The recent panic in the press about the hacking at 23andMe seems overblown to me. What exactly would someone do with my DNA? There is nothing in there of any monetary value, nor do I have health risks that need to be private. Perhaps knowing which celebrities are Jewish or Chinese might be of use to some bad actors; the fact is that those lists are for sale on the dark web. Click here for an interesting article about that.
We have all been advised to guard our online privacy, but our DNA is not our social security number nor our credit card, so I am not worried about this yet. The hackers used login credentials that had leaked from other sites to get into those people’s accounts at 23andMe. Once inside, they could see information about other 23andMe users whose DNA matched the compromised account. The type of information exposed was ethnicity, other relatives, and family tree information, plus whatever you had said about yourself. This does not seem worrisome to me. My actual DNA was not exposed, and even if it were, it would take a very DNA-savvy hacker to use it to create a fake relative of mine.
Most of the DNA sites are now forcing two-factor authentication (2FA) on their users when they log in. That is where a text or an email is sent to you when you log in, to be sure it is you. This should prevent “credential stuffing” hacks (trying leaked username and password pairs from other sites) in the future. If you try to log into 23andMe, you will also discover that you must now change your password there. If your relative is deceased and their email of record is no longer available, you may be out of luck. Perhaps customer service can help you.
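Credential stuffing has a recognizable shape on the server side: one client working through many different accounts in a short window, most attempts failing and a few succeeding. The script below is an added example, not code from 23andMe or from this post; the log format, the IP addresses, the accounts and the thresholds are all constructed for illustration.

```python
# Added example (not from the original post): flagging credential stuffing in
# constructed login logs. The attack described above replays leaked passwords,
# so it appears as one IP trying many distinct accounts within a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, one per login attempt: "timestamp ip email result"
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:03 203.0.113.7 carol@example.com OK
2023-10-01T10:00:04 203.0.113.7 dave@example.com FAIL
2023-10-01T10:00:05 203.0.113.7 erin@example.com FAIL
2023-10-01T10:00:06 203.0.113.7 frank@example.com OK
2023-10-01T10:05:00 198.51.100.9 alice@example.com FAIL
2023-10-01T10:05:30 198.51.100.9 alice@example.com OK
"""

def parse(lines):
    """Turn the constructed log text into (timestamp, ip, user, success) tuples."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def find_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: (distinct_users, successful_users)} for every IP that tried
    at least min_users distinct accounts inside one sliding time window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            if len(users) >= min_users:
                # The accounts that actually opened are the ones to notify/reset.
                successes = sorted({u for _, u, ok in in_win if ok})
                flagged[ip] = (len(users), successes)
                break
    return flagged

if __name__ == "__main__":
    print(find_stuffing(parse(SAMPLE_LOG)))
```

A single user retrying their own password (the second IP) is not flagged; only the many-accounts-from-one-source pattern is, and the successful accounts are the ones whose owners need a forced password change.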
Here is the text of the recent email all my Jewish accounts received:
“Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.”
The moral of this story is not to use the same passwords on more than one site. Several of my favorite passwords were leaked in various hospital system breaches. Google is kind enough to tell me when I try to log in to a site with a compromised password. My recommendation is to use several passwords which you vary by including a 2 or 3 character indicator of the site name. So, for example, add “23m” somewhere in your 23andMe password. Most of us have browsers which remember our passwords for us, and if they forget, we can use the forgot password link or have the site text us a code. I keep a text file of my passwords with written descriptions of which password I used rather than spelling them out. Naturally I use unique, different, and difficult passwords with two-factor security on sites that access money.
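The compromised-password warning mentioned above works without the browser ever sending your password to anyone. The script below is an added example, not code from Google, 23andMe or this post; it implements the k-anonymity range lookup used by the Pwned Passwords API (Google's Password Checkup uses its own privacy-preserving protocol, but the principle is the same), with the range response constructed inline so it runs offline.

```python
# Added example (not from the original post): checking a password against a
# breach corpus without revealing it. Only the first 5 hex characters of the
# SHA-1 hash leave the client; the server returns every suffix it knows for that
# prefix and the client compares locally. The range data below is constructed.
import hashlib

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str):
    """Return (prefix, suffix): 5 chars sent to the server, 35 chars kept local."""
    h = sha1_hex(password)
    return h[:5], h[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a 'SUFFIX:COUNT' per line range response and return the breach
    count for our suffix (0 means the password is absent from the corpus)."""
    for line in range_body.splitlines():
        if not line.strip():
            continue
        sfx, _, count = line.partition(":")
        if sfx.strip() == suffix:
            return int(count)
    return 0

# Constructed stand-in for the server: a range response for the prefix of
# "password123". A real client would GET https://api.pwnedpasswords.com/range/<prefix>.
FAKE_RANGE_DB = {
    split_hash("password123")[0]: (
        "0018A45C4D1DEF81644B54AB7F969B88D65:3\n"
        f"{split_hash('password123')[1]}:123456\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n"
    )
}

def is_compromised(password: str, fetch_range) -> int:
    """fetch_range(prefix) -> range body; returns how often the password was seen."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))

if __name__ == "__main__":
    print(is_compromised("password123", lambda p: FAKE_RANGE_DB.get(p, "")))
```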
Personally, I am not leaving 23andme although I did change my password there. I am sad that many of the features that I love, like the DNA comparison tools, are temporarily closed down. I look forward to their return once the breach has been understood and dealt with.
Thank you for this post. That was my reaction as well. I did change my password, of course, but I am not understanding the hype.
Thanks, Kitty, for your lucid remarks. I have taken the same approach. As a former information security officer, your approach to the topic makes absolutely good sense.
Exactly! Are they planning to clone me (because I am awesome so the world needs more of me)? If not, then my genetic info isn’t going to do them much good. The only other thing of note might be my mother’s maiden name, since many sites still have that as one of their security questions, but that’s out there a bunch of other places too, I’m sure.
The only way I can log in to 23andMe is with Google. I have changed nothing and it is letting me in. What I’m not sure about, and which 23andMe has not responded to me about, is whether I need to change my Google password. Do you know anything about this?
Thank you.
I agree that it is all nonsense. I am STILL trying to get the password situation solved at 23andMe. A major nuisance.
Kitty,
Thank you for taking the time to point out the overblown nature of this so-called “hack”. I am concerned that there is actually another agenda at play here that goes far beyond DNA testing sites. This “event” smells of opportunism at the very least, and possibly more.
This type of thing is nothing new. So many act as if it is, and certainly most people that would behave as the “bad actors” have reportedly done in this 23andMe scenario would never make such a public announcement of their activity. The fact that it was announced at all makes me ponder the source of the initial report. The irony: many people have no problems with cameras on their phones, cameras on their computers, cameras on their neighbors’ homes, cameras on the streets, cameras at stores, microphones on their computers, microphones on their phones, microphones on “smart” TVs, and so on… many of which can be turned on remotely without the owners’ consent or awareness. So much else could be said, but my point has been made.
I finally chose Google, but then could only get in and still could not see any of the matches I had before. I wrote an email, had a brief reply that didn’t help, and wrote again, only to get a reply after 24 hours, that it would take longer.
Now I can’t access DNA for users I administer unless they put my email in, and then they can’t see their own results… I am not happy about this.
I shudder to think that anyone who understands how DNA works would downplay the severity of this hack.
The severity of the hack was not from the DNA gathering but from the acquisition of user names and emails, which can be obtained from numerous websites and databases. It wasn’t the DNA they wanted.
https://www.youtube.com/watch?v=KNaZU_oNaGQ
I shudder also. And cringe every time I read this post of Kitty’s. She should not downplay this.
Thank you! I really dislike 2FA. It is a big pain. I should be given the choice of whether to use it. I’ve been on GEDmatch for years, so all that stuff about privacy seems ridiculous.
Thanks for your post, I too don’t understand the hype around the information that was leaked but I do understand that this whole, sad affair was an excellent opportunity for news outlets and social media sites/bloggers/vloggers to get a lot more traffic than usual with their sensational and partially incorrect, clickbait headlines.
Thank you! This is the same as I’ve been saying for years.
For some to state that DNA could be used for blackmail, etc., and provide an example of how quickly a disease was found on one chromosome proves nothing. Why would someone want to go to all that trouble to find a genetic disease for someone they don’t know? What does that really prove? Nothing. If someone is going to steal an identity, etc., there are much easier means of compromising someone other than genealogy and science.
Most of the Genie internet, for me, 30+ years ago started off with a form of 2FA. You had a username and a password. Although some people used the same username all over. Then sites began accepting your email address and we dropped firmly back to one security factor. 2FA is not new.
In business 25 years ago I had as a second factor a one-time password sent via pager. This is now regarded as top level (without biomarkers). Even my bank account has had 2FA for a few years after people dragged them kicking and screaming to match European-grade security (and our citizen to Government internet system for confidential stuff like taxes).
It’s an extra step. It may be new to you but not to the world.
It can be a pain to get used to, but I did.
However, until 2FA is more widely used, this will unfortunately put one more barrier in the way of people who are not confident to engage with family history websites.
Agree with you fully.
23andMe is a mess, and I am sorry I ever paid for their tests. I have tried several times to get in to see my matches, and no luck. I have written, and the only thing I got back after 24 hours is that it will take longer! I hope no more of my cousins test there!