Biotech company 23andMe, which matches customers' DNA samples against those of other customers, confirms that the profile information of some of its customers has been acquired by "threat actors".
The information is from customers who’ve opted into 23andMe’s “DNA Relatives feature” which allows customers to find and connect with genetic relatives who are also 23andMe customers.
23andMe is one of several companies to which people submit their own DNA samples through saliva. Customers purchase in-home kits and participate for various reasons. Perhaps chief among those reasons is curiosity about their family's origin and identifying family members. Others use the kit to find out if their genetics makes them susceptible to certain
Multiple reports found a threat actor advertising the stolen profiles on the Dark Web, asking for thousands of dollars from anyone interested in purchasing the usernames and passwords.
"It's terrifying," said cybersecurity expert Boyd Clewis. "It's one of those things that, this is so new I can't even fathom right now what the implications are of that, like what can be done with the data. I just know that if I was part of that compromise, I'd be freaking out right now."
Clewis said the profile information itself poses a great risk just for the information it offers.
“Think of how many password reset questions they have. What’s your grandmother’s name, what street did you grow up on, that information is revealed in those profiles.”
An even greater concern is the DNA information itself.
Along with 23andMe's DNA Relatives feature, users can also submit information to GEDMatch, which can match one's DNA to others around the globe, even if those others never signed up for 23andMe.
It's a tool police used a few years ago to catch the Golden State Killer, who police say was responsible for multiple rapes and murders in California between 1974 and 1986. Investigators accessed the DNA database that linked family members who'd shared their DNA through one of the DNA kits, such as 23andMe, with GEDMatch.
In that case, police had the DNA evidence from the crime scene that linked James DeAngelo with family members who'd submitted their DNA information to GEDMatch.
I asked Clewis: if a hacker gets their hands on someone's DNA information, could it link to the DNA of people who didn't use one of the kits themselves?
"It shows all of my family that's connected to me because it is ingrained in that profile. And I would definitely say it is very likely that now, not only do they have that person's DNA information, but also relatives'."
23andMe says the compromised profiles were those of customers who reused the same password on multiple accounts. It is resetting the passwords for all of its users as a precaution and encouraging them to use two-factor authentication.
Changing the 23andMe password isn’t enough, though.
Customers should also change the passwords for their other accounts if they used the same password. Clewis also says 23andMe users should sign up for credit monitoring as soon as possible.
23andMe said in a blog post that it is working with law enforcement and third-party forensics experts to investigate, and that it will notify any user whose profile information was compromised.