23andMe Data Security Issue - Oct 2023

+10 votes
386 views

If you're a 23andMe user who hasn't already seen this elsewhere, 23andMe had a data leak. The breach doesn't seem to have been within their own servers; the hacker accessed the site using passwords from other sites that users had reused at 23andMe.

in The Tree House by Sharon Casteel G2G6 Pilot (166k points)
I just received a notice when logging into 23andMe this morning that all passwords have been reset.

3 Answers

+10 votes
Best answer

I have all the major DNA testing companies set to show in a customized Google Alert, and articles and notices about 23andMe continue to pile in this morning. There have been some sensationalist headlines that are clearly click-bait and are incorrect. The Daily Hive started out with "23andMe User Data Leaked." The online news aggregator iTech Post led with "23andMe Confirms Private Data Leaked." With so many outlets using the terms "leaked" or "data breach" I can't really fault Sharon; at least her headline was more accurate than some so-called news sources.

We seem to have reasonable information now that the data was listed for sale on the notorious BreachForums. The alleged founder of BreachForums was arrested in New York in March 2022, but the site still operates on the dark web. BreachForums, like its predecessor RaidForums, seems to be used mainly by independent hackers, not by organized data mining or ransomware rings.

The hacker, listing himself by the username "Golem," posted a for-sale notice that included the description: "DNA profiles of millions, ranging from the world's top business magnates to dynasties often whispered about in conspiracy theories." More than a few news articles have posited, especially with the war fulminating in the Middle East, that the latter phrase meant that individuals of Ashkenazi heritage were specifically and solely targeted, but I've yet to see any viable confirmation of that. Some reports indicate that those of Chinese descent were also targeted.

The method used, as Andreas notes, has nothing at all to do with 23andMe data systems. In fact, 23andMe offers optional multifactor authentication, which they refer to as "2-Step Verification"; any account using that authentication method was not involved in the security issue.

The technique used to access the 23andMe accounts is called "credential stuffing." Essentially, it exploits the fact that many, if not most, people use the same email address and the same password for multiple online registrations. When sites are breached and credential data stolen, it's often either sold or made available outright on the dark web.

Even though almost all websites store your password in a hash format--a random string of characters of a different length than your real password--the fact is that so many passwords are commonly used that hackers can, in some instances, match the hashed password to its normal, keyboard version. In fact, there's even a website that lets you check to see if a password is already known to have been decoded this way: https://haveibeenpwned.com/Passwords (but note that it is by no means a comprehensive listing).

Using email addresses and identifiable passwords obtained from years of prior data breaches and then using that information to log into a website as someone else is "credential stuffing."

What occurred in the 23andMe incident is not that their systems were breached or that data was leaked, but that the hacker was able to log into the 23andMe website as the actual 23andMe user, and thus had access to everything the user can see, from personal profile information to ethnicity reports to match lists to haplogroup and phenotype information. Note, however, that in order to download your raw DNA data from 23andMe a request first has to be initiated. That then sends a confirming email to you when the download is available, generally within about an hour. So that isn't a simple point-and-click operation that can be easily automated by a credential-stuffing hacker.

The root problem is millions of accounts that use the same email addresses and same passwords that they also use on multiple other websites.

Generally speaking, if you can easily remember a password, it's too weak. Even long ones that use a system of substituting letters in a phrase or name with numerals are too weak. Even passwords you think might be strong and secure may have already been captured and decoded. Here's a random example of one that's 18 characters long: YfDbUfNjH10305070; and another that's 20 characters long: john!20130605at1753.

Too, it's generally the combination of email address and password that becomes vulnerable. Best practice is to never use the same password elsewhere; every password you use should be unique and very strong. But in conjunction with that you should consider minimizing the number of places where you use the same email address.

That sounds more difficult to do than it actually is. There are several services out there (I use one called 33mail) that act as forwarders. These aren't temporary or disposable addresses: they're completely valid email addresses and are as permanent as you want them to be.

With 33mail I use my primary email address as the destination for all mail, set a custom subdomain (for example purposes, call it "mydomain"), and can, on the fly, have as many alias addresses as I like. For example, to register at a website named ACME Products, I might use "acmeproducts@mydomain.33mail.com."

The alias doesn't have to be created in advance; that's done automatically when the first email hits that address. I receive all mail to that address at my primary, along with a two-line header section notifying me from which of my 33mail aliases the mail was forwarded. This has a side benefit, if your email application allows it, to filter the incoming mail into different folders based on the alias address used. It also means that if you only use a particular alias at a single website, should that alias ever start receiving spam or unsolicited mail, you know where it came from and can go change only that one email address at that one website; 33mail gives you the option to discontinue using any alias that was compromised and the inbound email is simply deleted before it ever reaches you.

Multifactor authentication methods can massively improve personal security for websites, but unless I'm using some centralized service like Google Authenticator, I still use different email addresses...and always different passwords.

I've been told more times than I can count that managing unique passwords and unique email accounts is way too much trouble and is overkill. The usual justification I'm given goes something like this: "I've been doing it the way I do it for years and I've never had any problem." I'm sure many 23andMe users felt exactly the same way...at least up until four days ago.

Edited: Minor change for clarity regarding "credential stuffing."

by Edison Williams G2G6 Pilot (442k points)
selected by Andreas West
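The password check linked in the answer above (haveibeenpwned.com/Passwords) is built on a k-anonymity range lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and compares the returned list of suffixes locally, so the full password hash never leaves the machine. The block below is an added example written for this page; it is not code from the original post, from 23andMe, or from the Have I Been Pwned project. It reproduces that lookup offline: the "breach corpus" and its counts are invented, the range responses are constructed locally by `build_range_response` in the same `SUFFIX:COUNT` line format the live `https://api.pwnedpasswords.com/range/<prefix>` endpoint returns, and all helper names are my own.

```python
import hashlib
from typing import Callable, Dict, Tuple

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix is all the lookup service sees."""
    return digest[:5], digest[5:]

# Constructed stand-in for a breach corpus. The two long strings are the sample
# passwords quoted in the answer above; every count here is invented for this
# demonstration and is not a real Pwned Passwords figure.
SAMPLE_CORPUS: Dict[str, int] = {
    "password": 9_000_000,
    "YfDbUfNjH10305070": 3,
    "john!20130605at1753": 1,
}

def build_range_response(corpus: Dict[str, int], prefix: str) -> str:
    """Build the body the range API would return for one prefix: one
    'SUFFIX:COUNT' line per hash whose first five characters match."""
    lines = []
    for pw, count in corpus.items():
        p, suffix = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Zero-count entries (the live API can pad
    responses with these) are dropped so they never yield a false match."""
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep:
            continue  # blank or malformed line
        n = int(count)
        if n > 0:
            seen[suffix.upper()] = n
    return seen

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen).
    Only the prefix is handed to fetch_range; the suffix match is local."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def sample_fetch(prefix: str) -> str:
    """Offline replacement for an HTTPS GET of the real range endpoint;
    answers from the constructed corpus instead of the network."""
    return build_range_response(SAMPLE_CORPUS, prefix)

if __name__ == "__main__":
    for candidate in ["password", "YfDbUfNjH10305070", "kT9#vq-Lm2!xRp7w"]:
        n = pwned_count(candidate, sample_fetch)
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not in corpus'}")
```

To run this against the live service, replace `sample_fetch` with a function that performs the HTTPS GET for the prefix and returns the response body; the rest of the flow, including the local suffix comparison, stays the same. The point of the design is visible in `pwned_count`: a password that is in the corpus is reported with its count, one that is not returns 0, and in neither case does the full hash leave the caller.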

Thanks for the "best answer" star, Andreas.

And while not unsurprising, though no less ridiculous, news surfaced yesterday that two individuals had already filed a proposed federal class action lawsuit against 23andMe in the U.S. District Court of Northern California. I won't name any names but the civil docket number for the case is 3:23-cv-05147 if anyone wants to look it up or follow the case (this is information in the public record). 

The suit alleges that 23andMe maintained the defendants' personal information in a reckless manner and failed to use reasonable and adequate measures to keep their data safe.

To be clear, all that was required to file the lawsuit was minimal paperwork and a $402 filing fee. It's astonishingly easy to file most civil lawsuits in the U.S.

My prediction, however, is that this effort will go absolutely nowhere because there was no failure or omission on the part of 23andMe. There was no data access backdoor exploited or IT systems breached.

To pile on the ridiculousness, the suit also alleges that 23andMe failed to provide prompt and adequate notice of the incident. The company had no way to know any data had been inappropriately accessed until it learned information was for sale on the dark web. It posted notification on the 23andMe website less than 24 hours--probably less than 12 hours--after learning this. Likewise, since the data was obtained by log-ins that used the users' correct email addresses and passwords (and the accesses were no doubt generated from rotating, randomized IP addresses via proxy servers), 23andMe had no way to know whose personal information may have been obtained. For example, there's really no IT flag that could be raised only because it seemed Mark Zuckerberg (an actual 23andMe customer) logged in from, say, New York rather than California.

What I probably should have made clear in my answer is that, for anyone who uses the same email address and password for multiple websites, this should be a call to be proactive. If you use the same credentials at 23andMe, Ancestry, Family Tree DNA, MyHeritage, WikiTree, FamilySearch, even your local electricity provider, and if you aren't using a form of multi-factor authentication for any given website then your credentials are potentially at risk.

If I had to guess, I'd wager that over half the people who have taken a DNA test at both 23andMe and AncestryDNA use the same email address and password for both accounts. And if account information was obtained from 23andMe in this event, then it would be a simple matter of the hacker repeating the process at AncestryDNA because the email/password combination had already been exposed previously from some other data breach that might have happened years ago.

  1. If you use the same email/password combination for multiple websites, make a plan and start changing all those passwords to something unique--one website, one unique password--and something strong (the longer the better; a mix of numbers, symbols, and both upper- and lower-case letters; no ties to your personal information; no dictionary words; if you can easily remember it, it's probably too weak).
  2. Enable multi-factor authentication (often abbreviated as 2FA for "two-factor authentication") whenever it's offered. Not all multi-factor authentication methods are created equal: some are more robust than others. These will range from having a PIN in addition to your password; to receiving a limited- and one-time use PIN to your email address or via SMS text message to your phone; to using a third-party application like Google Authenticator or Microsoft Authenticator. To reiterate, 23andMe offers 2FA using Google Authenticator and it's almost a certainty that no accounts using that sign-in method were involved in this data incident.
  3. Consider an email forwarding service like 33mail, SimpleLogin, or Firefox Relay to allow you easily to use different email addresses for your website registrations. Not only can this be a spam control and mail filtering measure, but your log-in credentials are almost always tied to an email address. When looking for a service, the main thing I would advise is to avoid those that offer disposable accounts. These are typically time-limited email addresses that stay active only for a matter of hours and then vanish. You'll want a service that offers a true forwarding service so that the unique email addresses are as permanent as you want them to be. Some limited levels of service are often free, but the good ones will have a small fee (in general, these will range from around $20 to $60 per year).
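The comment above notes that per-account checks give a site little to go on when a stuffing run uses each victim's correct credentials from rotating IP addresses. What a defender can still see is the shape of the traffic: one source touching many different accounts with a high failure rate, and, for sources that stay below any per-IP threshold, a fleet-wide burst of attempts spread across many accounts with an abnormal failure ratio. The block below is an added example for this page, not 23andMe's code or anything from the original posts. The log line format, the thresholds, the `build_sample_log` traffic (RFC 5737 documentation addresses, made-up account names) and all function names are my own constructions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed log format for this example: "<ISO8601> login user=<u> ip=<ip> result=OK|FAIL"
LOG_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$")

@dataclass
class Attempt:
    ts: datetime
    user: str
    ip: str
    ok: bool

def parse_log(lines: Iterable[str]) -> List[Attempt]:
    """Parse login events; lines that are not login events are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        out.append(Attempt(ts, m["user"], m["ip"], m["result"] == "OK"))
    return out

def per_ip_signals(attempts: List[Attempt], min_accounts: int = 5, min_fail_ratio: float = 0.6) -> Dict[str, dict]:
    """Signal 1: a single source trying many distinct accounts, mostly failing.
    Ordinary users hit one or two accounts; a stuffing source hits many."""
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    flagged = {}
    for ip, rows in by_ip.items():
        users = {r.user for r in rows}
        ratio = sum(1 for r in rows if not r.ok) / len(rows)
        if len(users) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(users), "attempts": len(rows),
                           "fail_ratio": round(ratio, 2),
                           "successes": [r.user for r in rows if r.ok]}
    return flagged

def window_signals(attempts: List[Attempt], window: timedelta = timedelta(minutes=5),
                   min_attempts: int = 20, min_fail_ratio: float = 0.5) -> List[dict]:
    """Signal 2: fleet-wide view per time window. Catches runs that rotate
    through so many sources that no single IP crosses the per-IP threshold."""
    secs = int(window.total_seconds())
    buckets: Dict[int, List[Attempt]] = defaultdict(list)
    for a in attempts:
        buckets[int(a.ts.timestamp()) // secs].append(a)
    report = []
    for key in sorted(buckets):
        rows = buckets[key]
        ratio = sum(1 for r in rows if not r.ok) / len(rows)
        if len(rows) >= min_attempts and ratio >= min_fail_ratio:
            report.append({"window_start": datetime.fromtimestamp(key * secs, tz=timezone.utc).isoformat(),
                           "attempts": len(rows),
                           "distinct_users": len({r.user for r in rows}),
                           "distinct_ips": len({r.ip for r in rows}),
                           "fail_ratio": ratio})
    return report

def accounts_to_reset(flagged: Dict[str, dict]) -> List[str]:
    """Accounts that a flagged source logged into successfully: these are the
    ones whose reused password was valid and should be reset and notified."""
    return sorted({u for info in flagged.values() for u in info["successes"]})

def build_sample_log() -> List[str]:
    """Constructed sample traffic: three ordinary logins, a stuffing run over
    four rotating sources, and one low-and-slow source under the per-IP bar."""
    base = datetime(2023, 10, 1, 3, 10, 0, tzinfo=timezone.utc)
    lines: List[str] = []
    def add(sec: int, user: str, ip: str, ok: bool) -> None:
        ts = (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} login user={user} ip={ip} result={'OK' if ok else 'FAIL'}")
    add(5, "alice@example.com", "198.51.100.10", True)
    add(40, "bob@example.com", "198.51.100.11", True)
    add(90, "carol@example.com", "198.51.100.12", True)
    n = 0
    for ip in ["203.0.113.5", "203.0.113.17", "203.0.113.23", "203.0.113.41"]:
        for j in range(6):          # six different accounts per source, one reused password works
            n += 1
            add(100 + n * 3, f"user{n}@example.com", ip, ok=(j == 0))
    add(250, "user99@example.com", "203.0.113.77", False)   # only two accounts: invisible to signal 1
    add(280, "user98@example.com", "203.0.113.77", False)
    return lines

if __name__ == "__main__":
    attempts = parse_log(build_sample_log())
    print("per-IP:", per_ip_signals(attempts))
    print("windows:", window_signals(attempts))
    print("reset:", accounts_to_reset(per_ip_signals(attempts)))
```

The two signals are complementary: `per_ip_signals` names the four rotating sources and the one account each of them got into, while `window_signals` reports the whole five-minute burst (29 attempts across 29 accounts from 8 sources at a 76% failure rate), which is what still shows up when the attacker spreads the run thinly enough that `203.0.113.77` never crosses the per-IP bar. Real thresholds have to be tuned against a site's normal baseline, which is why both functions take them as parameters.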
Thank you Edison for your always appropriate and helpful advice. I am old and my emails and passwords are different names I have used throughout life. Currently, I have about 50 different ones which of course I do not remember. So, I need to list them, which is beside my computer. Should anyone break into my house my passwords are readily available. I really limit the sites that I use and they are basically the same 15 or so websites. If I need to go through what you suggest, although most appropriate, I will give up using the internet. Your knowledge and insight is most welcomed.

Julia, there are excellent tools available to keep track of your various passwords at websites. E.g. Google (via their Chrome browser) and Apple (via their mobile/tablet/computer systems and Safari browser) have built-in systems to securely keep track of your identifier/password combinations for websites.

I personally use the free Bitwarden tool (not affiliated with them), as I can additionally store credit card/bank information and other very important information securely in the app.

Here's also a link to an article from UC Santa Barbara with 7 tips for best practice on password safety.

+4 votes

Sorry, it's not a data leak and quite frankly 23andMe doesn't have a security issue!

If that would be the case, then Facebook, Google, WikiTree and other websites where these people used the same password would have a "security issue" as well.

We should be very careful what we publish and do our research first. It's clear (as it was reported by serious news outlets like Reuters) that no data breach happened.

Instead some bad actors used email/password combinations they most likely got from another source, either from a phishing attack or from the previously recorded data breach at GEDmatch (see this official post from the back then owner of GEDmatch: https://verogen.com/gedmatch-incident-response/).

Here is 23andMe's official statement: https://blog.23andme.com/articles/addressing-data-security-concerns

I quote from their statement:

"While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.

We believe that the threat actor may have then, in violation of our Terms of Service, accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service. "

Disclaimer: I'm not affiliated with 23andMe, nor with GEDmatch.

PS: I flagged this post due to the misinformation it contains and because WikiTree is responsible for the content that is posted in its forum (see also https://www.anthonycollins.com/insights/ebriefings/can-you-be-liable-for-others-posting-on-your-social-media/). Unfortunately there was no category for misinformation, hence I had to select spam/vandalism, though that's surely not the intent of the original poster.

by Andreas West G2G6 Mach 7 (76.0k points)
edited by Andreas West
Thank you for the clarification. The G2G Moderators have cleared the flag.
Well, I'd appreciate if the Moderator would also comment here why he/she removed the flag (wrong flag, then please create one for misinformation).

It's still incorrect and misinformation (even if that wasn't the intention of the OP), which hurts a publicly traded company and it will hurt our ability to find close relatives that are willing to do a DNA test, even if we pay for it.

Many users read only the headline (like I did in my digest) and might not have the time to fully inform themselves by checking the relevant sources (e.g. 23andMe's own blog post like I posted).

@Sharon, could you please edit your headline and G2G post? Thanks

Andreas, we have no flag for suggested misinformation, and as you recognise, this question was not spam or vandalism. That is why the flag was removed. If you want to propose a flag for suggested misinformation, it would mean a change to WikiTree's Discussion Rules, and hence it would mean a WikiTree rule change, and it will be necessary to suggest this in a separate independent question, which can then be debated by the WikiTree community. Please see https://www.wikitree.com/wiki/Help:Developing_New_Rules for more information.

Further discussion of the possibility of a rule change of this kind would be off topic in this G2G conversation (see Discussion Rule 1).

Thank you Michael for the clarification and I didn't know that you were a Mod as you didn't identify yourself as such.

Will follow up on the links you provided when I have a bit more time but they are highly appreciated!
+3 votes

23@me just sent out the following email:

Dear ...,

We want to provide you with an important update and recommended actions.

What happened?
We recently learned that certain profile information – which a customer creates and chooses to share with their genetic relatives in the DNA Relatives feature – was accessed from individual 23andMe.com accounts. This was done without the account users’ authorization. We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.

While our investigation is ongoing, at this time we believe the threat actor was able to access certain accounts in instances where users employed identical login credentials - that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that had been previously compromised or otherwise available.

If we learn that your data has been accessed without your authorization, we will contact you separately with more information.

What is 23andMe doing about this?
After learning of suspicious activity, we immediately began an investigation and engaged the assistance of third-party forensic experts and notified law enforcement. Out of caution, we are also requiring that all customers reset their passwords.

Security and privacy are the highest priorities at 23andMe. We exceed industry data protection standards and have achieved three different ISO certifications to demonstrate the strength of our security program. We actively and routinely monitor and audit our systems to ensure that your data is protected. When we receive information through those processes or from other sources claiming customer data has been accessed by unauthorized individuals, we immediately investigate to validate whether this information is accurate. Beginning in 2019, we’ve offered and encouraged users to use multi-factor authentication (MFA), which provides an extra layer of security and can prevent bad actors from accessing an account through recycled passwords.

What can you do today?
We further encourage you to take additional action to keep your account and password secure. This includes the following steps:

  • When you reset your password, confirm it is not easy to guess and not used for other accounts, meaning it’s unique to your 23andMe account. Reset password here.
  • Be sure to enable multi-factor authentication (MFA) on your 23andMe account: Adding 2-Step Verification To Your 23andMe Account.
  • If you log in to 23andMe using your Google or Apple single sign-on, you will not be prompted for a password change, but we recommend you protect your Google or Apple account with MFA.


23andMe is here to support you. Please contact Customer Care at customercare@23andme.com if you need assistance. You can refer to our blog post for future updates.

The 23andMe Team

by Mike Guzzetta G2G6 Mach 4 (46.2k points)
