New ask Hacker News story: Additional Notification of 23andMe DNA Relatives Security Breach

Additional Notification of 23andMe DNA Relatives Security Breach
4 by pgrote | 0 comments on Hacker News.
We are following up on an email that we sent earlier this month regarding our ongoing security investigation. We learned that certain profile information – which a customer creates and chooses to share with their genetic relatives in the DNA Relatives feature – was accessed from individual 23andMe.com accounts without the account users’ authorization. While our investigation is ongoing, we believe the threat actor was able to access certain accounts in instances where the usernames and passwords that were used on 23andMe.com were the same as those used on other websites that had been previously compromised or otherwise available. How does this impact you? After further review, we have identified your DNA Relatives profile as one that was impacted in this incident. Specifically, there was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor. You can see a full list of the types of information that you may have included in your profile here. You can view what information is currently included in your DNA Relatives profile and make changes here. Based on our investigation so far, we believe only your DNA Relatives profile attributes were exposed. What is 23andMe doing about this? We are working with third-party forensic experts on this investigation, as well as federal law enforcement. We have also required all customers to reset their passwords. Security and privacy are the highest priorities at 23andMe. We exceed industry data protection standards and have achieved three different ISO certifications to demonstrate the strength of our security program. We actively and routinely monitor and audit our systems to ensure that your data is protected. When we receive information through those processes or from other sources claiming customer data has been accessed by unauthorized individuals, we immediately investigate to validate whether this information is accurate. Beginning in 2019, we’ve offered and encouraged users to use multi-factor authentication (MFA), which provides an extra layer of security and can prevent bad actors from accessing an account through recycled passwords. What should I do? We encourage you to take additional action to keep your account and password secure. This includes the following steps: Make sure your 23andMe password is not used for other accounts, meaning it’s unique to your 23andMe account. Enable multi-factor authentification (MFA) on your 23andMe account: Adding 2-Step Verification To Your 23andMe Account. 23andMe is here to support you. Please contact Customer Care at customercare@23andme.com if you need assistance. You can refer to our blog post for future updates on this investigation.