October 12

23andMe Data Breach: What you need to know


OCT. 19 UPDATE: The hacker released another 4 million records on hacker forums, claiming the list includes U.K. users as well as the “wealthiest people living in the U.S. and Western Europe.”

It’s been a while since I posted about a data breach. It’s not that they haven’t been happening… it’s because they haven’t been huge lately, and so much other stuff has been going on instead.

What Is Happening with 23andMe Data?

Last week cybersecurity folks noticed that someone was offering data from 23andMe for sale in the dark corners of the internet where the bad guys go. Of particular concern was the fact that one sample data set contained the data of one million users of Jewish Ashkenazi descent. Another sample had 100k Chinese users. It’s pretty worrisome that the hackers are breaking people up by heritage.

How Did This Happen?

23andMe says that their system wasn’t breached. The data was captured because the hackers used lists (like MASSIVE lists) of username/password combos to try to get into accounts of people who reuse passwords. Because 23andMe lets users find their DNA Relatives, the hackers collected not only the breached user info but also the info of the connected relatives.
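The pattern described above (a huge list of leaked username/password pairs tried against a site, succeeding only where someone reused a password) is usually called credential stuffing. What makes it hard to spot is that each account sees just one login attempt, with the correct password, so per-account lockouts never trigger; the signal lives at the source, which touches many different accounts in a short time. The following example is added here and is not from 23andMe or the original post: it runs that source-based check over a few constructed log lines in an assumed format and reports which accounts the suspicious source actually got into.

```python
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample log lines (not from any real system); the line format is assumed.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z login ip=203.0.113.5 user=alice result=fail
2023-10-01T12:00:02Z login ip=203.0.113.5 user=bob result=fail
2023-10-01T12:00:02Z login ip=203.0.113.5 user=carol result=success
2023-10-01T12:00:03Z login ip=203.0.113.5 user=dave result=fail
2023-10-01T12:00:03Z login ip=203.0.113.5 user=erin result=fail
2023-10-01T12:00:04Z login ip=203.0.113.5 user=frank result=success
2023-10-01T12:00:05Z login ip=203.0.113.5 user=grace result=fail
2023-10-01T12:00:06Z login ip=203.0.113.5 user=heidi result=fail
2023-10-01T12:00:07Z login ip=203.0.113.5 user=ivan result=fail
2023-10-01T12:00:08Z login ip=203.0.113.5 user=judy result=fail
2023-10-01T12:00:09Z login ip=198.51.100.7 user=mallory result=fail
2023-10-01T12:00:15Z login ip=198.51.100.7 user=mallory result=fail
2023-10-01T12:00:20Z login ip=198.51.100.7 user=mallory result=success
2023-10-01T12:01:00Z login ip=192.0.2.9 user=oscar result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters collected from the login log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct accounts tried
    compromised: set = field(default_factory=set)  # accounts where a login succeeded


def parse_log(text):
    """Aggregate login events by source IP; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "fail":
            s.failures += 1
        else:
            s.compromised.add(m["user"])
    return stats


def flag_credential_stuffing(stats, min_users=5, min_fail_ratio=0.5):
    """Flag sources that touched many distinct accounts with a high failure rate.

    Returns {ip: sorted list of accounts that source logged into successfully},
    i.e. the accounts that need a forced password reset and a session revocation.
    A source hammering a single account (classic brute force) is not flagged here:
    it has one distinct user, and a per-account lockout already covers it.
    """
    flagged = {}
    for ip, s in stats.items():
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio:
            flagged[ip] = sorted(s.compromised)
    return flagged


if __name__ == "__main__":
    hits = flag_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, accounts in hits.items():
        print(f"{ip}: credential stuffing suspected; successful logins: {accounts}")
```

The thresholds are deliberate knobs: a real deployment would pick them from its own baseline of distinct-accounts-per-source and would also look at user agent and timing, but the core idea stays the same. Note that the successful logins from the flagged source are exactly the accounts where someone reused a leaked password.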

For example, if my account had been accessed, they would also be able to get info about my dad, Barbara (1st cousin, once removed — never met her), Angie (3rd cousin — never met her), David (4th cousin — never met him)… and — get this — fifteen hundred of my distant relatives. And that’s just if my one account got hacked.

And because I can’t be sure if one of those 1500 connections was one of the breached accounts, I don’t even know yet if my data was leaked.

What 23andMe Did Wrong

The company says its systems were not accessed or breached. But because they set up their DNA Relatives connections the way they did, one breached account put hundreds of people at risk… multiplied by however many accounts were breached? That’s a lot of records.
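To put a number on that multiplication, here is a small model of the exposure, added here and not part of the original post or any 23andMe code. It uses a constructed toy relatives graph and a simplified assumption: an attacker who logs into an account can read that account's own profile plus whatever its DNA Relatives list shows (one hop), and a user who has opted out of DNA Relatives appears in nobody's list. The example computes the set of profiles exposed by a set of compromised accounts, the amplification factor (exposed profiles per compromised account), and what opting out does for the people who were never breached themselves.

```python
from collections import defaultdict

# Constructed toy match list (not real data). An edge means the two users
# appear in each other's DNA Relatives list while both are opted in.
MATCHES = [
    ("me", "dad"), ("me", "barbara"), ("me", "angie"), ("me", "david"),
    ("dad", "barbara"), ("dad", "uncle"),
    ("angie", "cousin_x"), ("cousin_x", "cousin_y"),
    ("stranger1", "stranger2"),
]


def build_graph(matches, opted_out=frozenset()):
    """Symmetric adjacency map; users who opted out are dropped from every list."""
    graph = defaultdict(set)
    for a, b in matches:
        if a in opted_out or b in opted_out:
            continue
        graph[a].add(b)
        graph[b].add(a)
    return graph


def exposed_profiles(graph, compromised):
    """Profiles readable through the compromised accounts.

    One hop only: the attacker sees what each compromised account sees, and
    cannot log in as a relative just because the relative is listed.
    """
    exposed = set(compromised)
    for account in compromised:
        exposed |= graph.get(account, set())
    return exposed


def amplification(graph, compromised):
    """Exposed profiles per compromised account (1.0 means no amplification)."""
    if not compromised:
        return 0.0
    return len(exposed_profiles(graph, compromised)) / len(compromised)


if __name__ == "__main__":
    everyone_in = build_graph(MATCHES)
    print("one account breached, nobody opted out:",
          sorted(exposed_profiles(everyone_in, {"me"})),
          "x%.1f" % amplification(everyone_in, {"me"}))
    dad_opted_out = build_graph(MATCHES, opted_out={"dad"})
    print("same breach, dad opted out:",
          sorted(exposed_profiles(dad_opted_out, {"me"})))
```

Two things the numbers show: the exposure of a breach scales with how many relatives each account can see, not with how many accounts were actually compromised, and opting out of DNA Relatives protects a person even when a relative's account is the one that gets taken over.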

What You Did Wrong

Ok, not YOU specifically, but the general y’all. Y’all reuse passwords for different sites, and this is why that practice is really dangerous. You have to have a unique, unguessable password for every single place you register. Sure, we’re moving toward a passwordless future with passkeys (I still need to write about those… stay tuned). But for the foreseeable future, we’re going to have to deal with passwords, and we have to be more careful.

What Should We Do Now?

If you have a 23andMe account…

  1. Log in to 23andMe.com and change your password (they’ll probably require it).
  2. Enable two-factor authentication for the site.
  3. Keep an eye on the updates from 23andMe.
  4. Opt out of the DNA Relatives feature.
  5. Apologize to your relatives for putting their data in harm’s way (just kidding — it’ll take too long to write 1500 apology letters, even with ChatGPT).

Everybody, even if you don’t have a 23andMe account…

  1. Go here to check whether your email has been involved in a breach (23andMe isn’t listed there yet).
  2. Update your sites to make sure you have a unique password for each one.


passwords, privacy, security
