What the Tech? 23andMe data leak

By JAMIE TUCKER Consumer Technology Reporter

Biotech company 23andMe, which matches DNA samples with others, confirms that the profile information of some of its customers has been acquired by “threat actors”.

The information is from customers who’ve opted into 23andMe’s “DNA Relatives feature” which allows customers to find and connect with genetic relatives who are also 23andMe customers.

23andMe is one of several companies where people submit their own DNA samples through saliva. Customers purchase in-home kits and participate for various reasons. Perhaps chief among those reasons is curiosity about their family’s origin and a desire to identify family members. Others use the kit to find out if their genetics make them susceptible to certain illnesses.

Multiple reports found a threat actor advertising the stolen profiles on the dark web, asking for thousands of dollars from anyone interested in purchasing the usernames and passwords.

“It’s terrifying,” said cyber security expert Boyd Clewis. “It’s one of those things that, this is so new I can’t even fathom right now what the implications are of that, like what can be done with the data. I just know that if I was part of that compromise, I’d be freaking out right now.”

Clewis said the profile information itself poses a great risk just for the information it offers. “Think of how many password reset questions they have. What’s your grandmother’s name, what street did you grow up on, that information is revealed in those profiles.”

An even greater concern is the DNA information itself.

Along with 23andMe’s DNA Relatives feature, users can also submit information to GEDmatch, which can match one’s DNA to others around the globe, even if they didn’t sign up for 23andMe.

It’s a tool police used a few years ago to catch the Golden State Killer, who police say was responsible for multiple rapes and murders in California between 1974 and 1986. Investigators accessed the DNA database that linked family members who’d shared their DNA from one of the DNA kits, such as 23andMe, with GEDmatch.

In that case, police had the DNA evidence from the crime scene that linked James DeAngelo with family members who’d submitted their DNA information to GEDmatch.

I asked Clewis if a hacker gets their hands on someone’s DNA information, could it link to the DNA from people who didn’t use one of the kits themselves?

“It shows all of my family that’s connected to me because it is ingrained in that profile. And I would definitely say it is very likely that now, not only do they have that person’s DNA information, but also relatives.”

23andMe says the compromised profiles were of customers who reused the same password on multiple accounts. It is resetting the passwords for all of its users as a precaution and encouraging them to use two-factor authentication.

Changing the 23andMe password isn’t enough though. Customers should also change the passwords for their other accounts if they used the same password. Clewis also says 23andMe users should sign up for credit monitoring as soon as possible.

23andMe said in a blog post it is working with law enforcement and third-party forensics experts to investigate and that it will notify any user if their profile information was compromised.

 
