By now, you’ve probably heard that 23andMe was “hacked” by criminals who stole the data of up to 7 million users. Technically, it wasn’t a hack; 23andMe’s security systems weren’t breached. Rather, the criminals acquired emails and passwords from lapses at other websites then logged in to 23andMe accounts that used the same login credentials. This kind of attack is called credential stuffing.
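The distinguishing signature of the attack described above is that one source tries many different usernames, each with a password taken from another site's breach, and most of those attempts fail. The following is an added example (it is not code from this post or from 23andMe) that shows how a service could spot that pattern in its own authentication logs and list the accounts that were successfully logged into from a suspect source, so they can be forced through a password reset or step-up verification. The log format, the sample events and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of authentication events, one per line:
#   <timestamp> <source ip> <username> <OK|FAIL>
# 203.0.113.7 cycles through eight different accounts with a mix of
# results (credential stuffing); 198.51.100.2 is one user mistyping
# their own password; 192.0.2.9 is an ordinary single login.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol OK
2023-10-01T10:00:03Z 203.0.113.7 dave FAIL
2023-10-01T10:00:03Z 203.0.113.7 erin FAIL
2023-10-01T10:00:04Z 203.0.113.7 frank OK
2023-10-01T10:00:05Z 203.0.113.7 grace FAIL
2023-10-01T10:00:06Z 203.0.113.7 heidi FAIL
2023-10-01T10:01:00Z 198.51.100.2 alice FAIL
2023-10-01T10:01:05Z 198.51.100.2 alice FAIL
2023-10-01T10:01:20Z 198.51.100.2 alice OK
2023-10-01T10:02:00Z 192.0.2.9 ivan OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to characterise login behaviour."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: set = field(default_factory=set)   # usernames that logged in OK

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "OK"))
    return events


def summarize_by_ip(events):
    """Aggregate events per source IP."""
    stats = defaultdict(SourceStats)
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return dict(stats)


def flag_stuffing_sources(stats, min_distinct_users=5, min_fail_ratio=0.5):
    """Return {ip: [accounts that logged in OK]} for sources whose behaviour
    matches credential stuffing: many distinct usernames and mostly failures.

    Brute force against one account (many passwords, one username) and a
    single user mistyping their password do not meet the distinct-user test,
    so they are not flagged here. Thresholds are illustrative assumptions.
    """
    flagged = {}
    for ip, s in stats.items():
        if len(s.users) >= min_distinct_users and s.fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(s.successes)
    return flagged


if __name__ == "__main__":
    suspects = flag_stuffing_sources(summarize_by_ip(parse_log(SAMPLE_LOG)))
    for ip, accounts in suspects.items():
        print(f"{ip}: credential-stuffing pattern; accounts to reset: {accounts}")
```

The point of keying on distinct usernames per source rather than on failed logins per account is that stuffing spreads its attempts thinly: each stolen credential is tried once, so per-account lockout thresholds are never reached. The accounts that did log in from a flagged source are the ones whose reused passwords were valid, which is exactly the population that needs a forced reset.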
What data exactly did the crooks get? That’s a great question. 23andMe has been tight-lipped about those details, but we can guess… Basically, anything accessible to a user from their own account was up for grabs.
And it gets worse. Unfortunately, even those of us with unique passwords were exposed, because chances are we share at least some DNA with someone who was compromised. The criminals claim to have data from at least 7 million 23andMe customers. I estimate that’s almost everyone who has opted into DNA matching at 23andMe.
…
DNA is special. It contains intensely personal family and health information that can never be changed. If your credit card is stolen, you can replace it. If your phone number is leaked, you can screen your calls. If your genetic data is compromised, it’s compromised forever.
What’s more, there is currently no federal legislation in the US to stop a total stranger—or even the government—from analyzing your genome simply because they want to. You shed DNA everywhere you go, and law enforcement considers it fair game because you “abandoned” it.
Layer that onto recent ethical lapses by leaders in forensic genetic genealogy, and genetic privacy does not exist in the US. That needs to change.