A credential stuffing attack brought the popular genetic research company 23andMe to a crisis point last week, and its attacker is now offering to sell the names, locations, and ethnicities of millions of users.
Credential stuffing happens when people reuse the same username-password combination on multiple websites and one of those sites is breached: the attacker then tries the stolen credentials on other sites, and the reused ones work. It’s why you need to use two-factor authentication wherever possible, and a password vault when 2FA isn’t a viable option. 23andMe allows for 2FA but hasn’t required it.
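The pattern credential stuffing leaves in a site's authentication logs can be spotted on the defender's side. The following is an added example, not code from the original post or from 23andMe: it runs over constructed login records (fields, addresses and usernames are invented) and flags any source address that tries many different accounts with mostly failed attempts.

```python
import re
from collections import defaultdict

# Constructed sample login records; not from 23andMe or any real system.
SAMPLE_LOG = """\
2023-10-02T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-10-02T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2023-10-02T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2023-10-02T10:00:03Z ip=203.0.113.7 user=dave result=OK
2023-10-02T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2023-10-02T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2023-10-02T10:00:05Z ip=198.51.100.4 user=alice result=FAIL
2023-10-02T10:00:09Z ip=198.51.100.4 user=alice result=OK
"""

# Field layout is an assumption for this example; adapt to your log format.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def summarize(log_text):
    """Per source IP: set of distinct usernames tried, total attempts, failures."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than crash
        s = stats[m["ip"]]
        s["users"].add(m["user"])
        s["attempts"] += 1
        if m["result"] != "OK":
            s["fails"] += 1
    return stats


def flag_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Return source IPs whose logins look like credential stuffing: many
    distinct accounts attempted and most attempts failing. One person
    mistyping their own password touches a single account and is not flagged.
    Note that a stuffing run still succeeds on some accounts (dave above),
    which is exactly the damage a unique password or 2FA prevents."""
    flagged = []
    for ip, s in summarize(log_text).items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged.append(ip)
    return sorted(flagged)
```

The thresholds are starting points; tune them against your own baseline of normal failed-login rates before alerting on them.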
The genetic information held by 23andMe is NOT protected by HIPAA, and its privacy policies continue to allow it to participate in third-party data sharing. In other words, even if you’re a paying customer, you might also be their product.
- If you’re a 23andMe user, change your password today. Choose one that is unique, not one you’ve used elsewhere.
- Consider subscribing to a password management app for personal use.
- If you already have the information you need, you might consider deleting your information from 23andMe. They’ll email a request for confirmation and permanently delete your account. (Some of your data will be retained, however, for what they call “legal and lab requirements.”)
We encourage you to let your friends and family know about this dangerous cybercrime.