RALEIGH, N.C. (WNCN) — The data incident at 23andMe disclosed last week, in which an anonymous hacker claims to be selling millions of genetic profiles taken from hijacked customer accounts, has now resulted in a lawsuit.
Word of the incident went public when a hacker posted on the dark web, offering more than 7 million records containing email addresses, photos, gender, date of birth, and DNA ancestry for between $1 and $10 per account.
Now the company faces a class action lawsuit in which the plaintiffs contend the incident presents an imminent threat of fraud and identity theft.
In a statement, the company acknowledged the data security concern, saying the hacker accessed its “DNA Relatives” feature using stolen login credentials, and it required all customers to reset their passwords. Changing a password that may have been exposed is a step security experts say you should take as a matter of routine.
“Password reuse, it’s a sin in the security world,” said Pete Nicoletti of Check Point Software. “It’s one of the top sins. Don’t reuse your password.”
How can you tell if your password has been stolen? There’s a site that can help.
“The hacking word today you’re learning is Pwned,” said Nicoletti. “That means you’ve been compromised.”
The website, Have I Been Pwned (haveibeenpwned.com), was set up by security researcher Troy Hunt.
It lets you enter an email address or phone number to see whether it has turned up in a known data breach.
Consumer Investigator Steve Sbraccia gave it a try — plugging in his personal email address and got a hit.
The site reported that the address had appeared in breached data.
With another click, the site lists every known breach in which that address was exposed.
In Sbraccia’s case, it was 10 different breaches dating back more than a decade.
The website also has a separate password search, Pwned Passwords, that lets you check whether an individual password has ever appeared in breach data, without tying it to your account.
In Sbraccia’s case, most of his passwords were clean, but his current email password was flagged as having appeared 15 times in known breach data. (Upon learning that, he immediately changed that password.)
Once you learn that one of your passwords has appeared in a breach:
- Change the password on your email account immediately, since email is the recovery channel for most other accounts
- Never use your email password for any other account
- Never use the same password for multiple accounts
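The Pwned Passwords check described above can be run without ever sending a password to the site. This is an added example, not code from the original article or from Have I Been Pwned: it hashes the password with SHA-1, sends only the first five hex characters of the hash to the real range endpoint (https://api.pwnedpasswords.com/range/{prefix}), and compares the remaining 35 characters locally against the returned list of “suffix:count” lines. The response body used below is constructed so the example runs offline; the count it shows for “password” is illustrative, not the live figure.

```python
import hashlib
import urllib.request


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char
    prefix that is sent to the service and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times our suffix was seen in breach data, or 0 if it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_online(prefix: str) -> str:
    """Real network call to the Pwned Passwords range endpoint (k-anonymity:
    only the 5-char hash prefix leaves the machine)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the range endpoint. The bucket for the
# well-known weak password "password" is filled with two made-up neighbours
# and the real suffix of that password with an illustrative count.
_pw_prefix, _pw_suffix = sha1_prefix_suffix("password")
CONSTRUCTED_RANGES = {
    _pw_prefix: "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",      # made-up neighbour
        f"{_pw_suffix}:9545824",                      # illustrative count
        "0A1F4B2C3D4E5F60718293A4B5C6D7E8F90:0",      # padding-style zero entry
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher returning the constructed bucket (empty if unknown)."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def pwned_count(password: str, fetch=fetch_range_online) -> int:
    """Return the number of times the password appears in breach data.
    `fetch` is the prefix -> response-body function; defaults to the live API."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    for pw in ("password", "Correct-Horse-Battery-Staple-2024!"):
        n = pwned_count(pw, fetch_range_offline)
        verdict = f"seen {n} times, change it" if n else "not found in sample data"
        print(f"{pw!r}: {verdict}")
```

Pass `fetch_range_online` (the default) to query the live service; note that a zero result only means the password is not in the compiled breach corpus, not that it is strong.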
“There’s 12 billion combinations, email and password combinations that are ‘in the wild’ from the last 10 years of 710 different breaches,” said Nicoletti. “Hackers have that information.”
If you have used 23andMe or another service to learn about your DNA, experts recommend asking the company to delete your data so it is no longer in its systems.
Depending on what you want deleted, you can make the request online.
On Tuesday, CBS 17 was contacted by a spokesperson for 23andMe who said the company has not had “any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.”
“Rather,” the spokesperson said, “our ongoing investigation indicates threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.”