The recent panic about hacking at 23andMe in the press seems overblown to me. What exactly would someone do with my DNA? There is nothing in there of any monetary value, nor do I have health risks that need to be private. Perhaps knowing which celebrities are Jewish or Chinese might be of use to some bad actors. The fact is that those lists are for sale on the dark web. Click here for an interesting article about that.
We have all been advised to guard our online privacy, but our DNA is not our social security number nor our credit card, so I am not worried about this yet. The hackers were able to use login credentials that were leaked from other sites to access those people’s accounts at 23andMe. Then they could see information about other 23andMe users whose DNA matched the compromised account. The type of information exposed was ethnicity, other relatives, and family tree information, plus whatever you said about yourself. This does not seem worrisome to me. My actual DNA was not exposed, and even if it were, it would take a very DNA-savvy hacker to use it to create a fake relative of mine.
Most of the DNA sites are now forcing two-factor authentication (2FA) on their users when they log in. That is where a code is sent to you by text or email when you log in, to confirm it is really you. This should prevent “credential stuffing” hacks in the future. If you try to log into 23andMe, you will also discover that you must now change your password there. If your relative is deceased and their email of record is no longer available, you may be out of luck. Perhaps customer service can help you.
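As an added example (not from the original post), this is how a site's own defenders can spot the credential-stuffing pattern described above in their login logs: one source address trying many different accounts in a few minutes, with only the reused passwords succeeding. The log lines and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events for illustration, not real 23andMe logs.
# Fields: ISO timestamp, source IP, username, whether the password was accepted.
EVENTS = [
    ("2023-10-01T10:00:01", "203.0.113.5", "alice", False),
    ("2023-10-01T10:00:04", "203.0.113.5", "bob", False),
    ("2023-10-01T10:00:07", "203.0.113.5", "carol", True),
    ("2023-10-01T10:00:10", "203.0.113.5", "dave", False),
    ("2023-10-01T10:00:13", "203.0.113.5", "erin", True),
    ("2023-10-01T10:00:16", "203.0.113.5", "frank", False),
    ("2023-10-01T10:02:30", "198.51.100.7", "alice", False),  # mistyped, then correct
    ("2023-10-01T10:02:45", "198.51.100.7", "alice", True),
    ("2023-10-01T11:15:00", "192.0.2.9", "bob", True),
]


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: {"accounts_tried": n, "compromised": [users]}} for every
    source that attempted at least `min_accounts` distinct usernames inside one
    `window`. Credential stuffing replays username/password pairs leaked from
    other sites, so one source touches many accounts in a short time and only
    the reused passwords succeed; those are the accounts to reset and to put
    behind 2FA first.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_accounts:
                compromised = sorted({u for _, u, ok in in_window if ok})
                flagged[ip] = {"accounts_tried": len(users), "compromised": compromised}
                break  # one finding per source is enough
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(EVENTS).items():
        print(f"{ip}: tried {info['accounts_tried']} accounts, "
              f"valid passwords for {info['compromised']}")
```

A real deployment would also look at shared user agents and account-creation patterns, but the per-source account count is the signal that a legitimate user almost never produces.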
Here is the text of the recent email all my Jewish accounts received:
“Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.”
The moral of this story is not to use the same passwords on more than one site. Several of my favorite passwords were leaked in various hospital system breaches. Google is kind enough to tell me when I try to log in to a site with a compromised password. My recommendation is to use several passwords which you vary by including a 2 or 3 character indicator of the site name. So for example, add “23m” somewhere in your 23andMe password. Most of us have browsers which remember our passwords for us, and if they forget, we can use the forgot password link or have the site text us a code. I keep a text file of my passwords with written descriptions of which password was used rather than spelling them out. Naturally I use unique, different, and difficult passwords with two-factor security on sites that access money.
Personally, I am not leaving 23andMe, although I did change my password there. I am sad that many of the features that I love, like the DNA comparison tools, are temporarily closed down. I look forward to their return once the breach has been understood and dealt with.