23andMe, the genetic testing company used by many genealogists, recently admitted that millions of user accounts had been hacked. Why does the 23andMe hack matter, and what should we do as 23andMe customers? Read on …
23andMe gets a “D” for how it handled the breach. Rather than admitting that hackers had run an undetected campaign to scrape millions of customer records, the Silicon Valley company blamed its customers for reusing passwords. The only thing the company did right: promising to notify affected account holders.
Alarmingly, 23andMe is not the first online genealogy service to get hacked:
- In 2017, MyHeritage had 92 million accounts hacked. In 2020, users were targeted in a separate phishing scheme.
- GEDmatch admitted “all user permissions were reset” in a 2020 attack.
- Ancestry and Ancestry-affiliated companies have had multiple security breaches over the past 10 years. Ancestry has also destroyed people's archives when it decided they were no longer profitable or important enough to keep.
- Last year, FamilySearch belatedly admitted a breach had exposed “users’ full names, genders, email addresses, birth dates, mailing addresses, phone numbers.”
These are incidents that have been made public as required by law. There are surely thousands of other smaller incidents that are not reported, as well as major breaches that the companies themselves don’t even know about yet.
7 data security tips in the short term
The pattern is clear. In our opinion, not one of these companies can be trusted to keep private, personal, or confidential data out of the hands of hackers. A mixture of hubris, flawed technology, and weak regulation means similar incidents will continue for years to come.
On the other hand, these services are incredibly useful. FamilySearch and Ancestry make it easy to access vital records, census returns, and other genealogy data.
We believe there is a middle ground that lets genealogists protect private information while leveraging these services for family history. Here are our recommendations:
- Employ unique passwords for each site you use.
- Use a current email address, so you can more easily reset passwords and get notifications of breaches.
- If you are technically savvy, enable two-factor authentication (2FA) wherever a site offers it (23andMe has this option).
- If possible, do not use debit cards for genealogy subscriptions as protections are limited if the card number is stolen.
- Reconsider sharing settings. What is your tolerance for sharing DNA, or personal information?
- Don’t enter the full names, real birthdates, or actual birthplaces of living relatives or yourself. This data can be used for targeted attacks.
- Don’t upload sensitive family data you don’t want shared, stolen, or misused.
On this last point, while I use some of these online sites for research, I have NEVER uploaded a complete family tree GEDCOM from my PC genealogy software. I don’t trust any online genealogy service, even FamilySearch, to be responsible shepherds of sensitive family data and important records.
A long-term approach for genealogy data after the 23andMe hack
Long term, genealogists need to take control of their research. Most for-profit tech companies won’t exist in 25 years, which means uploaded family tree data will be lost, corrupted, or sold off to the highest bidder.
This means keeping hard copies of key family records, storing computer files on hardware you control with secure backups, and sharing paper genealogy charts (or genealogy PDF printouts) with as many relatives as possible.