
Key Takeaways

  • Data breaches are a recurring problem, and your DNA is now at risk. 23andMe suffered a breach where hackers stole data profiles, including personal information and genetic ancestry results.
  • The breach was a result of a credential stuffing attack, where hackers used login credentials gathered from previous data leaks. The "DNA Relatives" feature also allowed hackers to access other people's data.
  • 23andMe confirmed the breach but denied it was an internal attack. The stolen data is already out there, so it's important to avoid reusing passwords with other accounts.

Data breaches have happened over and over this past year, and they show no sign of slowing down. Maybe it's not your password (or maybe it was), but you never know when something important about you, such as your phone number or your social security number, makes its way into a data dump. But have you thought of the prospect of your DNA getting into a data dump? Well, that's not a remote prospect anymore.

In case you're not familiar with 23andMe, it's a company that ships you a DNA test kit; you use it, ship it back, and the company tells you all kinds of cool details about yourself and your ancestry. You can discover where your DNA is from and what traits you have, and it can even find distant relatives for you based on how much your DNA matches theirs. Doing this also means the firm has to store your genetic data, which makes that data a target for breaches. And that's exactly what happened. Using a credential stuffing attack, hackers managed to steal data profiles and are now selling them in bulk. The stolen data includes details such as usernames, full names, profile pictures, dates of birth, genetic ancestry results, and even your geographical location.

In a statement, a 23andMe representative confirmed to Bleeping Computer that the breach was legitimate, but denied that it had anything to do with an internal attack on the firm's systems. Instead, they said that "the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials." In other words, hackers got into accounts using credentials that were already floating around from other leaks, and the attack was made worse by the opt-in "DNA Relatives" feature, which meant that each compromised account also exposed data about other people linked to it. Oops.
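Credential stuffing has a recognisable shape in a login log: one source tries a different username on nearly every attempt, most attempts fail because the leaked password no longer matches, and the few that succeed are the accounts that reused a password. The following detector is an added example (not code from 23andMe or from the original article) that looks for that pattern; it assumes a hypothetical one-line-per-attempt log format and runs over a constructed sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (hypothetical format, not a real service's logs).
# 198.51.100.7 tries one password per account across many accounts and gets
# into two of them; 203.0.113.5 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=198.51.100.7 user=alice result=FAIL
2023-10-01T10:00:02Z ip=198.51.100.7 user=bob result=FAIL
2023-10-01T10:00:03Z ip=198.51.100.7 user=carol result=OK
2023-10-01T10:00:04Z ip=198.51.100.7 user=dave result=FAIL
2023-10-01T10:00:05Z ip=198.51.100.7 user=erin result=FAIL
2023-10-01T10:00:06Z ip=198.51.100.7 user=frank result=OK
2023-10-01T10:00:07Z ip=198.51.100.7 user=grace result=FAIL
2023-10-01T10:00:08Z ip=198.51.100.7 user=heidi result=FAIL
2023-10-01T10:05:00Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T10:05:30Z ip=203.0.113.5 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn the assumed log format into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within `window`, hit at least `min_users` distinct
    accounts with a failure ratio of at least `min_fail_ratio`.

    Returns {ip: {distinct_users, attempts, failures, likely_compromised}}, where
    likely_compromised lists accounts that the flagged source logged into.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored on each event; fine for an example, O(n^2) in the worst case.
        for i, start in enumerate(evs):
            bucket = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in bucket}
            failures = sum(1 for e in bucket if e["result"] == "FAIL")
            if len(users) >= min_users and failures / len(bucket) >= min_fail_ratio:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(bucket),
                    "failures": failures,
                    "likely_compromised": sorted(
                        {e["user"] for e in bucket if e["result"] == "OK"}
                    ),
                }
                break  # one finding per IP is enough
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The single-user IP that fails once and then succeeds is not flagged, because the distinct-user count stays at one; the spraying IP is flagged even though most of its attempts failed, and the accounts it did get into are the ones to reset and notify. A real deployment would tune the thresholds and window to the service's normal traffic and feed the result into lockout or step-up authentication rather than just printing it.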

There's unfortunately nothing for affected people to do right now, as the data is already out there. You will want to make sure you aren't reusing passwords with other accounts, though.

Source: Bleeping Computer