Update: December 5, 2023 2:45 PM PST
As our investigation comes to a close, we wanted to share the details of what took place and our findings.
In early October, we learned that a threat actor accessed a select number of individual 23andMe.com accounts through a process called credential stuffing. That is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously compromised or otherwise available. We do not have any indication that there was a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.
The threat actor used the compromised accounts to access information shared with these accounts. Specifically, DNA Relatives profiles connected to these compromised accounts, which consist of information that a customer chooses to make available to their genetic relatives when they opt in to participate in 23andMe’s DNA Relatives feature. A DNA Relatives profile includes information such as display name, predicted relationships, and percentage of DNA shared with matches. You can find a full list of the types of information included in a DNA Relatives profile here.
Additionally, through the compromised accounts, the threat actor accessed a feature called Family Tree, which includes a limited subset of DNA Relatives profile information. The Family Tree feature does not include ancestry information such as the percentage of DNA shared with genetic matches or ancestry reports.
- The threat actor was able to access less than 0.1%, or roughly 14,000 user accounts, of the existing 14 million 23andMe customers through credential stuffing.
- The threat actor used the compromised credential stuffed accounts to access the information included in a significant number of DNA Relatives profiles (approximately 5.5 million) and Family Tree feature profiles (approximately 1.4 million), each of which were connected to the compromised accounts.
Since detecting the incident, we emailed all customers to notify them of the investigation and are continuing to notify impacted customers, based on applicable laws. We also required every 23andMe customer to reset their password. In addition, 23andMe now requires all new and existing customers to login using two-step verification. Protecting our customers’ data privacy and security remains a top priority for 23andMe, and we will continue to invest in protecting our systems and data.
Update: December 1, 2023 3:45 PM PST
23andMe has completed its investigation, assisted by third-party forensics experts. We are in the process of notifying affected customers, as required by law.
We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers. The company will continue to invest in protecting our systems and data.
Updated: November 6, 2023 7:45 AM PST
Starting today, we are requiring all customers to utilize email 2-step verification (2SV) as an added layer of protection for their account. New customers will be automatically enrolled in email 2SV when they create their account. Existing customers who do not already use an authenticator app will also be automatically enrolled in email 2SV, and will receive an email containing their verification code at their next sign-in. You can read more on our blog post.
Update: October 20, 2023 9:35 PM PST
As part of the ongoing security investigation, we have temporarily disabled some features within the DNA Relatives tool as an additional precaution to protect the privacy of our customers.
Update: October 9, 2023 8:25 PM PST
What actions has 23andMe taken?
Our investigation continues and we have engaged the assistance of third-party forensic experts. We are also working with federal law enforcement officials.
We are reaching out to our customers to provide an update on the investigation and to encourage them to take additional actions to keep their account and password secure. Out of caution, we are requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA).
If we learn that a customer’s data has been accessed without their authorization, we will notify them directly with more information.
Please continue to follow this blog for updates as our investigation continues.
We recently learned that certain 23andMe customer profile information that they opted into sharing through our DNA Relatives feature, was compiled from individual 23andMe.com accounts without the account users’ authorization.
After learning of suspicious activity, we immediately began an investigation. While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.
We believe that the threat actor may have then, in violation of our Terms of Service, accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service.
Committed to Safety and Security
23andMe is committed to providing you with a safe and secure place where you can learn about your DNA knowing your privacy is protected. We are continuing to investigate to confirm these preliminary results. We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.
At 23andMe, we take security seriously. We exceed industry data protection standards and have achieved three different ISO certifications to demonstrate the strength of our security program. We actively and routinely monitor and audit our systems to ensure that your data is protected. When we receive information through those processes or from other sources claiming customer data has been accessed by unauthorized individuals, we immediately investigate to validate whether this information is accurate. Since 2019 we’ve offered and encouraged users to use multi-factor authentication (MFA), which provides an extra layer of security and can prevent bad actors from accessing an account through recycled passwords.
We encourage our customers to take as much action to keep their account and password secure. Out of caution, we recommend taking the following steps:
- Confirm you have a strong password, one that is not easy to guess and that is unique to your 23andMe account. If you are not sure whether you have a strong password for your account, reset it by following the steps outlined here.
- Please be sure to enable multi-factor authentication (MFA) on your 23andMe account. You can enable MFA by following the steps outlined here.
- Review our Privacy and Security Checkup page with additional information on how to keep your account secure.
23andMe is here to support you. Please contact Customer Care at firstname.lastname@example.org if you need assistance with navigating these important steps to protect your account.