We recently learned that certain profile information – which a customer creates and chooses to share with their genetic relatives in the DNA Relatives feature – was accessed from individual 23andMe.com accounts. This was done without the account users’ authorization. We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.
While our investigation is ongoing, at this time we believe the threat actor was able to access certain accounts in instances where users employed identical login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that had been previously compromised or otherwise available.
If we learn that your data has been accessed without your authorization, we will contact you separately with more information.
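The pattern described above, in which one source tries many different accounts using passwords reused from other sites, is what a defender would look for in login telemetry. The Python below is an added illustration and not 23andMe's code; the event records, IP addresses, account names and the (timestamp, source_ip, username, success) field layout are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# (timestamp, source_ip, username, login_succeeded)
SAMPLE_EVENTS = [
    ("2023-10-01T12:00:01", "198.51.100.7", "alice@example.com", False),
    ("2023-10-01T12:00:02", "198.51.100.7", "bob@example.com", False),
    ("2023-10-01T12:00:03", "198.51.100.7", "carol@example.com", True),
    ("2023-10-01T12:00:04", "198.51.100.7", "dave@example.com", False),
    ("2023-10-01T12:00:05", "198.51.100.7", "erin@example.com", True),
    ("2023-10-01T12:00:06", "198.51.100.7", "frank@example.com", False),
    # A normal user who mistyped once and then logged in.
    ("2023-10-01T12:01:00", "203.0.113.9", "grace@example.com", False),
    ("2023-10-01T12:01:30", "203.0.113.9", "grace@example.com", True),
]


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, min_failure_ratio=0.3):
    """Flag source IPs that attempted >= min_accounts distinct usernames inside
    `window` with a failure ratio at or above min_failure_ratio.

    Reused-credential attacks look like this: a single source, many different
    accounts, and a mix of failures (stale passwords) and successes (passwords
    still shared with a breached site). Returns {ip: summary}; the summary's
    'successful_logins' lists the accounts a responder should notify."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            ratio = sum(1 for _, _, ok in span if not ok) / len(span)
            if (len(users) >= min_accounts and ratio >= min_failure_ratio
                    and (best is None or len(users) > best["distinct_accounts"])):
                best = {"distinct_accounts": len(users),
                        "failure_ratio": round(ratio, 2),
                        "successful_logins": sorted(u for _, u, ok in span if ok)}
        if best:
            flagged[ip] = best
    return flagged
```

Running it on the sample flags only 198.51.100.7 and names the two accounts whose reused passwords worked, which is the set that would need the individual notification described above.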
What is 23andMe doing about this?
After learning of suspicious activity, we immediately began an investigation and engaged the assistance of third-party forensic experts and notified law enforcement. Out of caution, we are also requiring that all customers reset their passwords.
Security and privacy are the highest priorities at 23andMe. We exceed industry data protection standards and have achieved three different ISO certifications to demonstrate the strength of our security program. We actively and routinely monitor and audit our systems to ensure that your data is protected. When we receive information through those processes or from other sources claiming customer data has been accessed by unauthorized individuals, we immediately investigate to validate whether this information is accurate. Beginning in 2019, we’ve offered and encouraged users to use multi-factor authentication (MFA), which provides an extra layer of security and can prevent bad actors from accessing an account through recycled passwords.
What can you do today?
We further encourage you to take additional action to keep your account and password secure. This includes the following steps:
When you reset your password, confirm it is not easy to guess and not used for other accounts, meaning it’s unique to your 23andMe account. Reset password here.
Be sure to enable multi-factor authentication (MFA) on your 23andMe account: Adding 2-Step Verification To Your 23andMe Account.
If you log in to 23andMe using your Google or Apple single sign-on, you will not be prompted for a password change, but we recommend you protect your Google or Apple account with MFA.
23andMe is here to support you. Please contact Customer Care at firstname.lastname@example.org if you need assistance. You can refer to our blog post for future updates.
The 23andMe Team