23andMe data theft prompts DNA testing companies to switch on 2FA by default
DNA testing and genealogy companies are stepping up user account security by mandating the use of two-factor authentication, following the theft of millions of user records from DNA genetic testing giant 23andMe.
Ancestry, MyHeritage, and 23andMe have begun notifying customers that their accounts will use two-factor (2FA) by default, a security feature where users are asked to enter an additional verification code sent to a device they own to confirm that the person logging in is the true account holder.
Ancestry emailed customers saying the company will “require two-step verification” for customers signing in by sending a code to their phone or email address.
“Ancestry is requiring all AncestryDNA customers who want to view their DNA matches to use multi-factor authentication to log into their account. This requirement will go into effect by the end of the year,” said Ancestry spokesperson Gina Spatafore in an email to TechCrunch.
MyHeritage said in a blog post last week that two-factor authentication will “soon become a mandatory requirement for our DNA customers,” citing the recent data theft at 23andMe. For its part, 23andMe said this week that it was also “requiring all customers use a second step of verification” to sign into their account.
Ancestry, MyHeritage and 23andMe account for more than 100 million users.
The move to require 2FA by default comes after 23andMe said in October it was investigating after a hacker claimed the theft of millions of 23andMe account records, including one million users of Jewish Ashkenazi descent and 100,000 Chinese users.
23andMe said in a blog post at the time that it believed hackers accessed 23andMe user accounts by using stolen user passwords — where hackers try lists of usernames and corresponding passwords that were already made public from other data breaches. The hackers compiled profile and genetic data from 23andMe users who had opted into its DNA Relatives feature, which lets users who switch on the feature automatically share their data with others, according to 23andMe.
TechCrunch found that some of the stolen data was advertised as early as August, and that some of the stolen data matches known and public 23andMe user and genetic information.
Genetics and genealogy companies have previously been targets of cyberattacks and data theft, given the wealth of sensitive personal and genetic data they hold. In 2020, DNA analysis site GEDmatch said it experienced two data breaches that exposed users’ data, In 2019, DNA testing firm Veritas Genetics was hit by a data breach that compromised customer information.
Updated with comment from Ancestry.