Once upon a midnight dreary, a connected consumer grew nervous and weary. He mailed in his hair (and not for free!), to the family tree company, 23andMe. No specter took over, no ghouls attacked. But still, just as scary, that firm was bloody hacked!
That’s right. Earlier this month, a hacker stole data from the genetic testing company 23andMe and has since leaked millions of user records. Extremely personal data, including health, genetic, and family information, from customers in the UK and US was posted to the cybercrime forum BreachForums.
23andMe was made aware of the first of two hacks in early October and determined that the information was stolen using a technique called credential stuffing. This is not password guessing: the attacker takes username and password pairs that were already exposed in other companies’ data breaches and circulate in the dark corners of the internet, then replays them against the 23andMe login page, betting that customers reused the same password there. Every reused pair was a working login, and the perpetrator of this hack, known as Golem, simply collected the results.
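As an added illustration (not code from the original post or from 23andMe), the difference between credential stuffing and ordinary brute force is visible in an authentication log: a brute-force attack hammers one account with many passwords, while stuffing touches many accounts once or twice each, mostly failing, with a handful of successes scattered through the spray. The log lines, the field layout and the thresholds below are all constructed for this example, and the successful logins inside a flagged window are exactly the accounts a defender would force-reset.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log for this example, not data from the incident. Assumed
# line format: "<ISO-8601 UTC timestamp> <source IP> <username> <SUCCESS|FAIL>".
SAMPLE_LOG = """\
2023-10-01T02:00:00Z 198.51.100.5 carol@example.com SUCCESS
2023-10-01T02:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T02:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T02:00:03Z 203.0.113.7 dave@example.com SUCCESS
2023-10-01T02:00:04Z 203.0.113.7 erin@example.com FAIL
2023-10-01T02:00:05Z 203.0.113.7 frank@example.com FAIL
2023-10-01T02:00:06Z 203.0.113.7 grace@example.com FAIL
2023-10-01T02:00:07Z 203.0.113.7 heidi@example.com FAIL
2023-10-01T02:00:08Z 203.0.113.7 ivan@example.com SUCCESS
2023-10-01T02:00:09Z 203.0.113.7 judy@example.com FAIL
2023-10-01T02:00:10Z 203.0.113.7 mallory@example.com FAIL
2023-10-01T02:05:00Z 192.0.2.9 oscar@example.com FAIL
2023-10-01T02:05:01Z 192.0.2.9 oscar@example.com FAIL
2023-10-01T02:05:02Z 192.0.2.9 oscar@example.com FAIL
2023-10-01T02:05:03Z 192.0.2.9 oscar@example.com FAIL
2023-10-01T02:05:04Z 192.0.2.9 oscar@example.com FAIL
2023-10-01T02:05:05Z 192.0.2.9 oscar@example.com FAIL
2023-10-01T02:05:06Z 192.0.2.9 oscar@example.com FAIL
2023-10-01T02:05:07Z 192.0.2.9 oscar@example.com FAIL
2023-10-01T03:30:00Z 198.51.100.5 carol@example.com FAIL
2023-10-01T03:30:05Z 198.51.100.5 carol@example.com SUCCESS
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")

def parse_log(text):
    """Parse lines into (timestamp, ip, username, succeeded); malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"))
    return events

def _bucket(ts, window_minutes):
    """Floor a timestamp to a fixed window; window_minutes must divide 60."""
    return ts.replace(minute=(ts.minute // window_minutes) * window_minutes, second=0, microsecond=0)

@dataclass
class StuffingAlert:
    ip: str
    window_start: datetime
    distinct_users: int
    attempts: int
    fail_ratio: float
    successful_logins: list  # the accounts actually taken over: force a reset on these

@dataclass
class BruteForceAlert:
    ip: str
    username: str
    window_start: datetime
    attempts: int
    fail_ratio: float

def detect_credential_stuffing(events, window_minutes=10, min_distinct_users=8,
                               max_attempts_per_user=2.0, min_fail_ratio=0.6):
    """Flag (ip, window) pairs that try many distinct usernames, one or two times each."""
    # Stuffing replays leaked username:password pairs, so each account gets one or two
    # tries and most fail (password changed, or never reused here). The few SUCCESS
    # lines inside a flagged window are the accounts that were actually compromised.
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[(ip, _bucket(ts, window_minutes))].append((user, ok))
    alerts = []
    for (ip, start), tries in sorted(buckets.items()):
        users = {u for u, _ in tries}
        n = len(tries)
        fails = sum(1 for _, ok in tries if not ok)
        if (len(users) >= min_distinct_users and n / len(users) <= max_attempts_per_user
                and fails / n >= min_fail_ratio):
            alerts.append(StuffingAlert(ip, start, len(users), n, fails / n,
                                        sorted(u for u, ok in tries if ok)))
    return alerts

def detect_brute_force(events, window_minutes=10, min_attempts=8, min_fail_ratio=0.8):
    """Flag (ip, username, window) triples with many failed tries against a single account."""
    # For contrast: per-account lockout stops this pattern but is blind to stuffing,
    # where no single account ever crosses the attempt threshold.
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[(ip, user, _bucket(ts, window_minutes))].append(ok)
    alerts = []
    for (ip, user, start), results in sorted(buckets.items()):
        n, fails = len(results), results.count(False)
        if n >= min_attempts and fails / n >= min_fail_ratio:
            alerts.append(BruteForceAlert(ip, user, start, n, fails / n))
    return alerts
```

Running `detect_credential_stuffing(parse_log(SAMPLE_LOG))` flags 203.0.113.7 (ten usernames, one try each, 80% failures) and names dave and ivan as the accounts that were actually entered, while `detect_brute_force` flags only 192.0.2.9 hammering oscar; carol’s mistyped password is noise to both. Fixed buckets keep the logic short but can split a burst across two windows, so a production detector would use a sliding window, and a real campaign spreads across many source IPs, which is why the per-user ratio and failure ratio matter more than the per-IP volume.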
The damage was double bloody in this case because of an opt-in feature on the site called DNA Relatives, which shows each opted-in user the profile information that their genetic matches have chosen to share. It does not hand over the relatives’ accounts, but it does not need to: once the hacker was inside one account with a reused password, he could read the shared details of every relative match that account could see, reaching the data of potentially dozens more users whose own passwords were never compromised and who could do nothing to prevent it.
23andMe has proven a valuable resource for thousands of people, bringing families together and helping identify potential hereditary health concerns, but this hack has uncovered a potential monster in the closet. Experts recommend that if you use this site, or have family members who do, change your password immediately to one you use on no other site, opt in to multi-factor authentication, and check what your DNA Relatives settings share, since a relative’s reused password can expose your information as well.