23andMe suffers data hack
Like everyone else who’s DNA-tested at 23andMe, The Legal Genealogist was dismayed this past week to learn of an apparent data hack at the DNA testing website.
If the reports are accurate, it’s not exactly a security hole that 23andMe could have plugged. The story is that hackers collected passwords associated with specific email addresses that had already been hacked at other sites and then reused them at 23andMe to see if they worked.
And because 23andMe uses email addresses as usernames and so many of us do engage in this risky business of reusing passwords, the hackers got access to a ton of data.
So far, personal information about roughly a million users of Ashkenazi Jewish descent and 300,000 users of Chinese descent was offered for sale on the so-called Dark Web. The data offered included full names, birth years, location information and more. Nobody knows how many accounts were accessed, how much data was scraped and what it might be used for.
As yet, there’s no indication that raw DNA data was hacked, but the incident is still under investigation.
But here’s the bottom line: no company can protect us from our own folly. Using a password across multiple websites in this day and age of data hacking is just that: folly. (And yeah, I’ve done it too. My pointing finger here is pointing right back at me too.)
Particularly at a website like a DNA testing company, don’t use a password you’ve ever used anywhere else.
And if you have — change your password now.
At 23andMe, the steps are to log in, go to the top right of the user page where your name or initials can be found, click on that and choose Settings. From Settings, choose to Edit your Account Settings. When the edit page opens, choose Change Password. You’ll need to enter your current password to change it to a new one.
Don’t wait. Do it today. And do a security check on every website where you have sensitive personal information: DNA testing sites and financial sites of any kind right at the top of the list.
Never ever reuse a password across multiple sites, and particularly not at a website where accessing your data could be dangerous to your health — financial or otherwise.
Change your password.
Now.
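One way to run the security check described above on your own logins, as an added example that is not part of the original post: it reads a password-manager export and lists every set of sites sharing the same email and password pair, with DNA testing and financial sites flagged to change first. The CSV column names, the sample rows and the keyword list are assumptions made for illustration.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict

# Constructed sample in a hypothetical password-manager CSV export layout.
SAMPLE_EXPORT = """site,username,password
23andme.com,Pat@example.com,Spring2019!
oldforum.example,pat@example.com,Spring2019!
mybank.example,pat@example.com,Spring2019!
photos.example,pat@example.com,k7#Vq2-unique
news.example,patty,Spring2019!
"""

# Assumed keyword list for the sites the post ranks highest: DNA testing and financial.
SENSITIVE_HINTS = ("23andme", "dna", "bank", "credit", "broker")


def find_reused_logins(export_text):
    """Return groups of sites that share one (username, password) pair.

    A breach at any site in a group hands an attacker a working login for
    every other site in it, which is the reuse the post describes.
    """
    key = secrets.token_bytes(32)  # per-run key: only keyed digests are kept while grouping
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"].strip().lower()  # Pat@ and pat@ count as the same login
        digest = hmac.new(key, row["password"].encode(), hashlib.sha256).digest()
        groups[(user, digest)].append(row["site"].strip().lower())
    findings = []
    for (user, _), sites in groups.items():
        if len(sites) < 2:
            continue  # a pair used at only one site is not reuse
        sensitive = sorted(s for s in sites if any(h in s for h in SENSITIVE_HINTS))
        findings.append({"username": user, "sites": sorted(sites), "change_first": sensitive})
    # Groups touching the most sensitive sites come first.
    return sorted(findings, key=lambda f: -len(f["change_first"]))


if __name__ == "__main__":
    for f in find_reused_logins(SAMPLE_EXPORT):
        print(f"{f['username']}: same password at {', '.join(f['sites'])}")
        print(f"  change first: {', '.join(f['change_first']) or '(none flagged)'}")
```

Delete the export file once the check is done, since it holds every password in plain text.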
Cite/link to this post: Judy G. Russell, “Change your password!,” The Legal Genealogist (https://www.legalgenealogist.com/blog : posted 8 Oct 2023).
Done. And when I pulled up my password on my iPad, there was a note saying I had used the same password on another site, so now I need to go in and change that one, too. Thanks, Judy!
Thank you for this post, Judy. The 23andMe breach hadn’t crossed my desk thus far on the other side of the world. I have changed my password. The hackers’ cross-referencing email addresses with passwords is a new threat level for us all.
23andMe has reset everyone’s password and a new password is mandatory. I understand the rationale, but this does have an adverse effect for some people who will lose access to other accounts they had access to. For instance, my deceased uncle no longer has the email address we used when I created an account for him.