In This Article:
Genetic testing company 23andMe has temporarily disabled certain features of DNA Relatives, an optional sub service that allows users to share ancestry information with users worldwide amidst reports of a data breach earlier this month.
23andMe was recently made aware that an outside entity stole information users had voluntarily disclosed while using the DNA Relatives feature, according to a statement on the company’s website.
The information, gathered from individual 23andMe accounts was obtained without the user’s permission.
“We believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” 23andMe wrote on their website.
Using stolen usernames and passwords to gain unauthorized access to multiple accounts is a cyberattack technique is known as credential stuffing. Its one of the reasons why cybersecurity experts recommend against using the same password for different sites, according to Reuters.
The company is still investigating the origins of the security violation, but their findings thus far do not point to a breach, a data security incident, or that 23andMe was the source of the account credentials used in these attacks, a 23andMe representative shared with USA Today.
Here’s what we know.
Was every 23andMe customer impacted?
Not every 23andMe customer was impacted by the data breach, but its unclear how many registered users were targeted by hackers.
23andMe previously told Reuters that while an “unspecified amount of customer profile information had been compiled, the company itself had not been breached.”
Third-party forensic experts and federal law enforcement have been called in to assist the company with the investigation, 23andMe reported.
A numbers of customers were contacted Tuesday with additional details from 23andMe about the information that was taken, according to social media posts from registered users. The total number of customers contacted is unknown.
“We are reaching out to our customers to provide an update on the investigation and to encourage them to take additional actions to keep their account and password secure. Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA). If we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information,” according to 23andMe.