I have all the major DNA testing companies set to show in a customized Google Alert, and articles and notices about 23andMe continue to pile in this morning. There have been some sensationalist headlines that are clearly click-bait and are incorrect. The Daily Hive started out with "23andMe User Data Leaked." The online news aggregator iTech Post led with "23andMe Confirms Private Data Leaked." With so many outlets using the terms "leaked" or "data breach" I can't really fault Sharon; at least her headline was more accurate than some so-called news sources.
We seem to have reasonable information now that the data was listed for sale on the notorious BreachForums. The alleged founder of BreachForums was arrested in New York in March 2022, but the site still operates on the dark web. BreachForums, like its predecessor RaidForums, seems to be used mainly by independent hackers, not by organized data mining or ransomware rings.
The hacker, listing himself by the username "Golem," posted a for-sale notice that included the description: "DNA profiles of millions, ranging from the world's top business magnates to dynasties often whispered about in conspiracy theories." More than a few news articles have posited, especially with the war fulminating in the Middle East, that the latter phrase meant that individuals of Ashkenazi heritage were specifically and solely targeted, but I've yet to see any viable confirmation of that. Some reports indicate that those of Chinese descent were also targeted.
The method used, as Andreas notes, has nothing at all to do with 23andMe data systems. In fact, 23andMe offers optional multifactor authentication, which they refer to as "2-Step Verification"; any account using that authentication method was not involved in the security issue.
The technique used to access the 23andMe accounts is called "credential stuffing." Essentially, it exploits the fact that many, if not most, people use the same email address and the same password for multiple online registrations. When sites are breached and credential data stolen, it's often either sold or made available outright on the dark web.
Even though almost all websites store your password in a hash format--a random string of characters of a different length than your real password--the fact is that so many passwords are commonly used that hackers can, in some instances, match the hashed password to its normal, keyboard version. In fact, there's even a website that lets you check to see if a password is already known to have been decoded this way: https://haveibeenpwned.com/Passwords (but note that it is by no means a comprehensive listing).
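As an added illustration (not part of the original post), here is how the Pwned Passwords lookup linked above can be done without sending the password itself: only the first five hex characters of the password's SHA-1 hash are sent, the service returns every known hash suffix in that range, and the match is made locally. The range body below is constructed stand-in data with made-up counts, so the code runs offline; `constructed_fetch` stands in for an HTTP GET against the real range endpoint.

```python
import hashlib

# Constructed stand-in for the body of a Pwned Passwords range response
# (the real endpoint is https://api.pwnedpasswords.com/range/<5-char prefix>).
# Each line is "<remaining 35 hex chars of SHA-1>:<times seen in breaches>".
# Counts here are made up; only the 1E4C... line corresponds to a real password ("password").
CONSTRUCTED_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
2B6B1ED7F3B64E8E6D8E8F8D1A3C2B4E5F6:2
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    entries: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        entries[suffix.upper()] = int(count)
    return entries


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means not found.

    fetch_range(prefix) must return the text body for that 5-char prefix.
    Only the prefix ever leaves the machine; the suffix match happens here.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def constructed_fetch(prefix: str) -> str:
    """Offline substitute for the HTTP request, serving the constructed range above."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, constructed_fetch))
```

A count of 0 from the real service only means the password is not in that corpus, which, as the post notes, is not a comprehensive listing.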
Using email addresses and identifiable passwords obtained from years of prior data breaches and then using that information to log into a website as someone else is "credential stuffing."
What occurred in the 23andMe incident is not that their systems were breached or that data was leaked, but that the hacker was able to log into the 23andMe website as the actual 23andMe user, and thus had access to everything the user can see, from personal profile information to ethnicity reports to match lists to haplogroup and phenotype information. Note, however, that in order to download your raw DNA data from 23andMe a request first has to be initiated. That then sends a confirming email to you when the download is available, generally within about an hour. So that isn't a simple point-and-click operation that can be easily automated by a credential-stuffing hacker.
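Because credential stuffing uses valid logins, the site sees ordinary sign-in attempts rather than an intrusion; what gives it away on the server side is the pattern of one source trying many different accounts with a high failure rate. The following detection sketch is an added example, not anything from the original post or from 23andMe; the log lines are constructed, using documentation IP ranges, and the field names and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of an authentication log (not real telemetry from any site).
# 203.0.113.7 cycles through many accounts; 198.51.100.4 is one person mistyping.
CONSTRUCTED_AUTH_LOG = """\
2023-10-06T04:12:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2023-10-06T04:12:02Z src=203.0.113.7 user=bob@example.net result=FAIL
2023-10-06T04:12:02Z src=203.0.113.7 user=carol@example.org result=OK
2023-10-06T04:12:03Z src=203.0.113.7 user=dave@example.com result=FAIL
2023-10-06T04:12:03Z src=203.0.113.7 user=erin@example.net result=FAIL
2023-10-06T04:12:04Z src=203.0.113.7 user=frank@example.org result=OK
2023-10-06T04:15:10Z src=198.51.100.4 user=grace@example.com result=FAIL
2023-10-06T04:15:20Z src=198.51.100.4 user=grace@example.com result=FAIL
2023-10-06T04:15:35Z src=198.51.100.4 user=grace@example.com result=OK
2023-10-06T04:16:00Z src=192.0.2.9 user=heidi@example.net result=OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def parse_line(line: str) -> tuple[str, str, str]:
    """Split 'ts key=value ...' into (src, user, result); assumed log format."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["user"], fields["result"]


def summarize(log_text: str) -> dict[str, SourceStats]:
    """Aggregate attempts, failures and distinct accounts per source IP."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, user, result = parse_line(line)
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if result != "OK":
            s.failures += 1
    return stats


def flag_stuffing(log_text: str, min_distinct_users: int = 5,
                  min_failure_ratio: float = 0.5) -> dict[str, dict]:
    """Flag sources that try many different accounts and mostly fail.

    A single user failing repeatedly is not flagged (one distinct account);
    the successes from a flagged source are the account takeovers to review.
    """
    flagged = {}
    for src, s in summarize(log_text).items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[src] = {"attempts": s.attempts, "distinct_users": len(s.users),
                            "failure_ratio": round(ratio, 2)}
    return flagged
```

The successful logins from a flagged source (carol and frank above) are the accounts to lock or re-verify, since each is a valid session opened with a reused password.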
The root problem is millions of accounts that use the same email addresses and same passwords that they also use on multiple other websites.
Generally speaking, if you can easily remember a password, it's too weak. Even long ones that use a system of substituting letters in a phrase or name with numerals are too weak. Even passwords you think might be strong and secure may have already been captured and decoded. Here's a random example of one that's 18 characters long: YfDbUfNjH10305070; and another that's 20 characters long: john!20130605at1753.
Too, it's generally the combination of email address and password that becomes vulnerable. Best practice is to never use the same password elsewhere; every password you use should be unique and very strong. But in conjunction with that you should consider minimizing the number of places where you use the same email address.
That sounds more difficult to do than it actually is. There are several services out there (I use one called 33mail) that act as forwarders. These aren't temporary or disposable addresses: they're completely valid email addresses and are as permanent as you want them to be.
With 33mail I use my primary email address as the destination for all mail, set a custom subdomain (for example purposes, call it "mydomain"), and can, on the fly, have as many alias addresses as I like. For example, to register at a website named ACME Products, I might use "acmeproducts@mydomain.33mail.com."
The alias doesn't have to be created in advance; that's done automatically when the first email hits that address. I receive all mail to that address at my primary, along with a two-line header section notifying me from which of my 33mail aliases the mail was forwarded. This has a side benefit, if your email application allows it, to filter the incoming mail into different folders based on the alias address used. It also means that if you only use a particular alias at a single website, should that alias ever start receiving spam or unsolicited mail, you know where it came from and can go change only that one email address at that one website; 33mail gives you the option to discontinue using any alias that was compromised and the inbound email is simply deleted before it ever reaches you.
Multifactor authentication methods can massively improve personal security for websites, but unless I'm using some centralized service like Google Authenticator, I still use different email addresses...and always different passwords.
I've been told more times than I can count that managing unique passwords and unique email accounts is way too much trouble and is overkill. The usual justification I'm given goes something like this: "I've been doing it the way I do it for years and I've never had any problem." I'm sure many 23andMe users felt exactly the same way...at least up until four days ago.
Edited: Minor change for clarity regarding "credential stuffing."