RALEIGH, N.C. (WNCN) — A major security breach at one of the country’s foremost genetic testing and DNA repositories is setting off alarm bells.
This after the discovery that the personal information of millions of people, many of Jewish ancestry, was for sale on the dark web.
The names, locations, and ethnicities of millions of 23andMe users went up for sale last week on the dark web following the data breach — which the company confirmed in an online statement.
The company says it hired third-party forensic experts to see how much damage was done, but security experts are worried.
At this point it appears that only names, addresses, and perhaps ethnic origins are up for sale, but security experts worry that the exposure may go further than that.
“That’s the original information, so that’s not so bad,” said Pete Nicoletti of Checkpoint Security Software.
“But if it’s DNA information, it’s going to be real bad.”
“Your DNA information can be used in so many negative ways,” he said. “We’re seeing nation states trying to collect DNA information and potentially create weapons that are specifically against the DNA.”
Nicoletti calls DNA results the “crown jewels” for hackers and says there are steps you can take to make that information more secure on your end.
“Don’t sign up for all the public sharing your information, like finding new relatives,” said Nicoletti. “That lets them (scammers) leverage your information to look for other information.”
Hackers who posted the stolen information from 23andMe on the dark web say it contained at least one million data points relating to Ashkenazi Jewish ancestry.
In its statement about the breach, 23andMe says the hackers used stolen passwords to access the site’s DNA relatives feature and advises its customers to reset their passwords.
Security experts say finding valid passwords is easy for criminal hackers.
“There’s 12 billion combinations, email and password combinations that are in the wild from the last ten years of 710 different breaches,” said Nicoletti. “The hackers have this information.”
They then use that login information in what’s known as a “credential stuffing attack,” where they use automated systems to “stuff” thousands of passwords into all sorts of sites looking for matches.
The attacks work because most folks use the same passwords over and over for years on every site they encounter.
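The credential stuffing pattern described above leaves a recognizable trace in a site's authentication logs: one source trying many different accounts in a short burst, most of them failing. The following is an added example, not code from the article or from 23andMe; it scans a constructed login log for such sources and lists the accounts that did log in from them, since those are the reused passwords that need a forced reset. The log format, the thresholds, and all addresses and account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): time, source IP, account, outcome.
SAMPLE_LOG = """\
2023-10-06T10:00:01Z 203.0.113.9 alice@example.com FAIL
2023-10-06T10:00:02Z 203.0.113.9 bob@example.com FAIL
2023-10-06T10:00:02Z 203.0.113.9 carol@example.com FAIL
2023-10-06T10:00:03Z 203.0.113.9 dave@example.com SUCCESS
2023-10-06T10:00:03Z 203.0.113.9 erin@example.com FAIL
2023-10-06T10:00:04Z 203.0.113.9 frank@example.com FAIL
2023-10-06T10:00:05Z 203.0.113.9 grace@example.com FAIL
2023-10-06T10:00:06Z 203.0.113.9 heidi@example.com FAIL
2023-10-06T10:05:00Z 198.51.100.4 alice@example.com FAIL
2023-10-06T10:05:07Z 198.51.100.4 alice@example.com SUCCESS
2023-10-06T11:30:00Z 192.0.2.77 bob@example.com SUCCESS
"""

def parse_log(text):
    """Parse one whitespace-separated record per line into (time, ip, user, outcome)."""
    records = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return records

def find_stuffing(records, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, within `window`, tried at least `min_users` distinct
    accounts with a failure ratio of at least `min_fail_ratio` (assumed thresholds):
    the signature of a stuffing run rather than one user mistyping a password.
    Returns (flagged, to_reset): flagged maps ip -> (distinct users, attempts,
    failures) for its largest qualifying window; to_reset holds the accounts that
    logged in successfully from a flagged IP, i.e. passwords that were reused."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in records:
        by_ip[ip].append((ts, user, outcome))
    flagged, to_reset = {}, set()
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding window over this IP's events
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, o in win if o == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if len(users) >= flagged.get(ip, (0,))[0]:
                    flagged[ip] = (len(users), len(win), fails)
        if ip in flagged:
            to_reset |= {u for _, u, o in events if o == "SUCCESS"}
    return flagged, to_reset
```

The single user retrying their own account from 198.51.100.4 is not flagged, while the burst from 203.0.113.9 is, and the one account it got into is queued for a reset.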
To protect yourself:
- Change your passwords every 30-to-90 days
- Use different passwords on different accounts
- Don’t trust emails asking for passwords
Nicoletti says you can expect those who were breached to get emails soon.
“The hackers see this attack and they’re going to exploit this timing and they’re going to send you an email that looks like it’s from 23andMe,” he said. “Don’t click on the link in the email because there are these secondary hackers that are using that breach information to then attack you in a different way.”
The investigation into what happened is continuing and federal agencies are also involved.
Even as the probe continues, 23andMe is working to try and put systems in place to prevent a repeat attack.