On October 6, 2023, a hacker posted a sample of data stolen from 23andMe, a popular genetic testing company, on a dark web forum called BreachForums. The hacker claimed to have access to 13 million pieces of data, mostly from users of Ashkenazi Jewish and Chinese descent who had opted in to a feature called DNA Relatives. The hacker offered to sell the data for between $1 and $10 per account, depending on the quantity. The data included personal information such as names, birth years, locations, and ancestry results, but not raw genetic data.
The hacker also claimed to have data from celebrities such as Mark Zuckerberg, Elon Musk, and Sergey Brin, and alleged that 23andMe’s CEO had been aware of the breach two months earlier but did not disclose it. However, these claims have not been verified by 23andMe or any independent sources.
23andMe confirmed that some of its users’ data was compromised, but denied that its systems were breached. The company said that the hacker obtained the data by guessing the login credentials of some users and then scraping more data from the DNA Relatives feature, which allows users to find and connect with potential relatives based on their genetic matches. The company said that it was investigating the incident and taking steps to protect its users’ privacy and security.
The DNA Relatives feature is optional and requires users to consent to sharing their information with other users who are also enrolled in the feature. Users can adjust their privacy settings to limit what information they share and with whom. Users can also opt out of the feature at any time.
The data leak raises serious concerns about the privacy and security of genetic data, which can reveal sensitive information about a person’s health, ancestry, family relationships, and identity. Genetic data can also be used for malicious purposes, such as discrimination, extortion, identity theft, or targeted attacks.
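The two-stage pattern 23andMe described (one source guessing credentials for many accounts, then a few compromised accounts pulling far more DNA Relatives records than a person would) is something a service can look for in its own logs. The following is an added illustration, not 23andMe's code; the log format, event names, and sample lines are constructed for the example, and the thresholds are assumptions a real deployment would tune.

```python
"""Flag credential guessing across many accounts from one source, followed by
bulk viewing of DNA Relatives records from the accounts that were taken over."""
from collections import defaultdict

# Constructed sample log (not real 23andMe data): time, event, source IP, account, outcome.
SAMPLE_LOG = "\n".join(
    [f"2023-10-01T10:00:{i:02d} login 203.0.113.5 user{i} {'ok' if i in (2, 4) else 'fail'}"
     for i in range(6)]                                      # one IP cycling through six accounts
    + ["2023-10-01T10:00:09 login 198.51.100.7 user9 fail",  # ordinary user mistyping once
       "2023-10-01T10:00:10 login 198.51.100.7 user9 ok",
       "2023-10-01T10:00:11 relatives_view 198.51.100.7 user9 ok"]
    + [f"2023-10-01T10:01:{i:02d} relatives_view 203.0.113.5 user2 ok"
       for i in range(40)]                                   # taken-over account scraping matches
)

def parse(log):
    """Turn whitespace-separated lines into event dicts; blank lines are skipped."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, ip, account, outcome = line.split()
        yield {"ts": ts, "event": event, "ip": ip, "account": account, "outcome": outcome}

def credential_stuffing_sources(events, min_accounts=5):
    """Source IPs whose login attempts (successful or not) span at least
    min_accounts distinct accounts. A guessing tool walks through many accounts
    from one source; a legitimate user rarely touches more than a couple."""
    accounts = defaultdict(set)
    for e in events:
        if e["event"] == "login":
            accounts[e["ip"]].add(e["account"])
    return {ip: len(a) for ip, a in accounts.items() if len(a) >= min_accounts}

def scraping_accounts(events, max_views=25):
    """Accounts whose successful DNA Relatives views exceed max_views (assumed baseline)."""
    views = defaultdict(int)
    for e in events:
        if e["event"] == "relatives_view" and e["outcome"] == "ok":
            views[e["account"]] += 1
    return {a: n for a, n in views.items() if n > max_views}

def analyse(log):
    """Run both detectors over one log; returns ({ip: accounts}, {account: views})."""
    events = list(parse(log))
    return credential_stuffing_sources(events), scraping_accounts(events)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Both detectors are rate signals a defender can act on (step-up authentication, rate limiting the relatives endpoint, forcing a password reset), and neither needs the genetic data itself.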
To protect yourself from such risks, here are some cybersecurity best practices that you should follow:
- Use strong and unique passwords for your online accounts, especially those that store your genetic or health data. Do not reuse passwords across different sites or services.
- Enable two-factor or multi-factor authentication (MFA) for your online accounts whenever possible. This adds an extra layer of security by requiring you to enter a code or use another device to verify your identity when logging in.
- Think before you click on suspicious links or attachments in emails or messages. These could be phishing attempts that try to trick you into giving away your personal or financial information or installing malware on your device.
- Update your software regularly to fix security vulnerabilities that could be exploited by hackers. This includes your operating system, browser, apps, and antivirus software.
- Be careful about what information you share online and with whom. Review your privacy settings on social media and other platforms and limit who can see your posts or profile. Do not post or share sensitive information that could be used against you or your family.
- Educate yourself about the potential benefits and risks of genetic testing and research. Read the terms of service and privacy policies of any company or organization that offers such services, and understand how they use, store, share, and protect your data. Opt out of any features or options that you are not comfortable with or do not need.