U.S. biotechnology and genomics company 23andMe and online genealogy platforms MyHeritage and Ancestry have introduced two-factor authentication to secure customer accounts after a threat actor stole millions of data records from 23andMe’s network.
In October, a threat actor listed 23andMe as a victim on their data leak site and shared samples of data they allegedly stole from the company, including 1 million lines of information about Ashkenazi Jews. Ashkenazi Jews are those who believe they descended from Jews who lived in Central or Eastern Europe.
Acknowledging the threat actor’s claims, 23andMe said that the threat actor used previously compromised credentials to infiltrate its internal network.
“After learning of suspicious activity, we immediately began an investigation. While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials – that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” the company said.
Recently, online genealogy platforms Ancestry and MyHeritage said they are rolling out two-factor authentication for their customer signup and login processes to better secure customer information from unauthorised access or hacking attacks.
In a statement shared with TechCrunch, Ancestry’s senior director of communications Gina Spatafore said, “Ancestry is requiring all AncestryDNA customers who want to view their DNA matches to use multi-factor authentication to log into their account. This requirement will go into effect by the end of the year.”
MyHeritage also announced that two-factor authentication will “soon become a mandatory requirement for our DNA customers.”
“Protecting your personal information is our top priority at MyHeritage, and that’s why we strongly recommend enabling Two-Factor Authentication (2FA) for your MyHeritage account. If you notice an impact on some features due to these measures, please be understanding and be assured that this is done to maximize the security of your own data,” the company said.
23andMe also announced a similar move to secure customer accounts after a major data breach compromised millions of customer data records in October. “Since 2019, 23andMe customers have had the option to utilise authenticator app 2-factor authentication, which adds an extra layer of security to their account. Starting today, we are requiring all customers to use a second step of verification to sign into their account,” it said.
Commenting on the news, Darren Guccione, the CEO and co-founder of Keeper Security, said, “DNA testing and genealogy companies shifting to a mandatory 2FA requirement is a positive step in protecting consumers. In fact, people should be enabling 2FA on websites that make it available to help protect against phishing and brute force, among other cyber attacks. Using a password is not enough as cyber attacks become increasingly frequent and sophisticated. When you also consider the fact that most people don’t use strong, unique passwords for each of their accounts, the likelihood of compromise further increases.
“The additional layer of security offered by 2FA and MFA is critical, especially in the case of DNA based websites that host sensitive personal data. When 2FA is a cumbersome additional step, individuals are less likely to utilise it, which is why it’s valuable to simplify and streamline the process.
“Using a reputable password manager allows 2FA codes to be stored directly in the login record, and even auto-filled with the username and password. This increases adoption of 2FA and better strengthens security of online accounts,” he added.