I’m a fan of 23andMe. Which is to say, I appreciated the cost and speed with which they provided data about my own genetic makeup. It meant a lot to me and my family. I wrote about that in my comic which talks about my background.
But it’s no fun to get an email about a data breach, as I did today.
23andMe, Inc. (“23andMe”) takes the privacy and confidentiality of your information very seriously. We are writing to update you regarding an incident involving the personal information you made available through 23andMe’s optional DNA Relatives feature, further described below. Based upon our investigation of this incident, we believe only the profile information that you chose to share through our DNA Relatives feature was involved. There is no evidence that your 23andMe account, or any other information in your account was accessed in this incident.
What information was involved?
Our investigation determined that a threat actor accessed certain information about your ancestry that you chose to share in our DNA Relatives feature, specifically, your DNA Relatives display name, how recently you logged into your account, your relationship labels, and your predicted relationship and percentage DNA shared with the credential stuffed account holder through which your information was accessed. The following information may have also been accessed by the threat actor if you chose to share this information through the DNA Relatives feature: your ancestry reports and matching DNA segments (specifically where on your chromosomes you and your relative had matching DNA), self-reported location (city/zip code), ancestor birth locations and family names, profile picture, birth year, a weblink to a family tree you created, and anything else you may have included in the “Introduce yourself” section of your profile.
On October 1, 2023, a third party posted on the unofficial 23andMe subreddit site claiming to have 23andMe customers’ information and posting a sample of the stolen data. Upon learning of the incident, we immediately commenced an investigation and engaged third party incident response experts to assist in determining the extent of any unauthorized activity.
Based on our investigation, we believe a threat actor orchestrated a credential stuffing attack during the period from May 2023 through September 2023 to gain access to one or more 23andMe accounts that are connected to you through our optional DNA Relatives feature. Credential stuffing is a method of attack where threat actors use lists of previously compromised user credentials to gain access to another party’s systems. The threat actor accessed those accounts where the usernames and passwords that were used on 23andMe.com were the same as those used on other websites that were previously compromised or otherwise available.
Using this access, the threat actor was able to access information that included certain customers’ DNA Relatives profile information, including yours (collectively, the “DNAR Profile File”). The threat actor then created posts on a website entitled BreachForums that included links to the DNAR Profile File, which may have included your DNA Relatives profile information. These links expired within 24 hours of being made available. We have identified other websites where the DNAR Profile File has been re-posted. 23andMe is taking steps to have the re-posted DNAR Profile File removed from other websites.
What we are doing
When 23andMe became aware of the incident, we immediately began working with third-party security experts to investigate the incident, and we contacted federal law enforcement. On October 10, we required all 23andMe customers to reset their password. On November 6, we required all new and existing customers to log in using two-step verification. While we continue our investigation, we have also temporarily paused certain functionality within the 23andMe platform. We are also taking steps to have the re-posted DNAR Profile File removed from other websites.
What you can do
For more information about what information is a part of your DNA Relatives profile and how to manage your preferences visit our Customer Care article here. We also recommend you review our guidance here on how to keep your 23andMe account secure and for additional steps you can take to safeguard your account.
For more information
If you have additional questions you may email us at email@example.com or call us at 1-800-239-5230 on weekdays from 6am to 5pm PT. You may also write to 23andMe at Attn: Legal, 349 Oyster Point Blvd, South San Francisco, CA 94080.
Protecting our customers’ privacy and security continues to be a top priority. We will continue to invest in protecting our systems and data. We sincerely apologize for any inconvenience caused to you by this incident.