23andMe takes the privacy and confidentiality of your information very seriously. We are writing to update you regarding an incident involving certain personal information you made available through 23andMe’s optional DNA Relatives feature, specifically your Family Tree profile which is further described below. Based upon our investigation of this incident, we believe only your Family Tree profile information was involved. There is no evidence that your 23andMe account, or any other information in your account, including any other information you chose to share through the DNA Relatives feature, was accessed in this incident.
What information was involved?
Our investigation determined that a threat actor accessed certain information about your ancestry that you chose to share in our DNA Relatives feature, specifically, certain profile information presented in our Family Tree feature which includes a display name and your relationship labels. The following information may have also been accessed if you chose to share this information in the DNA Relatives feature: self-reported location (city/zip code) and birth year.
What happened?
On October 1, 2023, a third party posted online claiming to have 23andMe customers’ information and posting a sample of the stolen data. Upon learning of the incident, we immediately commenced an investigation and engaged third party incident response experts to assist in determining the extent of any unauthorized activity.
Based on our investigation, we believe a threat actor orchestrated a credential stuffing attack to gain access to one or more 23andMe accounts that are connected to you through our optional DNA Relatives feature. Credential stuffing is a method of attack where threat actors use lists of previously compromised user credentials to gain access to another party’s systems. The threat actor accessed those accounts where the usernames and passwords that were used on 23andMe.com were the same as those used on other websites that were previously compromised or otherwise available.
Using these accounts, the threat actor was able to access information that included certain customers’ DNA Relatives and Family Tree profile information, including yours.
What have we done?
23andMe worked with third-party security experts on this investigation, as well as federal law enforcement. On October 10, we required all 23andMe customers to reset their password. On November 6, we required all new and existing customers to login using two-step verification. We have also temporarily paused certain functionality within the 23andMe platform.
What you can do
For more information about what information is a part of your DNA Relatives profile and how to manage your preferences visit our Customer Care article here. We also recommend you review our guidance here on how to keep your 23andMe account secure and for additional steps you can take to safeguard your account.
23andMe is here to support you. Please contact Customer Care at customercare@23andme.com if you need assistance. Protecting our customers’ privacy and security continues to be a top priority. We sincerely apologize for any inconvenience caused to you by this incident.
23andMe Account Update (Email Breach)
- funnyinterestingcool
- Posts: 518
- Joined: Tue Jul 09, 2019 11:54 pm
- Contact: