Genetic testing company 23andMe is requiring all users to reset their passwords as it investigates user data stolen and posted online by threat actors charging between $1 and $10 per account, some of which allegedly contained data belonging to Ashkenazi Jews.
Key Facts
The password reset was announced on 23andMe’s website, where the company also revealed federal law enforcement is now involved and that third-party forensic experts are helping with the investigation.
23andMe, which confirmed the initial data theft last week, maintained that the data was not gathered through a breach of its systems—rather, attackers guessed the login credentials of some users through a recycled-password (credential stuffing) attack and then reached additional information through a feature that allows users to share information with others.
The announcement came a few days after the attackers posted a sample of user data for sale on a hacking forum, according to multiple outlets, with the sample including unvalidated entries for tech billionaires Mark Zuckerberg and Elon Musk.
The data includes information like sex, birth year, genetic ancestry results and geographic ancestry information.
23andMe encouraged users to use multi-factor authentication, which requires users to provide two means of verification to access their accounts, such as a password and a push notification to users’ phones.
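The attack pattern described above, one source trying many different accounts with passwords recycled from other leaks, has a recognisable signature in authentication logs. The following is an added example, not 23andMe's code or any vendor's: it parses constructed sample log lines in an assumed format (timestamp, source IP, username, result), flags sources that spread attempts across many distinct accounts with a high failure rate, and returns the accounts that were successfully logged into from such a source, which are the ones a defender would force-reset and move to multi-factor authentication. The thresholds are assumptions and would be tuned to real traffic.

```python
"""Credential-stuffing detection over authentication logs.

Added example (not 23andMe's code or any vendor's). A credential-stuffing
burst looks like one source trying MANY different usernames, each once or
twice, with a high failure rate and a handful of successes. A single user
retyping their own password looks different: one username, a few attempts.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical format:
# ISO time, source IP, username, result. Not real 23andMe data.
SAMPLE_LOG = """\
2023-10-02T10:00:01 203.0.113.7 alice@example.com FAIL
2023-10-02T10:00:02 203.0.113.7 bob@example.com FAIL
2023-10-02T10:00:02 203.0.113.7 carol@example.com SUCCESS
2023-10-02T10:00:03 203.0.113.7 dave@example.com FAIL
2023-10-02T10:00:03 203.0.113.7 erin@example.com FAIL
2023-10-02T10:00:04 203.0.113.7 frank@example.com FAIL
2023-10-02T10:00:04 203.0.113.7 grace@example.com SUCCESS
2023-10-02T10:00:05 203.0.113.7 heidi@example.com FAIL
2023-10-02T10:00:05 203.0.113.7 ivan@example.com FAIL
2023-10-02T10:00:06 203.0.113.7 judy@example.com FAIL
2023-10-02T10:05:00 198.51.100.2 alice@example.com FAIL
2023-10-02T10:05:10 198.51.100.2 alice@example.com FAIL
2023-10-02T10:05:20 198.51.100.2 alice@example.com SUCCESS
2023-10-02T10:06:00 192.0.2.9 mallory@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Yield (timestamp, ip, user, ok) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        yield datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def source_stats(events):
    """Aggregate per source IP: attempts, failures, distinct users, users that succeeded."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "succeeded": set()})
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["succeeded"].add(user)
        else:
            s["failures"] += 1
    return stats


def flag_stuffing_sources(stats, min_users=5, min_fail_ratio=0.6):
    """Flag a source that spreads attempts across many accounts and mostly fails.

    Breadth (attempts per user near 1) is the defining trait; the thresholds
    are assumed values for this example, not a recommendation.
    """
    flagged = {}
    for ip, s in stats.items():
        distinct = len(s["users"])
        fail_ratio = s["failures"] / s["attempts"]
        if distinct >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": distinct,
                           "fail_ratio": round(fail_ratio, 2),
                           "compromised": sorted(s["succeeded"])}
    return flagged


def accounts_to_reset(log_text):
    """Return (accounts, flagged_sources): accounts successfully logged into from
    a flagged source are candidates for a forced password reset and MFA step-up."""
    flagged = flag_stuffing_sources(source_stats(parse_log(log_text)))
    accounts = sorted({u for info in flagged.values() for u in info["compromised"]})
    return accounts, flagged


if __name__ == "__main__":
    users, flagged = accounts_to_reset(SAMPLE_LOG)
    for ip, info in flagged.items():
        print(f"flagged {ip}: {info}")
    print("reset + MFA step-up:", users)
```

In the sample, the first source hits ten different accounts with two successes and is flagged, while the user who mistypes their own password twice from a second source is not. A real deployment would add the rate-limiting and step-up controls that prevent the successes in the first place; this block only shows the detection side.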
Crucial Quote
“Credential stuffing relies on the all-too-common issue of password reuse to gain access to online accounts,” Antoine Vastel, the head of research at fraud detection company DataDome, told Forbes. “With 81% of individuals reusing passwords or using similar passwords for multiple accounts, malicious threat actors with access to a list of leaked credentials have an easy time finding valid login and password combinations.”
What To Watch For
The data posted on the hacker forum has yet to have its legitimacy explicitly confirmed by 23andMe, which said in its announcement users would be directly notified with “more information” if their data was compromised.
Key Background
The investigation into the stolen user data is ongoing. However, the data is consistent with the scenario the company described, in which some accounts were used to illegally access more data through the DNA Relatives feature, according to Wired. The data doesn’t appear to include raw genetic information from users.
This article was first published on forbes.com and all figures are in USD.