Genetic testing company 23andMe denies data hack, disables DNA Relatives feature

Genetic testing company 23andMe has temporarily disabled certain features of  DNA Relatives, an optional sub service that allows users to share ancestry information with users worldwide amidst reports of a data breach earlier this month. 

23andMe was recently made aware that an outside entity stole information users had voluntarily disclosed while using the DNA Relatives feature, according to a statement on the company’s website. 

The information, gathered from individual 23andMe accounts was obtained without the user’s permission. 

“We believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” 23andMe wrote on their website. 

Using stolen usernames and passwords to gain unauthorized access to multiple accounts is a cyberattack technique is known as credential stuffing. Its one of the reasons why cybersecurity experts recommend against using the same password for different sites, according to Reuters. 

The company is still investigating the origins of the security violation, but their findings thus far do not point to a breach, a data security incident, or that 23andMe was the source of the account credentials used in these attacks, a 23andMe representative shared with USA Today.  

Here’s what we know. 

Was every 23andMe customer impacted?

Not every 23andMe customer was impacted by the data breach, but its unclear how many registered users were targeted by hackers. 

23andMe previously told Reuters that while an “unspecified amount of customer profile information had been compiled, the company itself had not been breached.” 

Third-party forensic experts and federal law enforcement have been called in to assist the company with the investigation, 23andMe reported. 

A numbers of customers were contacted Tuesday with additional details from 23andMe about the information that was taken, according to social media posts from registered users. The total number of customers contacted is unknown. 

“We are reaching out to our customers to provide an update on the investigation and to encourage them to take additional actions to keep their account and password secure. Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA). If we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information,” according to 23andMe. 

ICYMI:How long before a phone is outdated? Here's how to find your smartphone's expiration date

What kind of personal information may have been compromised?

DNA Relatives is an optional 23andMe service, but some of the information you are required to provide is not.  The best way to ensure complete privacy is to opt out of the feature completely, the 23andMe website states.  

Ancestry reports and matching DNA segments, your location, ancestor birth locations and family names, profile picture, birth year, family tree, or details in your introduction are all optional fields. 

Your display name, login activity, relationship labels, your predicted relationship and the percentage of DNA shared with your matches are all mandatory fields. 

Out of an abundance of caution,  23andMe has advised customers to make their account as secure as possible. 

• Confirm you have a strong password, one that is not easy to guess and that is unique to your 23andMe account. If you are not sure whether you have a strong password for your account, reset it by following the steps outlined here. 
• Be sure to enable multi-factor authentication (MFA) on your 23andMe account. You can enable MFA by following the steps outlined here.
• Review 23andMe's Privacy and Security Checkup page with additional information on how to keep your account secure.

Customers have been asked to contact Customer Care at customercare@23andme.com with any further inquiries. 

More:How does Google passkey work? Kiss your passwords goodbye with this new tool