23andMe users need to double-check the state of the personal data shared on the genealogy website after a massive data leak was reported last Friday.
Millions of users’ private data ended up on sale after hackers accessed the data from the company’s website using passwords and usernames that were previously exposed. Only accounts with the relative search feature, which notifies members when a relative match is found, were affected. The stolen information was posted for sale on a forum and included origin estimation, phenotype, health information, photos, identification data, and other personal information, according to Ars Technica. 23andMe said that its investigation found only profile information was taken, and not genetic info.
The post exposing the accounts also states that 23andMe CEO Anne Wojcicki was aware of the data breach two months ago, and the company did not take action. Last Friday, reports emerged of a leaked database that contained information for 1 million users of Ashkenazi descent who had opted in for the DNA relative search feature. A second database, including 300,000 Chinese users, was also found to be stolen.
When reached for comment, 23andMe referred CordCuttersNews to a recent blog post for clarification.
“After learning of suspicious activity, we immediately began an investigation,” said 23andMe in a blog post on October 6. “While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.”
23andMe is a company advertising its services as a simple way for members to trace their heritage and discover long-lost relatives.
The exposure of genetic information can have a devastating, long-lasting effect on those affected. The hackers gathered profiles, account ID numbers, display names, gender, birth year, maternal and paternal haplogroups, ancestral heritage results, and health data for members who had signed up for it. The website also stores basic profile information, including location.
“We take security seriously. We exceed industry data protection standards and have achieved three different ISO certifications to demonstrate the strength of our security program,” said 23andMe. “When we receive information through those processes or from other sources claiming customer data has been accessed by unauthorized individuals, we immediately investigate to validate whether this information is accurate.”
23andMe has reset its users' passwords, but members are also encouraged to choose a password that is unique to their account and to enable multi-factor authentication. Users can check the Privacy and Security Checkup page for additional information on how to keep their accounts secure.
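As an added defender-side illustration (not code from 23andMe or from the article), the Python below shows the signal that the credential recycling described above leaves in an authentication log: one source trying many distinct accounts with mostly failures, and the few accounts that succeed being the ones that need a forced reset. The log lines, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample authentication log (not real 23andMe data):
# timestamp, source IP, username, result. One source cycles through many
# accounts with mostly failures, the pattern credential stuffing leaves behind.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.5 alice FAIL
2023-10-01T10:00:02Z 203.0.113.5 bob FAIL
2023-10-01T10:00:03Z 203.0.113.5 carol OK
2023-10-01T10:00:04Z 203.0.113.5 dave FAIL
2023-10-01T10:00:05Z 203.0.113.5 erin FAIL
2023-10-01T10:00:06Z 203.0.113.5 frank OK
2023-10-01T10:00:07Z 203.0.113.5 grace FAIL
2023-10-01T10:00:08Z 198.51.100.7 alice FAIL
2023-10-01T10:00:09Z 198.51.100.7 alice OK
"""

def parse_log(text):
    """Parse 'ts ip user RESULT' lines into (ts, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "OK"))
    return events

def find_credential_stuffing(events, min_users=5, max_success_rate=0.5):
    """Return (flagged_ips, hit_accounts). A source is flagged when it tries at
    least `min_users` distinct accounts and most attempts fail; accounts that
    succeeded from a flagged source are the ones to force-reset."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": set()})
    for _, ip, user, ok in events:
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["ok"].add(user)
    flagged, hits = set(), set()
    for ip, s in stats.items():
        # distinct accounts that succeeded, over every attempt from this source
        success_rate = len(s["ok"]) / s["attempts"]
        if len(s["users"]) >= min_users and success_rate <= max_success_rate:
            flagged.add(ip)
            hits |= s["ok"]
    return flagged, hits
```

The second source (one user failing once, then succeeding) is a normal typo and is not flagged; only the source spraying seven accounts is, together with the two accounts it got into.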