 23andMe customers can take the following steps.
- Change your passwords immediately: Given the attack, 23andMe has forced all its users to reset their passwords. However, changing passwords is not enough. Every password must be strong and unique, for every account. If that sounds like a chore, a password manager can help. It creates strong, unique passwords and stores them securely. This way, you avoid falling victim to attacks where bad actors try to use passwords stolen from one account to break into another. That’s the beauty of no-repeat passwords. And where a site offers MFA, as 23andMe now requires, turn it on: a stolen password alone is then no longer enough to log in.
- Monitor your identity, credit, and transactions: In the wake of any attack where your personal info might be at risk, keep an eye on everything tied to your identity: your bank accounts, credit cards, online finances, and your credit rating. Hackers view personal info as a gold mine. Rightly so. With it, they can go on to compromise other accounts or commit other identity crimes, like filing insurance claims or opening new lines of credit in your name. Comprehensive online protection software can help you spot unauthorized account activity, changes in your credit report, or your personal info turning up on the dark web. It saves you hours of effort, and it gives you assurance that all’s well with a quick glance.
- Look into identity theft protection: Our Identity Theft & Restoration Coverage can help you set things straight if identity theft happens to you. Licensed recovery experts can take steps to repair your identity and credit. Further, you gain up to $2 million in coverage for lawyer fees, travel expenses, and stolen funds reimbursement. This offers you stronger assurance and lifts the time and financial burden of identity theft off your shoulders.
Users should also check the updated 23andMe terms of service for significant changes.
In light of the attack on 23andMe and the sensitive data it exposed, several class action lawsuits have been filed against the company. In a filing with the U.S. Securities and Exchange Commission (SEC), 23andMe stated, “multiple class action claims have been filed against the Company in federal and state court in California and state court in Illinois, as well as in British Columbia and Ontario, Canada, which the Company is defending.”
As reported by Engadget, 23andMe sent users an email in early December notifying them of a change in the company’s terms of service, specifically its Dispute Resolution and Arbitration terms. By default, users now waive their right to bring class and collective actions against the company to the fullest extent allowed by applicable law:
However, concerned users of 23andMe can opt out of these terms, thus allowing them to pursue class and collective action if they see fit. Users need to send written notice of their decision to opt out by emailing 23andMe at arbitrationoptout@23andme.com. As of this writing the terms as posted are as follows:
Once again, users can refer to Section 5 of 23andMe’s terms of service for full details and to monitor any changes the company makes to those terms.
And for everyone, consider what you share online.
Far beyond 23andMe users, everyone who goes online, which is pretty much all of us, should take note of this attack. It makes one of the strongest cases for strong, unique passwords, and for limiting the info you share online. In this case, even a strong password was no help to the millions of people whose info was exposed through a relative’s compromised account.
If you’re a 23andMe user, you can opt out of DNA Relatives by selecting the Manage Preferences option within DNA Relatives or from your Account Settings page. Granted, this will remove your ability to gain deeper genetic insights from other users, yet it will offer additional protection if a similar attack occurs.
For all of us, sharing and storing personal info is a fact of life online. The more you share and store online, the more risk you take on. And you have some control over that.
Consider what you’re sharing, who you’re sharing it with, what they do with that info, who they share it with, and in what form and circumstances. Yes, that’s a lot to consider. Complicating that yet more, many of the sites, services, and apps we use don’t make it easy to answer those questions. Terms of service and data policies rarely make for light and understandable reading.
Luckily, you can turn to trustworthy resources to get answers. The Common Sense Privacy Program evaluates privacy policies with K-12 students in mind. The Mozilla Foundation’s Privacy Not Included website scores apps and connected devices for privacy, including apps, smart home devices, and cars.
In an otherwise murky landscape, the privacy question is this: is the reward worth the risk? If you share that info, are you okay with someone unwanted accessing it? Particularly if the privacy risks are tough to spot.
Put simply, less sharing means more privacy. Put careful thought into when and where you share. And with whom.
Shut down your old accounts for yet more privacy and security.
On that note, it might be time for a cleanup.
We’ve logged into all kinds of things over the years. Many of which we don’t log into anymore. And others we’ve completely forgotten about. Across these forums, sites, and stores, you’ll find your personal info to some degree or other. If one of those sites gets compromised, your personal info stored there might get compromised too. That gives you a solid reason to delete those old accounts.
A tool like our Online Account Cleanup can help remove your info from online accounts. You’ll find it in our online protection software, along with our Personal Data Cleanup—which helps remove your personal info from risky data broker sites. It shows you where your personal info was found, and what data the sites have. Depending on your plan, it can help clean it up.
The 23andMe compromised data—a wakeup call for all of us.
The 23andMe attack, with 6.9 million people affected, reinforces a big lesson: strong, unique passwords are an absolute must. And the stakes for online privacy have never been higher.
Today we entrust the internet with so much, which increasingly includes our health and wellness info, not to mention genetic info with services like 23andMe. Taking the steps outlined here can help you protect yourself from invasions of privacy and the loss of personal info. And as we’ve seen, they protect others too. Consider them whether you’re a 23andMe customer or not.