Commercial DNA database 23andMe resets all passwords after data breach
The American DNA service 23andMe has reset the passwords of all users after hackers managed to retrieve data from certain users earlier this month. The company will approach users individually if they are affected, but much is still unclear.
23andMe writes in a blog post that it is forcing a password reset for all users. The company also recommends that users enable multi-factor authentication on their accounts, but the service is not yet making that mandatory.
The service acknowledged last week that a data breach had occurred, but much about it is still unclear. It was previously revealed that 'certain 23andMe customer information' had been stolen. This involved information that users themselves had previously linked to the DNA Relatives program. 23andMe is a service where users can submit DNA material and have it analyzed. One of the most used features of the service is DNA Relatives, which allows DNA to be matched with potential relatives.
23andMe is still vague about what exactly happened in the data breach. The company says the data was stolen from at least one of the accounts. Attackers are said to have gained access there through credential stuffing, using email addresses and passwords that matched those from previous data breaches. However, the company does not say how many accounts were ultimately compromised or what information was captured. 23andMe says it will contact users if it discovers their data has been stolen.
Earlier this month, samples of data from 23andMe users appeared on the hacker forum BreachForums. The data was offered for sale for one to ten dollars per profile. 23andMe confirmed last Friday that data had indeed been stolen, but at that point only made a few recommendations to users without taking any action itself. According to the company, this was not necessary, because the data breach was not caused by a security hole at the company itself.