RootsChat.Com

General => Ancestral Family Tree DNA Testing => Topic started by: TonyV on Sunday 08 October 23 21:38 BST (UK)

Title: 23andme
Post by: TonyV on Sunday 08 October 23 21:38 BST (UK)
Hi all. A question and a warning about 23andme.

I posted a DNA test to 23andme on 12 September but when I look at their site it tells me that it started on its way to them on 25 September and that it's still on the way. Above that it tells me that the whole process takes 2-4 weeks! It's already been "in the post" for over 4 weeks according to them. Has anyone got any current real world experience of timescales for their testing process? I live in England and I know that the lab is in the USA so am happy to allow for a little travel time, but over 4 weeks and counting seems excessive.

The warning comes from Roberta Estes blog and it suggests that 23andme has been hacked and that subscribers should change their passwords and possibly turn on two-factor authentication. The blog can be found here https://dna-explained.com/2023/10/07/23andme-user-accounts-exposed-change-your-password-now/?fbclid=IwAR1DvWIyU3iVHyD7lCgVxaWghHvEnMFlgYC2m7t48ht_OHmSN4IVLrkv4ag 
Title: Re: 23andme
Post by: Gadget on Sunday 08 October 23 23:16 BST (UK)
Thanks for highlighting this, Tony.
Title: Re: 23andme
Post by: Biggles50 on Wednesday 11 October 23 14:20 BST (UK)
I have no experience of 23&me so thanks for the post.

It is quite a while since we took our Ancestry DNA tests, so I cannot comment on their timescales.

A My Heritage DNA test took about eight weeks to get there and to be processed, I kept checking and it was over five weeks before their site registered receipt.

A recent myFTDNA yDNA test took three weeks to get there and another three weeks to process.
Title: Re: 23andme
Post by: antiquesam on Wednesday 11 October 23 14:24 BST (UK)
It's a few years since I took the Ancestry test but I think it took 8 to 10 weeks from posting to getting the results.
Title: Re: 23andme
Post by: Gadget on Wednesday 11 October 23 14:39 BST (UK)
I think those of us who have taken a 23&me test have now had e-mails asking us to change passwords and add two-factor authentication.

They have said that they are doing a thorough investigation and they will get in touch with those who they find to have had their security breached with further info.
Title: Re: 23andme
Post by: TonyV on Wednesday 11 October 23 17:05 BST (UK)
Thanks for all your replies. To be fair to them I misread their note that said it will take 2 to 4 weeks etc. to mean completion of the entire process, not thinking that it might take 4 weeks or more for the package to cross the Atlantic Ocean and then the USA. But on re-reading I can see that they were referring to exactly that part of the journey.

It has now been slightly over 4 weeks and it still hasn't arrived today. When I contacted them they replied quickly and asked whether I'd like a new kit to be sent, so I agreed. Then today they sent another email saying that my query had been referred upwards and again offering to send out a new kit, if my original one hadn't arrived within the next 7 days!  A bit of a left hand, right hand problem!

As Gadget commented, I have also received the warning email from them today about the potential security breach, but I had already changed my password and turned on 2-factor authentication.   
Title: Re: 23andme
Post by: ikas on Friday 20 October 23 10:06 BST (UK)
I received the standard email from 23andme a few days ago asking me to change my password and consider adding 2 step authentication after the data breach. I changed my password but adding 2 step authentication required me to download software. Really? Every other site I use that requires 2 step authentication does not require 3rd party software to be downloaded. Suggests that 23andme cannot be bothered setting up 2 step authentication within their own systems. Does not inspire confidence in me.

Incidentally, when I logged in today it forced me to change my password again, so obviously a waste of my time responding to their email. Now enforcing a minimum 12 characters, but they don't tell you that until you enter your new password.
Title: Re: 23andme
Post by: emeraldcity on Tuesday 24 October 23 12:57 BST (UK)
Unfortunately I received a follow up email from 23andme this morning saying I have been impacted by the data breach. Just the DNA Relatives side of things as far as I can tell (the information you make public there such as name, age, ancestral surnames), not my actual DNA information.

Some of you may find yourself affected by this because the latest breach was specifically users with British ancestry.
Title: Re: 23andme
Post by: weste on Wednesday 25 October 23 18:38 BST (UK)
I also have received this follow-up letter, as has a friend. I have also read an article by Roberta Estes about the breach. It's on Facebook in the genetic tips and techniques group.
Title: Re: 23andme
Post by: Gadget on Wednesday 25 October 23 22:47 BST (UK)
What would they do with such information?

Add - a Google search throws up lots of info:

https://tinyurl.com/mush7d6x
Title: Re: 23andme
Post by: emeraldcity on Thursday 26 October 23 00:18 BST (UK)
Quote from: Gadget
What would they do with such information?

Add - a Google search throws up lots of info:

https://tinyurl.com/mush7d6x

When it comes to the raw genetic data that's breached we're entering uncharted territory. It's disconcerting to say the least though. The initial breach was specifically marketed on hacker forums as being the genetic info of Jewish people so there's an implied threat there already. The most recent one involving British users promises that it features identifying information on celebrities and European royalty. The rise of sophisticated AI models that can process this vast amount of data is also quite scary.

The secondary kind of data breach involving just information on the relatives profile page is not quite as bad, although it could still potentially be used to identify people who otherwise wish not to be identified.

I'm not happy with 23andme's communication on this. In my case I had no issues with my account security and was affected purely because someone else was - this is a really bad design for a website that handles personal genetic data and should never have been allowed to happen.

I'm also not totally convinced that 23andme have a handle on the scale of this and how much DNA has actually been breached. It wouldn't surprise me if it turns out that hackers found an exploit to also access the genetic data of relatives connected to password compromised accounts.

This is a screenshot of a post by the hacker explaining his motives - it's a bit techy but worth reading: https://www.reddit.com/media?url=https%3A%2F%2Fi.redd.it%2Fphscpvhgbevb1.png
Title: Re: 23andme
Post by: ikas on Thursday 26 October 23 13:10 BST (UK)
Quote from: emeraldcity
This is a screenshot of a post by the hacker explaining his motives - it's a bit techy but worth reading: https://www.reddit.com/media?url=https%3A%2F%2Fi.redd.it%2Fphscpvhgbevb1.png

Any chance of a translation? How did the hacker get the data? Obviously what the hacker is claiming contradicts statement from 23andMe.
Title: Re: 23andme
Post by: phil57 on Thursday 26 October 23 14:21 BST (UK)
Quote from: ikas
Any chance of a translation? How did the hacker get the data? Obviously what the hacker is claiming contradicts statement from 23andMe.

I am by no means an expert on the technicalities of all of this, but my basic understanding is this:

The initial breach is claimed to have been made by data stuffing. This is where usernames and associated passwords stolen from another account with a different company (i.e. from a different data breach) have been speculatively tried against 23andMe logins.

Unfortunately it is quite common for some people to use the same username and password across many accounts with different organisations, and datasets of such stolen information can readily be purchased if you know where to look, e.g. on the dark web. So whilst not all the logins tried will have been successful, there were probably quite a few logins achieved, giving access to those users accounts.

The hacker then probably used packet sniffing, a form of capturing the underlying internet data traffic involved in sending and receiving requests such as obtaining the details of DNA matches related to the compromised accounts, and identified a sequence or sequences of data strings that could be sent in a particular way to access the information for any individual they wanted - as I read it from one of the posts on the subject, within an average of 50 attempts at sending particular data strings for each account they wished to access. It seems that the data required to be sent to access those accounts might have followed certain patterns that the hacker was able to identify and use to their advantage, and was not as random as 23andMe perhaps believed when the software was designed.

Of course, to do this manually would take hours for each individual attempt, and probably more than a lifetime to obtain data on millions of users, but once the initial data strings in the transmitted packets and the patterns in the sequences generated were discovered, an automated computer script could be created that would generate multiple such requests in a fraction of a second and capture the information desired very quickly.

I gather that 23andMe have only admitted to the data stuffing attack using stolen username and password credentials, but the rest as claimed by the alleged hacker elsewhere seems plausible in view of the fact that 23andMe have since disabled their DNA tools and now My Heritage have also done likewise, possibly as a precaution until they can investigate and verify the security of their own system, or perhaps because they now know that it is also vulnerable to a similar technique.

I may be wrong, so don't take the above as being factually correct, but it's just my interpretation from what I have seen in various posts on the subject elsewhere.
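phil57's explanation above describes two distinct stages, and both leave traces a site operator can look for. The first is what is usually called credential stuffing (one source trying many different accounts with passwords leaked elsewhere, most of which no longer work). The second is a small number of accounts that then pull far more DNA Relatives profiles than a person clicking through matches ever would. The example below is added here and is not 23andMe's code or a record of what they log; the log format, addresses and accounts are constructed so it runs offline. It applies both checks to the constructed sample and reports the accounts that were opened by the stuffing run and then used to scrape.

```python
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "ts ip user path status")

# Hypothetical log format: HH:MM:SS client_ip account path http_status
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) (\S+) (\S+) (\d{3})$")
PROFILE_RE = re.compile(r"^/relatives/profile/\d+$")

STUFFING_IP = "203.0.113.7"   # documentation-range addresses, constructed for the example
LEGIT_IP = "198.51.100.9"


def build_sample_log():
    """Constructed sample traffic: a stuffing run that lands two accounts, one genuine
    user, then bulk profile pulls from one of the accounts the run opened."""
    lines = []
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
    for i, u in enumerate(users):            # ten different accounts in ten seconds
        status = 200 if u in ("carol", "frank") else 401
        lines.append(f"10:00:{i:02d} {STUFFING_IP} {u}@example.org /login {status}")
    lines.append(f"10:00:30 {LEGIT_IP} mallory@example.org /login 401")   # one typo...
    lines.append(f"10:00:35 {LEGIT_IP} mallory@example.org /login 200")   # ...then in
    for i in range(8):                       # browses eight matches over four minutes
        lines.append(f"10:0{1 + i // 2}:{(i % 2) * 30:02d} {LEGIT_IP} "
                     f"mallory@example.org /relatives/profile/{2000 + i} 200")
    for i in range(200):                     # 'carol' pulls 200 profiles in 100 seconds
        sec = i // 2
        lines.append(f"10:{2 + sec // 60:02d}:{sec % 60:02d} {STUFFING_IP} "
                     f"carol@example.org /relatives/profile/{1000 + i} 200")
    return "\n".join(lines)


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                         # skip malformed lines rather than abort
        h, mi, s, ip, user, path, status = m.groups()
        events.append(Event(int(h) * 3600 + int(mi) * 60 + int(s), ip, user, path, int(status)))
    return events


def detect_credential_stuffing(events, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that try many *different* accounts with mostly failures.
    A real user retrying a forgotten password hits one account; a stuffing run hits
    hundreds, and most leaked passwords no longer work, so the success rate is low."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "successes": 0})
    for e in events:
        if e.path != "/login":
            continue
        rec = per_ip[e.ip]
        rec["accounts"].add(e.user)
        rec["attempts"] += 1
        if e.status == 200:
            rec["successes"] += 1
    flagged = {}
    for ip, rec in per_ip.items():
        if len(rec["accounts"]) >= min_accounts and rec["successes"] / rec["attempts"] <= max_success_rate:
            flagged[ip] = {"accounts": len(rec["accounts"]), "attempts": rec["attempts"],
                           "successes": rec["successes"]}
    return flagged


def detect_profile_scraping(events, window_seconds=300, max_profiles=50):
    """Flag accounts that fetch more relative profiles inside any `window_seconds` span
    than a person clicking through matches plausibly would. Returns {account: peak}."""
    times = defaultdict(list)
    for e in events:
        if e.status == 200 and PROFILE_RE.match(e.path):
            times[e.user].append(e.ts)
    flagged = {}
    for user, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):           # sliding window over sorted timestamps
            while ts[end] - ts[start] > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_profiles:
            flagged[user] = peak
    return flagged


def analyse(text):
    events = parse_log(text)
    stuffing = detect_credential_stuffing(events)
    scraping = detect_profile_scraping(events)
    # Accounts whose working password came from a stuffing IP and which then scraped.
    opened = {e.user for e in events if e.path == "/login" and e.status == 200 and e.ip in stuffing}
    return {"stuffing_ips": stuffing, "scraping_accounts": scraping,
            "compromised_scrapers": sorted(opened & set(scraping))}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(build_sample_log()), indent=2))
```

The thresholds are illustrative and would be tuned against the site's own baseline of logins per address and profile views per account; a stuffing run spread across many addresses needs the per-address check replaced by a global failure-rate one. The usual preventive companions are checking submitted passwords against known-breached lists at login and capping how many other members' profiles one account may read per hour, which turns a compromised account into a small leak rather than a bulk one.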
Title: Re: 23andme
Post by: ikas on Thursday 26 October 23 14:46 BST (UK)
Thanks Phil for your explanation. I assumed all data exchanges between user and 23andme website would be encrypted. If they were using packet sniffing I presume the data exchanges were not encrypted?
Title: Re: 23andme
Post by: phil57 on Thursday 26 October 23 16:34 BST (UK)
I don't know the answer to that. I'm not a customer. But even if that were the case (bearing in mind this may be a very simplistic explanation), suppose, as seems to be inferred, you have a possibly large number of usernames and passwords in plain text that you now know work on 23andMe. You know that to log in, you have to send those two pieces of information. By examining the data packets going back and forth, even if they are encrypted, you know that certain strings will be constant to every login attempt, whereas others will contain the encrypted username and password. If you know what the plain text content of any parts of those conversations should be, and/or you are able to identify certain parts as containing the username or password, then as you know the plain text phrases, and with multiple usernames and passwords you've likely got the whole alphabet and range of numeric characters covered, probably several times over. With enough cross-referencing of the communication data, it should be possible to crack the encryption. There may be other security features involved, such as random seeds or tokens normally specific to each user's computer. But as you are entering all the details for each account from a single computer, again it may be possible to identify that or work out the algorithms involved.
Title: Re: 23andme
Post by: Gadget on Thursday 26 October 23 20:50 BST (UK)
I think I'm going to ask for my account/data to be deleted - note that you have to ask them ::)
I've already got most of my info downloaded.

Also, I'll keep my eye on what is happening to My Heritage.

Will Ancestry be next??

Gadget
Title: Re: 23andme
Post by: phil57 on Friday 27 October 23 11:28 BST (UK)
More info and advice re the 23andMe issue on Roberta Estes home page here:

https://dna-explained.com/
Title: Re: 23andme
Post by: Gadget on Friday 27 October 23 12:08 BST (UK)
Thanks for the extra link, Phil.

I  was only interested in the health aspects and maternal haplogroup that they provided.

I have requested deletion as the site seems so vulnerable to a breach.
Gadget

PS - I'd already opted out of DNA Relatives and have always used a unique password.
Title: Re: 23andme
Post by: ikas on Friday 27 October 23 13:04 BST (UK)
Thanks Phil for the link to the Estes update. I have paused my account as she described. I was not aware of their financial problems so think I will download my DNA data as well.
Title: Re: 23andme
Post by: Nova67 on Saturday 28 October 23 01:00 BST (UK)
I am not with 23. I also decided to delete the accounts that I had with GEDMATCH. I cannot see that it is useful now without a subscription. I appreciate that they need operational costs. They have also had a previous data breach which has led to changes. I do not think that I will renew with My Heritage either, partly due to technical issues. I uploaded DNA to Living DNA but have never paid for subscription. FTDNA also might delete - that just leaves Ancestry, which I have found the most useful.

I have read this post with interest. Thank you.
Title: Re: 23andme
Post by: jc26red on Tuesday 31 October 23 13:25 GMT (UK)
I received the following update from an Ireland DNA group on Facebook, I’m not sure if it’s already been shared on RC yet. I should add, the person who shared the info from FTDNA is a DNA expert.

Quote
PLEASE NOTE:  The latest posting from familytreedna.com is that they are not accepting any uploads from 23&me for the foreseeable future. If your 23&me kit results are already with ftdna, they are perfectly safe and won't be affected.