23andMe Hack Is a Wake-Up Call for Your Password Habits | Mint


The incident at the DNA test-kit company highlights the risks of reused passwords.

The recent breach of 23andMe user accounts shows a simple yet powerful truth about data security: Don’t reuse passwords, people.

The DNA test-kit company on Monday reported a hacker accessed 14,000 accounts because of password reuse, exposing information belonging to approximately 6.9 million people. The 23andMe computer network wasn’t breached and wasn’t the source of these compromised credentials, a company spokesman said in a statement. The company first disclosed the incident in October and has been investigating since then.

The passwords used to break into these accounts had most likely been stolen from other websites. Because they were reused, they also worked on 23andMe, security experts say. This type of attack is known as credential stuffing, and it puts 23andMe in the company of other major businesses that have fallen victim to the cybercrime trend, including Netflix, Nintendo, Zoom and PayPal.

It isn’t uncommon to see credential stuffing used to compromise thousands of accounts, but with 23andMe, the data in question is unusual, said Ryan McGeehan, owner of R10N Security, a cybersecurity consulting firm.

“The issue here is that 23andMe is a social site that also has healthcare information,” he said. “And both of these increase the risk of exposure of the data, and the value of the data itself.”

Sensitive data

The California-based biotechnology company offers users information about their genetic makeup through at-home DNA analysis. Customers receive a testing kit in the mail and ship back a saliva sample, which 23andMe analyzes to reveal information about ancestry, genetic traits, health predispositions and whether they are a potential carrier for certain genetic conditions.

Users can also opt in to the DNA Relatives feature, allowing them to find and connect with genetic relatives in the 23andMe database. And they can add information about themselves and their family members to their profiles using the Family Tree tool.

Through a breach that occurred in October, a hacker accessed about 5.5 million DNA Relatives profile files, which include locations, display names, relationship labels and DNA shared with matches. The attacker also accessed the Family Tree profiles of 1.4 million customers, which contain less information but include personal identifiers like birth years and locations.

DNA doesn’t currently have a clear market value for hackers, said Jennifer King, a privacy and data policy fellow at Stanford University. “But given how unique and irreplaceable it is, we would be foolish to assume that it wouldn’t have some type of value,” she said. “In some cases, you may not be at significant risk. But you may be related to someone who may be.”

This kind of information about relatives and family relationships could be used by online scammers, who sometimes pretend to be a family member in need of money, said Alex Holden, the founder of cybersecurity consulting firm Hold Security.

Password protections

Hackers have created a variety of automated tools to test stolen passwords against new websites. They then bundle the ones that work in databases that are sold on criminal forums. That has helped feed a jump in credential-stuffing attacks over the past few years. It has also pushed many companies into new authentication techniques such as passkeys—which ditch passwords entirely—and multifactor authentication, which requires extra identity confirmation before letting someone into an account.
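The pattern described above (one source trying many different accounts with stolen passwords, most of which fail) is what a defender looks for in login logs. The following is an added example, not code from the article or from 23andMe; it runs a simple credential-stuffing heuristic over constructed log lines, with the log format, IP addresses and thresholds all assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one login attempt per line: "timestamp ip username result".
# 203.0.113.7 sprays six different accounts and gets into two; 198.51.100.4 is
# one user mistyping their own password, which the heuristic should not flag.
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice FAIL
2023-10-01T10:00:02 203.0.113.7 bob OK
2023-10-01T10:00:03 203.0.113.7 carol FAIL
2023-10-01T10:00:04 203.0.113.7 dave FAIL
2023-10-01T10:00:05 203.0.113.7 erin OK
2023-10-01T10:00:06 203.0.113.7 frank FAIL
2023-10-01T10:01:00 198.51.100.4 alice FAIL
2023-10-01T10:01:20 198.51.100.4 alice FAIL
2023-10-01T10:01:45 198.51.100.4 alice OK
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources that try at least `min_users` distinct
    accounts inside `window` with a success rate of at most `max_success_ratio`.
    The summary lists which accounts the source did get into, so they can be
    forced through a password reset."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            attempts[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        for start, _, _ in events:  # slide a window starting at each event
            in_win = [e for e in events if start <= e[0] <= start + window]
            users = {u for _, u, _ in in_win}
            successes = [u for _, u, ok in in_win if ok]
            if len(users) >= min_users and len(successes) / len(in_win) <= max_success_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(in_win),
                               "compromised": sorted(successes)}
                break
    return flagged
```

A production detector would also key on user agent and ASN and account for distributed attempts from many addresses, which this single-IP heuristic will miss.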

Companies are still using passwords, but these new options make things more secure, McGeehan said. “We don’t have to get rid of passwords completely, but we can reduce the amount they are exposed,” he said.

If you’re a 23andMe user, the first thing to do is change your password immediately, something the company is prompting all users to do.

Ensure it is unique and complex. If you use the same password for multiple accounts, stop it! Consider using a password manager to store unique passwords for each site, reducing the risk of password reuse. 23andMe said in a Nov. 6 blog post that it will automatically enroll existing customers into two-factor authentication the next time they sign in.

The company said if it learns that a customer’s data has been accessed without authorization, it will notify the customer directly.

Write to Dalvin Brown at dalvin.brown@wsj.com and Robert McMillan at robert.mcmillan@wsj.com
