If you use 23andMe, consider securing your account. It appears a hacker has been breaking into user profiles to steal personal data.
The company issued a statement about the threat today, days after a mysterious user in a hacking forum claimed to have obtained data from at least 7 million 23andMe users.
The user shared a link, which allegedly leads to a download for the stolen data. “The CSV file in the link contains the profile list of half of the members of 23andMe,” the user claimed in the post before it was deleted. “These members have technical details such as their origin estimation, phenotype and health information, photos and identification data, raw data, and their last login date to the site.”
This Tweet is currently unavailable. It might be loading or has been removed.
Meanwhile, another user in the same forum is also selling access to the 23andMe data. For $100,000, a buyer can obtain access to 100,000 profiles.
23andMe is investigating the situation, but the company denies a breach has occurred. “We do not have any indication at this time that there has been a data security incident within our systems,” a company spokesperson told PCMag.
“Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.
That means a hacker has likely been digging through past data breaches —which can contain user email addresses and passwords— to try and break into accounts on 23andMe.
Although the hacker claims to have obtained data on at least 7 million users, it’s possible much of the data was actually scraped through a profile-viewing feature available to 23andMe members. The company has a function that lets you find “DNA relatives” with other users on the platform. Using the system is optional, but in doing so users create a profile that other members can see, allowing them to view ancestry results, along with photo and birth year, if provided.
Recommended by Our Editors
This Tweet is currently unavailable. It might be loading or has been removed.
Hence, it’s possible the hacker broke through a smaller number of accounts, and then exploited the DNA relatives feature to gain access to a wider range of personal details. For now, 23andMe told PCMag: “We are taking this issue seriously and will continue our investigation to confirm these preliminary results.”
In the meantime, users can consider changing their password or turning on the two-factor authentication for their accounts to prevent potential hijacking.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
About Our Expert
Michael Kan
Senior Reporter
Experience
I've been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I'm currently based in San Francisco, but previously spent over five years in China, covering the country's technology sector.
Since 2020, I've covered the launch and explosive growth of SpaceX's Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I've combed through FCC filings for the latest news and driven to remote corners of California to test Starlink's cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I'm now following how President Trump's tariffs will affect the industry. I'm always eager to learn more, so please jump in the comments with feedback and send me tips.