In early October, a bad actor claimed they were selling account details from the genetic testing service 23andMe, which included alleged data of one million users of Ashkenazi Jewish descent and another 100,000 users of Chinese descent. By mid-October this expanded to another four million more general accounts. The data includes display name, birth year, sex, and some details about genetic ancestry results, but no genetic data. There's nothing you can do if your data was already accessed, but it's a good time to reconsider how you're using the service to begin with.

Details about any specific accounts affected are still scant, but we do know some broad strokes. In a blog post, 23andMe claims the bad actors accessed the accounts through "credential stuffing": the practice of taking a set of usernames and passwords leaked in a previous data breach and trying them on another website in hopes that people have reused passwords.

TechCrunch found the data may have been first leaked back in August, when a bad actor posted on a hacking forum that they'd accessed 300 terabytes of stolen 23andMe user data. At the time, not much was made of the supposed breach, but then in early October a bad actor posted a data sample on a different forum claiming that the full set of data contained 1 million data points about people with Ashkenazi Jewish ancestry. In a statement to The Washington Post, a 23andMe representative noted that this "would include people with even 1% Jewish ancestry." Soon after, another post claimed they had data on 100,000 Chinese users. Then, on October 18, yet another dataset showed up on the same forum that included four million users, with the poster claiming it included data from "the wealthiest people living in the U.S. and Western Europe on this list."

Basically, it appears an attacker took username and password combinations from previous breaches and tried them to see if they worked on 23andMe accounts. When logins worked, they scraped all the information they could, including the shared data about relatives if both the relatives and the original account had opted into the DNA Relatives feature. 23andMe suggests that the bad actors compiled the data from accounts using the optional "DNA Relatives" feature, which allows 23andMe users to automatically share data with others on the platform who may be their relatives.

It's still unclear whether the data set deliberately targets the Ashkenazi Jewish population or whether that framing is a tasteless way to draw attention to the data sale, but the fact that the data can be used to target ethnic groups is unsettling.

23andMe says it will continue updating its blog post with new information as it has it.

If your data is included in this stolen data set, there's not much you can do to get it back, nor is there a way to search through it to see if your information is included. But you should log into your 23andMe account and change your security and privacy settings to protect against any issues in the future. 23andMe is currently requiring all users to change their passwords.

Reusing passwords is a common practice, but instead of blaming its customers, 23andMe should be doing more to make its default protections stronger. Features like requiring two-factor authentication and frequent privacy check-up reminders, like those offered by most social networks these days, could go a long way toward helping users reconsider and better understand their privacy. Putting the burden on customers to use unique passwords and to opt into account protection features like two-factor authentication, instead of requiring them, is an unfortunate look for a company that handles sensitive data.

23andMe is generally one of the better actors in this space. It requires an individualized warrant for police access to its data, doesn't give police direct access to its database (unlike GEDmatch and FTDNA), and pushes back on overbroad warrants. 23andMe pitches "DNA Relatives" almost like a social network, and a fun way to find a second cousin or two. There are some privacy guardrails on using the feature, like the option to hide your full name, but with a potentially full family tree otherwise available, an individual's privacy choices here may not be that protective.

Genetic information is an important tool in testing for disease markers and researching family history, but there are no federal laws that clearly protect users of online genetic testing sites like 23andMe. The ability to research family history and disease risk shouldn't carry the risk that our data will be accessible in data breaches, through scraped accounts, by law enforcement, insurers, or in other ways we can't foresee.
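The credential stuffing described above has a recognisable shape in authentication logs: one source touches many different accounts, tries roughly one password per account (the leaked one), fails most of the time, and occasionally succeeds. The script below is an added example, not code from 23andMe or from the original article. It runs over constructed log lines in an invented four-field format (timestamp, source IP, username, outcome), and the thresholds are assumptions chosen for the sample, not published values. It separates stuffing from single-account brute force and reports which accounts the stuffing source actually logged into, since those are the accounts that were scraped and need a forced reset and session revocation.

```python
"""Credential-stuffing detection over authentication log lines.

Constructed sample data, not real 23andMe logs. Each line is:
<ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
"""
from datetime import datetime

SAMPLE_LOG = """\
2023-10-01T02:14:05Z 203.0.113.7 alice@example.com FAIL
2023-10-01T02:14:06Z 203.0.113.7 bob@example.com FAIL
2023-10-01T02:14:06Z 203.0.113.7 carol@example.com OK
2023-10-01T02:14:07Z 203.0.113.7 dave@example.com FAIL
2023-10-01T02:14:07Z 203.0.113.7 erin@example.com FAIL
2023-10-01T02:14:08Z 203.0.113.7 frank@example.com OK
2023-10-01T02:14:08Z 203.0.113.7 grace@example.com FAIL
2023-10-01T02:14:09Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T02:14:09Z 203.0.113.7 ivan@example.com FAIL
2023-10-01T02:14:10Z 203.0.113.7 judy@example.com FAIL
2023-10-01T09:30:00Z 198.51.100.4 mallory@example.com FAIL
2023-10-01T09:30:02Z 198.51.100.4 mallory@example.com FAIL
2023-10-01T09:30:04Z 198.51.100.4 mallory@example.com FAIL
2023-10-01T09:30:06Z 198.51.100.4 mallory@example.com FAIL
2023-10-01T09:30:08Z 198.51.100.4 mallory@example.com FAIL
2023-10-01T09:30:10Z 198.51.100.4 mallory@example.com FAIL
2023-10-01T12:00:00Z 192.0.2.10 peggy@example.com FAIL
2023-10-01T12:00:09Z 192.0.2.10 peggy@example.com OK
"""

# Tunable thresholds (assumptions for this example, not 23andMe's real settings).
MIN_DISTINCT_USERS = 5        # stuffing fans out across many accounts
MAX_ATTEMPTS_PER_USER = 2.0   # one leaked password per account, so few tries each
MIN_FAILURE_RATIO = 0.5       # most reused passwords have since been changed
BRUTE_FORCE_ATTEMPTS = 5      # many guesses against a single account


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2].lower(), parts[3] == "OK"))
    return events


def profile_sources(events):
    """Aggregate per source IP: attempts, failures, distinct users, successful users, time span."""
    stats = {}
    for ts, ip, user, ok in events:
        s = stats.setdefault(ip, {"attempts": 0, "failures": 0, "users": set(),
                                  "succeeded": set(), "first": ts, "last": ts})
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["succeeded"].add(user)
        else:
            s["failures"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def classify(s):
    """Label one source's stats as credential_stuffing, brute_force or benign."""
    distinct = len(s["users"])
    per_user = s["attempts"] / distinct
    fail_ratio = s["failures"] / s["attempts"]
    if (distinct >= MIN_DISTINCT_USERS and per_user <= MAX_ATTEMPTS_PER_USER
            and fail_ratio >= MIN_FAILURE_RATIO):
        return "credential_stuffing"
    if distinct == 1 and s["attempts"] >= BRUTE_FORCE_ATTEMPTS and fail_ratio >= MIN_FAILURE_RATIO:
        return "brute_force"
    return "benign"


def detect(text):
    """Return {ip: (verdict, accounts a stuffing source successfully logged into)}.

    The successes, not the failures, are the accounts that were scraped and
    need a forced password reset plus session revocation.
    """
    findings = {}
    for ip, s in profile_sources(parse_log(text)).items():
        verdict = classify(s)
        hits = sorted(s["succeeded"]) if verdict == "credential_stuffing" else []
        findings[ip] = (verdict, hits)
    return findings


if __name__ == "__main__":
    stats = profile_sources(parse_log(SAMPLE_LOG))
    for ip, (verdict, hits) in detect(SAMPLE_LOG).items():
        s = stats[ip]
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        print(f"{ip:<14} {verdict:<20} {s['attempts']} attempts on {len(s['users'])} accounts "
              f"({60 * s['attempts'] / span:.0f}/min); compromised: {hits}")
```

Per-IP aggregation is the simplest cut and is what this sample shows; real stuffing campaigns are usually spread over proxy pools so that no single address crosses the thresholds, and the durable signal is then the global failure rate on distinct accounts over a short window, keyed by ASN or by device fingerprint rather than by address.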
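The article notes that relatives' data was scraped only when both the compromised account and the relative had opted into DNA Relatives. The model below is an added example, not 23andMe's data model or code: the population, the opt-in flags and the match graph are constructed for illustration, and the service's real matching logic is not assumed. It computes which profiles an attacker can read from a given set of stolen credentials, showing both the amplification (one login exposes every opted-in match) and its limit (opted-out users stay hidden, and there is no second hop because the attacker has no credentials for the relatives).

```python
"""Exposure through a mutual opt-in relatives feature, on constructed data.

Toy population and match graph invented for this example; 23andMe's real data
model and matching logic are not public and are not assumed here.
"""

# Constructed: user id -> whether the user opted into DNA Relatives.
OPTED_IN = {"a": True, "b": True, "c": False, "d": True, "e": True, "f": True, "g": False}

# Constructed: undirected genetic matches the service would surface to both sides.
MATCHES = [("a", "b"), ("a", "c"), ("a", "d"), ("b", "e"), ("d", "f"), ("f", "g")]


def adjacency(matches):
    """Build an undirected adjacency map from match pairs."""
    adj = {}
    for x, y in matches:
        adj.setdefault(x, set()).add(y)
        adj.setdefault(y, set()).add(x)
    return adj


def exposed_profiles(compromised, opted_in, matches):
    """Return the set of users whose profile data an attacker can read.

    Logging into a compromised account always yields that account's own data.
    Its relatives list is readable only if the account opted in, and it lists
    only matches who also opted in (the feature is mutual). The attacker holds
    no credentials for those relatives, so exposure stops after one hop.
    """
    adj = adjacency(matches)
    exposed = set(compromised)
    for acct in compromised:
        if not opted_in.get(acct, False):
            continue
        exposed.update(rel for rel in adj.get(acct, ()) if opted_in.get(rel, False))
    return exposed


def amplification(compromised, opted_in, matches):
    """Exposed profiles per compromised credential."""
    return len(exposed_profiles(compromised, opted_in, matches)) / len(compromised)


if __name__ == "__main__":
    for seed in ({"a"}, {"c"}, {"a", "f"}):
        hit = exposed_profiles(seed, OPTED_IN, MATCHES)
        print(f"compromised {sorted(seed)} -> exposed {sorted(hit)} "
              f"(x{amplification(seed, OPTED_IN, MATCHES):.1f})")
```

Running it with user "b" flipped to opted out shows the lever the article points at: "b" drops out of the exposed set even though "a", whom "b" matches, is fully compromised.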