Summary
Data breaches have happened over and over this past year, and they show no sign of slowing down. Maybe it’s not your password (or maybe it was), but you never know when something important about you, such as your phone number or your social security number, makes its way into a data dump. But have you thought of the prospect of your DNA getting into a data dump? Well, that’s not a remote prospect anymore.
In case you’re not familiar with 23andMe, it’s a company that can ship you a DNA test kit, which you can then use and ship back, and it’ll tell you all kinds of cool details about yourself and your ancestry. You can discover where your DNA is from and what traits you have, and it can even find distant relatives for you based on how much your DNA matches. Doing this also means that the firm kind of needs to store your DNA, making that data prone to breaches. And that’s exactly what happened. With a credential stuffing attack, hackers managed to steal data profiles and are currently selling them in bulk. Stolen data includes details such as usernames, full names, profile pictures, date of birth, genetic ancestry results, and even your geographical location.
In a statement, a 23andMe representative confirmed to Bleeping Computer that the breach was legitimate, but denied that it had anything to do with an internal attack on the firm’s systems. Instead, they said that “the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.” It looks like hackers got into accounts using credentials that were already floating around, and the attack was made worse by the “DNA Relatives” feature, which is opt-in and meant hackers could also access other people’s data. Oops.
There’s unfortunately nothing for affected people to do right now, as the data is already out there. You will want to make sure you aren’t reusing passwords with other accounts, though.