Earlier this fall, DNA testing company 23andMe reported a data breach affecting 14,000 accounts, but it now turns out that the attackers also had access to profile and family-tree data for about 6.9 million accounts. It is the family-tree information that makes this breach dangerous not only for 23andMe customers but also for anyone who appears in a customer's family tree. That's because it may expose one vital piece of personal information: your mother's maiden name, which is the answer to one of the most common account-recovery security questions. Combined with an email address and a password leaked in an earlier breach, that answer can be enough to get into your other accounts.
23andMe’s “DNA Relatives” feature lets users automatically share family tree information, potentially including your name, date of birth, and location, as well as family member names, dates of birth, and locations. That means that you could appear on a family tree even if you don't have an account, and hackers could have collected a great deal of your personal information.
How to protect yourself after the 23andMe data breach
By now, you can assume that your mother's maiden name (and the answer to any other security question about your family) is no longer secret: hackers are already auctioning off data from 23andMe family trees. Check the security questions on your accounts and change any whose answer could be found in public records or on social media. Better still, whatever questions are offered, answer them with random strings that have nothing to do with the question, treat those answers as extra passwords, and store them in your password manager.
How to protect yourself from future breaches
Hackers got into 23andMe accounts (rather than into the company's database directly) through a technique called "credential stuffing": they took email and password pairs leaked in earlier breaches of other sites and tried them against the 23andMe login page. Because many of us reuse passwords between sites, something we shouldn't do precisely because of attacks like this, enough of those pairs worked to compromise roughly 14,000 accounts, and the DNA Relatives feature then exposed the family-tree data of millions more.
Credential stuffing is exactly why every account needs its own unique password: then one leaked password compromises one account, not all of them. If any of your services still share a password, change each of them to a long, unique one and let a password manager remember them.
If an account supports it, enable two-factor authentication. Credential stuffing works with nothing but a leaked password, so a second factor the attacker does not hold stops it even if that password leaks again. Do this even after you have changed your passwords.
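To make the mechanism concrete, here is an added example (written for this article, not 23andMe's code, and not a model of their systems) that replays a constructed "breach dump" against a toy login service. Every email address, password, TOTP secret and the dump itself are made up. The account that reuses its leaked password with no second factor is taken over; the account with a unique password and the account protected by a TOTP second factor are not, even though one of them reuses the same leaked password.

```python
"""Credential-stuffing walkthrough: why a reused password falls and why a
unique password or a second factor holds.

Added example for this article; not 23andMe's code. Every name, e-mail
address, password, TOTP secret and "breach dump" below is constructed.
"""
import hashlib
import hmac
import os
import secrets
import struct
import time

PBKDF2_ROUNDS = 100_000          # assumption: a modest cost for a demo
TOTP_STEP_SECONDS = 30           # RFC 6238 default time step

# ---- the site being attacked: salted password hashing -------------------

def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

# ---- an RFC 6238 TOTP second factor ---------------------------------------

def totp(secret, timestep, digits=6):
    """TOTP code for a given time step (HOTP with the step as the counter)."""
    mac = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# ---- a minimal account store and login check ------------------------------

USERS = {}   # email -> {"salt", "digest", "totp_secret"}

def register(email, password, totp_secret=None):
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "digest": digest, "totp_secret": totp_secret}

def login(email, password, otp=None, now=None):
    """True only if the password verifies and, where enrolled, the OTP matches."""
    rec = USERS.get(email)
    if rec is None or not verify_password(password, rec["salt"], rec["digest"]):
        return False
    if rec["totp_secret"] is not None:
        step = int((time.time() if now is None else now) // TOTP_STEP_SECONDS)
        expected = totp(rec["totp_secret"], step)
        if otp is None or not hmac.compare_digest(otp, expected):
            return False
    return True

# ---- constructed "breach dump" from some other, unrelated site -------------

LEAKED = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "P@ssw0rd!"),
    ("dave@example.com", "letmein123"),
]
BOB_TOTP_SECRET = b"constructed-demo-secret-bob"   # assumption: bob's enrolled secret

def seed_users():
    """Three of the four leaked e-mails have accounts here, in different states."""
    USERS.clear()
    register("alice@example.com", "hunter2")                   # reused password, no 2FA
    register("bob@example.com", "correct horse battery staple",
             totp_secret=BOB_TOTP_SECRET)                       # reused password, 2FA enrolled
    register("carol@example.com", secrets.token_urlsafe(24))    # unique password from a manager
    # dave@example.com has no account on this site at all

def credential_stuff(dump):
    """The attacker's loop: replay each leaked pair. They hold no OTP secrets."""
    return sorted(email for email, pw in dump if login(email, pw))

if __name__ == "__main__":
    seed_users()
    print("accounts taken over by stuffing:", credential_stuff(LEAKED))
    step = int(time.time() // TOTP_STEP_SECONDS)
    print("bob with his own OTP:", login("bob@example.com",
          "correct horse battery staple", otp=totp(BOB_TOTP_SECRET, step)))
```

Only alice's account falls: bob's leaked password is correct, but the login rejects it without the current code, and carol's leaked password simply does not match the unique one she uses here. A real attacker also spreads attempts across many source addresses and accounts, which is why per-account lockout alone does not stop stuffing and why the second factor matters.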
Data breaches have become commonplace, so assume that any password you have used on more than one site is already in an attacker's hands and could be tried against your other accounts.
[Image credit: Hacker concept via BigStockPhoto]