In early October, a bad actor claimed they were selling account details from the genetic testing service, 23andMe, which included alleged data of one million users of Ashkenazi Jewish descent and another 100,000 users of Chinese descent. By mid-October this expanded out to another four million more general accounts. The data includes display name, birth year, sex, and some details about genetic ancestry results, but no genetic data. There's nothing you can do if your data was already accessed, but it's a good time to reconsider how you're using the service to begin with. 

What Happened

In a blog post, 23andMe claims the bad actors accessed the accounts through "credential stuffing:" the practice of using one set of leaked usernames and passwords from a previous data breach on another website in hopes that people have reused passwords. 

Details about any specific accounts affected are still scant, but we do know some broad strokes. TechCrunch found the data may have been first leaked back in August when a bad actor posted on a hacking forum that they'd accessed 300 terabytes of stolen 23andMe user data. At the time, not much was made of the supposed breach, but then in early October a bad actor posted a data sample on a different forum claiming that the full set of data contained 1 million data points about people with Ashkenazi Jewish ancestry. In a statement to The Washington Post a 23andMe representative noted that this "would include people with even 1% Jewish ancestry." Soon after, another post claimed they had data on 100,000 Chinese users. Then, on October 18, yet another dataset showed up on the same forum that included four million users, with the poster claiming it included data from "the wealthiest people living in the U.S. and Western Europe on this list." 

23andMe suggests that the bad actors compiled the data from accounts using the optional "DNA Relatives" feature, which allows 23andMe users to automatically share data with others on the platform who they may be relatives with. 

Basically, it appears an attacker took username and password combinations from previous breaches and tried those combinations to see if they worked on 23andMe accounts. When logins worked, they scraped all the information they could, including all the shared data about relatives if both the relatives and the original account opted into the DNA Relatives feature.

That's all we know right now. 23andMe says it will continue updating its blog post here with new information as it has it.

Why It Matters

Genetic information is an important tool in testing for disease markers and researching family history, but there are no federal laws that clearly protect users of online genetic testing sites like 23andMe and Ancestry.com. The ability to research family history and disease risk shouldn’t carry the risk that our data will be accessible in data breaches, through scraped accounts, by law enforcement, insurers, or in other ways we can't foresee. 

It's still unclear if the data is deliberately targeting the Ashkenazi Jewish population or if it's a tasteless way to draw attention to the data sale, but the fact the data can be used to target ethnic groups is an unsettling use. 23andMe pitches "DNA Relatives" almost like a social network, and a fun way to find a second cousin or two. There are some privacy guardrails on using the feature, like the option to hide your full name, but with a potentially full family tree otherwise available an individual's privacy choices here may not be that protective. 

23andme is generally one of the better actors in this space. They require an individualized warrant for police access to their data, don't allow direct access to all data (unlike GEDmatch and FTDNA), and push back on overbroad warrants. But putting the burden on its customers to use unique passwords and to opt intoinstead of requiringaccount protection features like two-factor authentication is an unfortunate look for a company that handles sensitive data. 

Reusing passwords is a common practice, but instead of blaming its customers, 23andMe should be doing more to make its default protections stronger. Features like requiring two-factor authentication and frequent privacy check-up reminders, like those offered by most social networks these days, could go a long way to help users reconsider and better understand their privacy.

How to Best Protect Your Account

If your data is included in this stolen data set, there's not much you can do to get your data back, nor is there a way to search through it to see if your information is included. But you should log into your 23andMe account to make some changes to your security and privacy settings to protect against any issues in the future:

  • 23andMe is currently requiring all users to change their passwords. When you create your new one, be sure to use a unique password. A password manager can help make this easier. A password manager can also usually tell you if previously used passwords of yours have been found in a breach, but in either case you should create a unique password for different sites.
  • Enable two-factor authentication on your 23andMe account by following the directions here. This makes it so in order to log into your account, you'll need to provide not only your username and password, but also a second factor, in this case a code from an two-factor authentication app like Authy or Google Authenticator.
  • Change your display name in DNA Relatives so it's just your initials, or consider disabling this feature entirely if you don't use it. 

Taking these steps may not protect other unforeseen privacy invasions, but it can at least better protect it from the rest of the potential issues we know exist today.

How to Download and Delete Your Data

If this situation makes you uneasy with your data being on the platform, or you've already gotten out of it what you wanted, then you may want to delete your account. But before you do so, consider downloading the data for your own records. To download your data:

  1. Log into your 23andMe account and click your username, then "Settings." 
  2. Scroll down to the bottom where it says "23andMe Data" and click "View."
  3. Here, you'll find the option to download various parts of your 23andMe data. The most important ones to consider are:
    1. The "Reports Summary" includes details like the "Wellness Reports," "Ancestry Reports," and "Traits Reports."
    2. The "Ancestry Composition Raw Data" the company's interpretation of your raw genetic data.
    3. If you were using the DNA Relatives feature, the "Family Tree Data" includes all the information about your relatives. Based on the descriptions of the data we've seen, this sounds like the data the bad actors collected.
    4. You can also download the "Raw data," which is the uninterpreted version of your DNA. 

There are other types of data you can download on this page, though much of it will not be of use to you without special software. But there's no harm in downloading everything.

Once you have that data downloaded, follow the company's guide for deleting your account. The button to start the process is located on the bottom of the same account page where you downloaded data.

Our DNA contains our entire genetic makeup. It can reveal where our ancestors came from, who we are related to, our physical characteristics, and whether we are likely to get genetically determined diseases. This incident is an example of why this matters, and how certain features that may seem useful in the moment can be weaponized in novel ways. For more information about genetic privacy, see our Genetic Information Privacy legal overview, and other Health Privacy-related topics on our blog.