When it comes to personal data, there are few things as sensitive as our DNA. Because DNA is the unique code that defines all of our physical attributes and more. So the hacking of online DNA testing service 23andMe is particularly concerning.

What is 23andMe?

23andMe provides a DNA profiling and matching service, allowing customers to mail a sample of saliva for testing. 23andMe then tests the sample to create a genetic profile and compare it against other samples in their database. 

Users are given a report that details their genetic heritage, an understanding of their ancestry and some indications of genetic predispositions.

What happened?

According to 23andMe, hackers were able to break into their system. The attackers used a technique called ‘credential stuffing’ to compromise thousands of user accounts and to download all of their sensitive data.

23andMe later confirmed that more than 100,000 accounts had been broken into. The stolen information includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location for each user account.

The hackers behind the attack later offered the stolen information for sale for as little as $1 each.

What is credential stuffing?

Hackers regularly buy and sell lists of stolen usernames and passwords. Criminals can then try to log into other websites using these credentials.

The technique is called ‘stuffing’ because the hackers create scripts to test thousands of credentials automatically, within a matter of hours. When they work, the credentials are recorded, allowing the hackers to come back later and steal whatever data they can.

Who is to blame for the 23andMe attack?

The reality is that credential stuffing attacks only work for one reason – people reusing the same passwords for multiple online accounts. If the compromised 23andMe accounts had been secured with a unique password, the credential stuffing attack would not have worked.

This incident underscores the importance of using unique passwords for every online account – otherwise your most sensitive, personal data may be stolen and sold. Obviously creating and memorizing strong, unique passwords can be difficult, so we recommend using a password manager to simplify the process.

What can we learn from the 23andMe attack?

Aside from the dangers of reusing passwords, there are a few other factors to consider from this event. First, when using or sharing the most sensitive of personal information, you must be sure the online service is secure. If 23andMe had used two-factor authentication to protect user accounts, it is unlikely that a credential stuffing would work.

Second, users must make a value judgement. Is the information produced by a service like 23andMe worth the risk of potential exposure? This is a very difficult decision – and one that can only be made by you.