Kimberly Schroder shows off her 23andMe results. (Gabriel Greschler)
Kimberly Schroder shows off her 23andMe results. (Photo/Gabriel Greschler)

Data on Ashkenazi Jews hacked from 23andMe

Sign up for Weekday J and get the latest on what's happening in the Jewish Bay Area.

The genetic testing company 23andMe has been a godsend for people wanting to discover their heritage, but the experience for hundreds of thousands of people with Ashkenazi Jewish lineage has taken a potential turn for the worse.

An anonymous hacker, or group of hackers, was claiming last week to be selling information from 999,999 customer accounts that was cobbled together and stolen from Sunnyvale-based 23andMe.

The listing on the dark web was titled “ashkenazi DNA Data of Celebrities” and the seller suggested the information included names, dates of birth, genders, photos, DNA ancestry and lists of living relatives. The profile information could be used to target users based on their ethnicity, the seller added.

On Oct. 6, a 23andMe spokesperson confirmed that data from genuine customer profiles was for sale on a hacker forum.

However, the spokesperson also told Bloomberg News that the company found no evidence of a breach of its security systems, saying that the hacker, or hackers, had logged into individual 23andMe customer accounts by using credentials hacked from other places on the internet.

The hackers “then exploited the fact that 23andMe can give users vast access to each others’ genetic information,” the spokesman said, as quoted by NBC News.

The hacker, using the name “Golem,” claimed the information for sale includes data of high-profile celebrities, “ranging from the world’s top business magnates to dynasties often whispered about in conspiracy theories.”

Contacted for this article, a spokesperson for 23andMe confirmed that an unspecified number of customers’ accounts were indeed compromised and remain at risk.

One of those customers is South Peninsula resident and retired psychologist Ellen Fox, who used 23andMe, which mails kits to customers for saliva-sample collection, in 2019.

“Perhaps they [the hackers] do it to create chaos and make people remember Nazism or Soviet times, when Jewish people really were in tremendous danger,” Fox said. “It’s akin to calling in a bomb threat to a synagogue.”

Fox, who was in an actual bomb scare at Congregation Beth Am in Los Altos Hills last month, said the cyber attack reminded her of tactics used to identify and round up Jewish families during the Holocaust.

“There’s potential for all kinds of sinister outcomes,” said Doug Sinton, a Palo Alto resident and former San Jose State professor whose son and several friends have used 23andMe for genetic testing and ancestry tracing. “It’s essentially how Hitler was able to target so many people. Who knows what someone with malintent would do if they were to get their hands on that data.”

According to the 2001 book “IBM and the Holocaust” by Edwin Black, there is documentation that the Third Reich relied on IBM’s pre-computer punch card and card sorting technology, which was used in Germany for census and various registration procedures, to help locate — and then murder — hundreds of thousands of Germany’s Jews.

Dmitriy Glazer of San Francisco, who used 23andMe not long after it launched as a startup in 2006, said that although he is “deeply concerned about cyber hacking in general” he’s “not particularly worried” about his DNA being used to hunt him down.

“The mezuzah on the front of my door is proof of my Jewish origins and beliefs,” he said.

He added that he takes comfort in Psalm 121 during these times of rising antisemitism. “I believe that ‘He who watches over Israel will neither slumber nor sleep,’” he said.

NBC News last week verified the data of two 23andMe users in the breach as authentic, and also viewed the cache of data for sale. “It includes their first and last name, sex and 23andMe’s evaluation of where their ancestors came from,” NBC News wrote. Despite the title of the database, the report added, “most of the people on it aren’t famous, and it appears to have been sorted to only include people with Ashkenazi heritage.”

“This attack at 23andMe was due to folks reusing the same password across multiple websites,” said Matt Johansen, a cybersecurity architect and curator of Vulnerable U, which presents aggregated cybersecurity news. His speculation corroborates what 23andMe told J. “There is not much you can do to put Pandora back in the box there,” he said.

To minimize damage, Johansen recommended that those who suspect their data was hacked to place credit locks on every major credit monitoring company, in order to block identity thieves from opening lines of credit in the stolen account holder’s name. He also suggested using two-factor identification systems, creating extra-long passwords and avoiding identical passwords.

But passwords and credentials are one thing. The rise in antisemitic fervor is something else — and a problem with less obvious solutions.

“I’m under no illusion about privacy protections,” said Fox, who said she changed her passwords after the hack. “It’s open season on any information that we have out there on the internet. But what’s more concerning is how hackers or pranksters of all kinds are using these tactics to terrorize the community.”

Valerie Demicheva
Valerie Demicheva

Valerie Demicheva is a journalist and photographer whose work has been published in the San Francisco Chronicle, Women's Wear Daily and Silicon Valley Magazine. She's covered culture, tech, media, restaurants and philanthropy in the Bay Area for over a decade.