23andMe, a popular genetic testing service that offers insights into ancestry and health, has confirmed that hackers accessed personal information of nearly 7 million users in a recent data breach. The breach, disclosed in October 2023, exposed users’ names, years of birth, and general descriptions of genetic data, such as ethnicity estimates and DNA relatives matches. The company said that no financial information, passwords, or raw genetic data were compromised.
How did the breach happen?
According to 23andMe, its own systems were not broken into. Instead, the company said, the attackers logged in with valid credentials: usernames and passwords that had been exposed in breaches of other services and that the affected users had reused on 23andMe. This is a common technique known as “credential stuffing”, where attackers feed lists of stolen username/password pairs into automated tools that try them against many different websites; every pair that still works hands over an account. If you need some motivation to stop recycling passwords, this is it.
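Credential stuffing leaves a distinctive trace in a service's authentication log: one source address tries many different usernames and fails most of the time, whereas a legitimate user who mistypes a password fails repeatedly on one username. The following added example (not 23andMe's code, and run over a constructed sample log rather than real traffic; the log format, thresholds and IP addresses are assumptions) flags sources showing that pattern and, more importantly, lists the accounts that successfully authenticated from them, since those logins were valid and the credentials must be rotated rather than just the IP blocked.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log; not real 23andMe traffic. Assumed line
# format:  <iso_timestamp> <source_ip> <username> <SUCCESS|FAIL>
# 203.0.113.7 replays 20 different stolen username/password pairs; two still
# work because those users reused the same password elsewhere.
# 198.51.100.9 is one user mistyping their own password twice, then succeeding.
_STUFFING_LINES = [
    f"2023-05-01T10:00:{i:02d}Z 203.0.113.7 user{i:02d}@example.com "
    + ("SUCCESS" if i in (3, 11) else "FAIL")
    for i in range(20)
]
_NORMAL_LINES = [
    "2023-05-01T10:05:00Z 198.51.100.9 dave@example.com FAIL",
    "2023-05-01T10:05:10Z 198.51.100.9 dave@example.com FAIL",
    "2023-05-01T10:05:20Z 198.51.100.9 dave@example.com SUCCESS",
]
SAMPLE_LOG = "\n".join(_STUFFING_LINES + _NORMAL_LINES)


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    usernames: set = field(default_factory=set)    # distinct accounts tried
    compromised: set = field(default_factory=set)  # accounts that logged in


def parse_log(text):
    """Return a list of (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, min_distinct_users=10, max_success_rate=0.3):
    """Flag source IPs that tried many distinct usernames with mostly failures.

    A user who forgets their password generates failures for one username;
    a stuffing tool generates failures across many. The low success rate is
    the signature of replaying credentials that only sometimes still work.
    """
    stats = defaultdict(SourceStats)
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes += 1
            s.compromised.add(user)
    return {
        ip: s for ip, s in stats.items()
        if len(s.usernames) >= min_distinct_users
        and s.successes / s.attempts <= max_success_rate
    }


def accounts_to_reset(flagged):
    """Accounts that authenticated from a flagged source.

    Blocking the IP is not enough: these logins were valid, so the attacker
    holds working credentials. Force a password reset and revoke the
    sessions those logins opened.
    """
    out = set()
    for s in flagged.values():
        out |= s.compromised
    return out


if __name__ == "__main__":
    flagged = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, s in flagged.items():
        print(f"{ip}: {len(s.usernames)} usernames, "
              f"{s.successes}/{s.attempts} succeeded")
    print("force reset:", sorted(accounts_to_reset(flagged)))
```

The thresholds are deliberately loose for a 23-line sample; in production they would be tuned per endpoint and combined with signals such as proxy reputation and login velocity, because stuffing tools routinely spread attempts across large proxy pools to stay under per-IP limits.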
What are the implications of the breach?
The breach raises serious concerns about the privacy and security of genetic data, which is highly sensitive and personal. Genetic data can reveal information not only about the individual who submitted the sample, but also about their relatives, even if they never consented to any data collection. Their data is inevitably intertwined. This is exactly how the incident scaled: only around 14,000 accounts were logged into directly with stuffed credentials, but each of those accounts could view the DNA Relatives matches of everyone who shares part of their genetic code, and by scraping those match lists the attackers collected profile data on roughly 6.9 million people who had never been compromised themselves.
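The amplification from a few thousand compromised accounts to millions of exposed profiles comes from one account being allowed to enumerate its entire relatives list at machine speed. The added example below (not 23andMe's code; it runs over a constructed request log, and the log format, account identifiers, window size and limit are all assumptions) shows the server-side view of that: it flags accounts that fetch an implausible number of distinct relative profiles inside a sliding window, counts how many third-party profiles left through them, and simulates the per-account cap that would have bounded the damage.

```python
from collections import Counter, defaultdict, deque

# Constructed sample request log; not real 23andMe traffic. Assumed line
# format:  <epoch_seconds> <account_id> <relative_profile_id>
# acct-1 is a compromised account driven by a scraper: it walks 1,500 distinct
# relative profiles at roughly three per second. acct-2 is a normal user
# looking at eight matches spread over an hour.
def constructed_log():
    lines = [f"{1_696_000_000 + i // 3} acct-1 rel-{i:05d}" for i in range(1500)]
    lines += [f"{1_696_000_000 + i * 450} acct-2 rel-{20000 + i}" for i in range(8)]
    return lines


def _parse(line):
    ts, acct, rel = line.split()
    return int(ts), acct, rel


def flag_scrapers(lines, window_s=3600, limit=200):
    """Return {account: peak distinct profiles fetched inside any window_s span}
    for accounts whose peak exceeds limit. Counting distinct profiles keeps a
    user refreshing one match page from looking like an enumeration."""
    per_account = defaultdict(list)
    for line in lines:
        ts, acct, rel = _parse(line)
        per_account[acct].append((ts, rel))
    flagged = {}
    for acct, events in per_account.items():
        events.sort()
        window, in_window, peak = deque(), Counter(), 0
        for ts, rel in events:
            window.append((ts, rel))
            in_window[rel] += 1
            while window[0][0] < ts - window_s:        # expire old fetches
                _old_ts, old_rel = window.popleft()
                in_window[old_rel] -= 1
                if in_window[old_rel] == 0:
                    del in_window[old_rel]
            peak = max(peak, len(in_window))
        if peak > limit:
            flagged[acct] = peak
    return flagged


def exposed_profiles(lines, flagged):
    """Third-party profiles whose data left through flagged accounts: the
    breach's real victim count, far larger than the number of accounts whose
    passwords were stuffed."""
    return {rel for _ts, acct, rel in map(_parse, lines) if acct in flagged}


def serve_with_cap(lines, window_s=3600, limit=200):
    """Simulate a server-side cap: each account may fetch at most `limit`
    distinct relative profiles per window_s. Returns the (account, profile)
    pairs that would actually be served; everything else is denied."""
    served_times = defaultdict(deque)   # account -> times of counted fetches
    served_ids = defaultdict(set)       # account -> profiles already served
    served = set()
    for ts, acct, rel in sorted(map(_parse, lines)):
        q = served_times[acct]
        while q and q[0] < ts - window_s:
            q.popleft()
        if rel in served_ids[acct]:     # re-viewing a served profile is free
            served.add((acct, rel))
            continue
        if len(q) >= limit:             # over budget: deny this fetch
            continue
        q.append(ts)
        served_ids[acct].add(rel)
        served.add((acct, rel))
    return served


if __name__ == "__main__":
    log = constructed_log()
    flagged = flag_scrapers(log)
    print("flagged:", flagged)
    print("profiles exposed without a cap:", len(exposed_profiles(log, flagged)))
    capped = serve_with_cap(log)
    print("profiles acct-1 would get under a 200/hour cap:",
          sum(1 for acct, _ in capped if acct == "acct-1"))
```

The cap is a blunt instrument and the right number depends on how many matches a real user browses, but the asymmetry is the point: a limit that a human never notices turns a 1,500-profile scrape into a 200-profile one, and the flagging logic catches the session long before the attacker's second window opens.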
Moreover, genetic data can be used for many purposes, such as identifying people, inferring health risks and predicting traits, and unlike a password it cannot be changed once it leaks. Attackers could sell, manipulate, or misuse the stolen data for malicious or unethical ends, including targeting people by ethnicity, which is how some of the scraped data was advertised. The breach also exposes the weakness of an interconnected data ecosystem, where data collected by one company, and the sharing features it builds on top of that data, can affect the privacy and security of people who never dealt with that company at all.
What can users do to protect themselves?
23andMe has notified the affected users and advised them to change their passwords and enable two-factor authentication on their accounts. The company also said that it has taken steps to enhance its security measures and prevent further unauthorized access, including requiring all users to reset their passwords and later making two-step verification mandatory for every account. Users should also review their privacy settings, in particular whether they are opted in to DNA Relatives, and opt out of sharing their data with third-party partners or research projects if they wish.
Additionally, users should stop reusing passwords across different websites and services, and use a password manager to generate and store strong, unique passwords, since a unique password is what makes a credential stolen elsewhere useless against this account. They should also monitor their accounts for suspicious activity, such as logins from unfamiliar locations, and report any incidents to the company and the authorities.
The 23andMe data breach is one of the largest and most serious breaches of genetic data in history. It highlights the risks and challenges of protecting and managing such data in the digital age. Users should be aware of the potential consequences of sharing their genetic data with any company or entity, and take steps to safeguard their privacy and security.