Much Ado About DNA Hacking

The recent panic in the press about hacking at 23andme seems overblown to me. What exactly would someone do with my DNA? There is nothing in there of any monetary value, nor do I have health risks that need to be private. Perhaps knowing which celebrities are Jewish or Chinese might be of use to some bad actors. The fact is that those lists are for sale on the dark web. Click here for an interesting article about that.
We have all been advised to guard our online privacy, but our DNA is not our social security number nor our credit card, so I am not worried about this yet. The hackers were able to use login credentials that were leaked from other sites to access those people’s accounts at 23andme. Then they could see information about other 23andme users whose DNA matched the compromised account. The type of information exposed was ethnicity, other relatives, and family tree information, plus whatever you said about yourself. This does not seem worrisome to me. My actual DNA was not exposed, and even if it were, it would take a very DNA-savvy hacker to use it to create a fake relative of mine.

Most of the DNA sites are now forcing two-factor authentication (2FA) on their users when they log in. That is where a text or an email is sent to you when you log in, to be sure it is you. This should prevent “credential stuffing” hacks in the future. If you try to log into 23andme, you will also discover that you must now change your password there. If your relative is deceased and their email of record is no longer available, you may be out of luck. Perhaps customer service can help you.
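The “credential stuffing” pattern described above (leaked username/password pairs from other sites tried against many accounts, most failing, a few succeeding where a password was reused) has a recognizable shape in login logs. The following is an added illustration, not 23andme’s code or logs: the log lines are constructed, the log format is assumed, and the thresholds are arbitrary. It shows how a site could spot a stuffing source and work out which accounts need a forced password reset, which is what the post says 23andme has done.

```python
"""Spot credential-stuffing traffic in login logs and list accounts to reset.

Added example with a constructed log format and constructed sample lines
(not 23andMe's code or data). One source address sprays many distinct
accounts, mostly failing; the few successes are users who reused a
password that was leaked elsewhere.
"""
from collections import defaultdict
import re

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: two normal users plus one stuffing source (203.0.113.7).
SAMPLE_LOG = """\
2023-10-05T08:00:01Z ip=198.51.100.10 user=alice@example.com result=OK
2023-10-05T08:00:09Z ip=198.51.100.11 user=bob@example.com result=FAIL
2023-10-05T08:00:15Z ip=198.51.100.11 user=bob@example.com result=OK
2023-10-05T08:01:00Z ip=203.0.113.7 user=carol@example.com result=FAIL
2023-10-05T08:01:01Z ip=203.0.113.7 user=dave@example.com result=FAIL
2023-10-05T08:01:02Z ip=203.0.113.7 user=erin@example.com result=OK
2023-10-05T08:01:03Z ip=203.0.113.7 user=frank@example.com result=FAIL
2023-10-05T08:01:04Z ip=203.0.113.7 user=grace@example.com result=FAIL
2023-10-05T08:01:05Z ip=203.0.113.7 user=heidi@example.com result=OK
2023-10-05T08:01:06Z ip=203.0.113.7 user=ivan@example.com result=FAIL
"""


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.5):
    """Return {ip: stats} for sources that look like credential stuffing.

    A legitimate user who mistypes a password retries the *same* account;
    a stuffing run touches many *distinct* accounts, roughly once each,
    and fails most of the time. Both thresholds are arbitrary choices.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0, "ok_users": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        if e["result"] == "FAIL":
            s["fail"] += 1
        else:
            s["ok"] += 1
            s["ok_users"].add(e["user"])

    flagged = {}
    for ip, s in per_ip.items():
        total = s["fail"] + s["ok"]
        if len(s["users"]) >= min_users and s["fail"] / total >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": s["fail"] / total,
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


def accounts_to_reset(flagged):
    """Accounts that logged in successfully from a flagged source.

    These are the users whose reused password was in the leaked list; they
    are the ones a site forces through a password reset (and, ideally, 2FA).
    """
    out = set()
    for s in flagged.values():
        out.update(s["compromised"])
    return sorted(out)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = find_stuffing_sources(events)
    for ip, stats in flagged.items():
        print(f"{ip}: {stats['distinct_users']} accounts, "
              f"{stats['fail_ratio']:.0%} failures, succeeded on {stats['compromised']}")
    print("reset:", accounts_to_reset(flagged))
```

Running the block flags only 203.0.113.7 (seven distinct accounts, five failures out of seven attempts) and lists erin and heidi for reset; bob's one retry from his own address is not flagged. The same “succeeded from a flagged source” list is also how a site knows which users’ DNA Relatives matches were viewable by the intruder.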

Here is the text of the recent email all my Jewish accounts received:

“Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.”

The moral of this story is not to use the same passwords on more than one site. Several of my favorite passwords were leaked in various hospital system breaches. Google is kind enough to tell me when I try to log in to a site with a compromised password. My recommendation is to use several passwords which you vary by including a 2 or 3 character indicator of the site name. So, for example, add “23m” somewhere in your 23andme password. Most of us have browsers which remember our passwords for us, and if they forget, we can use the forgot password link or have the site text us a code. I keep a text file of my passwords with written descriptions of which password was used rather than spelling them out. Naturally I use unique, different, and difficult passwords with two-factor security on sites that access money.
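The “compromised password” warning mentioned above works by checking a hash of the password against a corpus of leaked passwords, and it can be done without the checking service ever seeing the password. The following is an added example, not Google’s or 23andme’s code: the breach corpus is constructed here, and the protocol shape (send only the first five hex characters of the SHA-1 hash, get back every known suffix with that prefix, match locally) is the k-anonymity range query used by Have I Been Pwned’s Pwned Passwords service.

```python
"""Check a password against a breach corpus without revealing it.

Added example with a constructed corpus (not a real breach dump and not
any vendor's code). Client and "server" are both in this file so it runs
offline; in a real deployment range_lookup would be an HTTP call.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form breach corpora are published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: full hash -> number of times it was seen in leaks.
BREACH_CORPUS = {
    sha1_hex("password123"): 120000,
    sha1_hex("Summer2023"): 850,
    sha1_hex("letmein"): 43000,
}


def range_lookup(prefix5: str) -> dict:
    """Server side: every corpus hash that starts with the 5-char prefix.

    The server learns only the prefix, which covers a huge number of
    possible passwords, so it cannot tell which one the client holds.
    """
    return {h[5:]: count for h, count in BREACH_CORPUS.items() if h[:5] == prefix5}


def breach_count(password: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return range_lookup(prefix).get(suffix, 0)


def is_compromised(password: str) -> bool:
    return breach_count(password) > 0


if __name__ == "__main__":
    for candidate in ["password123", "Summer2023", "Summer2023-23m"]:
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
```

Because the comparison is on the full hash, the check is an exact match: “Summer2023” is reported as compromised, while the site-tagged variant “Summer2023-23m” is not, even though its base is in the corpus. A browser warning therefore tells you that a password is known, not that a closely related one is unknown to attackers.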

Personally, I am not leaving 23andme, although I did change my password there. I am sad that many of the features that I love, like the DNA comparison tools, are temporarily closed down. I look forward to their return once the breach has been understood and dealt with.


12 thoughts on “Much Ado About DNA Hacking”

  1. Thank you for this post. That was my reaction as well. I did change my password, of course, but I am not understanding the hype.

  2. Thanks, Kitty, for your lucid remarks. I have taken the same approach. As a former information security officer, your approach to the topic makes absolutely good sense.

  3. Exactly! Are they planning to clone me (because I am awesome so the world needs more of me)? If not, then my genetic info isn’t going to do them much good. The only other thing of note might be my mother’s maiden name, since many sites still have that as one of their security questions, but that’s out there a bunch of other places too, I’m sure.

  4. The only way I can login to 23andme is with Google. I have changed nothing and it is letting me in. What I’m not sure about, and to which 23andme has not responded to me about, is whether I need to change my Google password. Do you know anything about this?

  5. Thank you.
    I agree that it is all nonsense. I am STILL trying to get the password situation solved at 23andme. A major nuisance.

  6. Now I can’t access DNA for users I administer unless they put my email in, and then they can’t see their own results… I am not happy about this.

  7. Thank you! I really dislike 2FA. It is a big pain. I should be given the choice of whether to use it. I’ve been on GEDmatch for years, so all that stuff about privacy seems ridiculous.

  8. Thanks for your post, I too don’t understand the hype around the information that was leaked but I do understand that this whole, sad affair was an excellent opportunity for news outlets and social media sites/bloggers/vloggers to get a lot more traffic than usual with their sensational and partially incorrect, clickbait headlines.

  9. Thank you! This is the same as I’ve been saying for years.

    For some to state that DNA could be used for blackmail, etc., and provide an example of how quickly a disease was found on one chromosome proves nothing. Why would someone want to go to all that trouble to find a genetic disease for someone they don’t know? What does that really prove? Nothing. If someone is going to steal an identity, etc., there are much easier means of compromising someone other than genealogy and science.

  10. Most of the Genie internet, for me, 30+ years ago started off with a form of 2FA. You had a username and a password. Although some people used the same username all over. Then sites began accepting your email address and we dropped firmly back to one security factor. 2FA is not new.
    In business 25 years ago I had as a second factor a one-time password sent via pager. This is now regarded as top level (without biomarkers). Even my bank account has had 2FA for a few years after people dragged them kicking and screaming to match European-grade security (and our citizen to Government internet system for confidential stuff like taxes).
    It’s an extra step. It may be new to you but not to the world.
    It can be a pain to get used to, but I did.
    However, until 2FA is more widely used, this will unfortunately put one more barrier in the way of people who are not confident to engage with family history websites.
