Days after personal user information appeared online, genetic testing company 23andMe said it is requiring all users to reset their passwords “out of an abundance of caution.”
On Friday, 23andMe confirmed that hackers had obtained some users’ data, but stopped short of calling the incident a data breach. The company said hackers had accessed “certain accounts” of 23andMe users using passwords that were not unique to the service, a common technique known as credential stuffing, in which hackers attempt to break into victims’ accounts using passwords that have already been made public in previous data breaches.
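Credential stuffing has a recognisable shape in authentication logs: one source tries a long list of different accounts, roughly once each, with a low success rate, which is the opposite of a legitimate user retrying their own password. The following is an added example, not code from 23andMe or from this article, showing how a defender might pick that pattern out of login events and derive the list of accounts that need a forced password reset and session revocation. The log format and the sample lines are constructed for the example; the thresholds are assumptions that a real deployment would tune.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample login events (not real data): timestamp, source IP, account, result.
# 203.0.113.7 walks through ten different accounts in seconds (credential stuffing).
# 198.51.100.4 retries one account three times (a user who forgot their password).
# 192.0.2.9 is an ordinary single successful login.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol@example.com OK
2023-10-01T12:00:03Z 203.0.113.7 dave@example.com FAIL
2023-10-01T12:00:04Z 203.0.113.7 erin@example.com FAIL
2023-10-01T12:00:05Z 203.0.113.7 frank@example.com OK
2023-10-01T12:00:06Z 203.0.113.7 grace@example.com FAIL
2023-10-01T12:00:07Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T12:00:08Z 203.0.113.7 ivan@example.com FAIL
2023-10-01T12:00:09Z 203.0.113.7 judy@example.com FAIL
2023-10-01T12:05:00Z 198.51.100.4 alice@example.com FAIL
2023-10-01T12:05:20Z 198.51.100.4 alice@example.com FAIL
2023-10-01T12:05:40Z 198.51.100.4 alice@example.com OK
2023-10-01T13:00:00Z 192.0.2.9 bob@example.com OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    account: str
    success: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the constructed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result == "OK"))
    return events


def detect_credential_stuffing(events: List[LoginEvent], window: timedelta = timedelta(minutes=10),
                               min_accounts: int = 5, max_attempts_per_account: float = 2.0) -> Dict[str, dict]:
    """Flag sources that hit many distinct accounts within one window with few attempts per account.

    Returns {src_ip: {"accounts": n, "attempts": n, "compromised": [accounts with a successful login]}}.
    Thresholds are assumed values for the example, not an industry standard.
    """
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            distinct = {e.account for e in span}
            if len(distinct) >= min_accounts and len(span) / len(distinct) <= max_attempts_per_account:
                # The source is hostile: every account it logged into successfully is suspect.
                findings[ip] = {
                    "accounts": len({e.account for e in evs}),
                    "attempts": len(evs),
                    "compromised": sorted({e.account for e in evs if e.success}),
                }
                break
    return findings


def accounts_to_reset(findings: Dict[str, dict]) -> List[str]:
    """Accounts that need a forced password reset and session-token revocation."""
    return sorted({a for f in findings.values() for a in f["compromised"]})


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"{ip}: {info['attempts']} attempts across {info['accounts']} accounts, "
              f"successful logins into {info['compromised']}")
    print("force reset + revoke sessions:", accounts_to_reset(found))
```

The retrying user and the normal login are not flagged because they touch a single account; only the source spraying many accounts is. Note that a successful login from a flagged source is exactly the case where a password reset alone is insufficient, since the attacker already holds a valid session until it is revoked.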
23andMe’s announcement came two days after hackers announced an alleged sample of 23andMe user data on the hacking forum BreachForums, offering to sell individual profiles for between $1 and $10. The sample, seen by TechCrunch, contained the purported user data of one million users of Ashkenazi Jewish descent. Another BreachForums user claimed to have the 23andMe data of 100,000 Chinese users.
According to 23andMe, the data was “compiled” from users who had opted in to the DNA relatives feature, which allows users who choose to activate the feature to automatically share their data with others. In theory, this would allow a hacker to obtain the data of more than one victim simply by logging into the account of someone who opted into this feature.
Late Monday, 23andMe posted an update to their website, announcing that they have forced all users to change their passwords and saying they are “encouraging the use of multi-factor authentication.”
A 23andMe user, who asked to remain anonymous to protect their privacy, shared the email they received from the company, where 23andMe wrote that the company “does not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.”
The user told TechCrunch that they had been a 23andMe beta tester since 2012 and had watched their database and connections grow, “finding more cousins and even hidden siblings from parents.” And while 23andMe is “a great product,” the user said, the company “knows a lot” and this is a “sad” incident.
It is unclear if, as of this writing, all users have received an email asking them to reset their passwords.
Another 23andMe user told TechCrunch that they have not yet received a password reset email. Instead, they said that when they tried to log in, they saw a new message: “23andMe is resetting all passwords to improve password security. Choose a new password that is unique to 23andMe.”
“I couldn’t log in, so I clicked ‘Forgot Password’ to refresh and log back into my account,” said the user, who also asked to remain anonymous to protect their privacy.
The user shared a screenshot of the login page they saw.
23andMe did not immediately respond to a number of questions, including whether it verified that the leaked data is legitimate, whether it revoked all users’ session tokens (meaning 23andMe logged users out on all devices they had logged in on) and whether the company changed its password policy.
Since the allegedly hacked data came to light on Wednesday and 23andMe only asked users to reset passwords five days later, one cybersecurity expert said the company could have responded faster to the incident.
“I would like to see organizations proactively support their users to avoid the risk of credential stuffing, and in the case of 23andMe, the reaction to force password resets could have happened much earlier, as soon as the credential stuffing attack became known,” Rachel Tobac, a hacker and CEO of SocialProof Security, told TechCrunch. “Over time, I would like to see organizations focus on proactive rather than reactive actions to reduce this risk, and reactive responses should occur quickly.”