Help with possible data breach

burjoes
Community Member

I got an email from 23andme yesterday at midnight saying that my email address had been changed to my ex-wife's secondary email. An hour later and it was changed back to mine. I logged in to find some damaging behavior had occurred. I'm working with the police and 23andme to get logs and see what exactly happened.

In reviewing the login in 1password, I find that I changed the password for the account about a year ago. I haven't had any physical contact with her, sharing devices with her, etc. in 2+ years. We have a son with a phone that goes back and forth, but he doesn't have 23andme as an app.

I am completely stumped as to how she could have gotten the password to this website. If she got my 1password account, I have much bigger problems. However, I logged in to my 1password account and the device list is correct, and I haven't received any suspicious emails saying that someone has logged in. Also, there are far worse things for her to go after than my 23andme account, although if you knew the family DNA situation, maybe you would disagree.

I am hoping that someone from 23andme can work with me to look at my account, specifically to see if her IP address has logged in (her house has had the same IP address for many years), and/or any suspicious behavior. I just turned on 2FA, so I feel even safer now.

Any help appreciated. I have been a victim of identity theft before, so I'm really paranoid and go to great lengths to ensure security. I would say it's even possible she knows or hired a black hat hacker to find an exploit with 23andme to get into my account.

To be clear, she appears to have logged into my account using my actual password. Once in, she changed my email to hers, then made an important change that required email confirmation, then changed the email back. When I confirmed the email change with 23andme, the exact same password worked.

Thanks!


1Password Version: 7.4.1
Extension Version: Not Provided
OS Version: Catalina
Sync Type: 1Password for Families

Comments

  • ag_ana
    1Password Alumni

    Hi @burjoes!

    > I am completely stumped as to how she could have gotten the password to this website.

    Were you using this same password for other websites perhaps? And is it a complex enough password, generated with the 1Password password generator?

    > I am hoping that someone from 23andme can work with me to look at my account, specifically to see if her IP address has logged in (her house has had the same IP address for many years), and/or any suspicious behavior. I just turned on 2FA, so I feel even safer now.

    I hope that someone from 23andme can help you with this as well, they will be in the best situation to give you information about what happened.

    > To be clear, she appears to have logged into my account using my actual password. Once in, she changed my email to hers, then made an important change that required email confirmation, then changed the email back. When I confirmed the email change with 23andme, the exact same password worked.

    When it comes to 1Password, I recommend changing the password for your 23andme account, if you haven't already. And make sure you use a strong one.

  • gordcook
    Community Member

    @burjoes

    Firstly, I think it’s highly unlikely that anyone from 23andme will find your post on the 1Password forums. If you want support from them, the most efficient way would be to reach out to them directly.
    The second thing is that you didn’t mention whether you have a long, randomly generated password; it’s possible that the bad actor simply brute forced it.
    Thirdly, you didn’t mention whether you used the same password anywhere else; it’s possible that the bad actor found your password in a data breach from a completely different web site.
    The last, and IMHO most likely scenario, is that the bad actor socially engineered one of the support staff from 23andme into changing the email address and/or the password on your account by convincing them that they were you, or that they were authorized to make changes to your account.
    This is all the more reason to reach out to their support channels. If that happened, there should be an investigation on their side and action taken to avoid it happening to you or someone else in the future.
    Also, kudos for adding a second authentication factor. That’s the best way to protect yourself from this happening to you again.

  • ag_ana
    1Password Alumni

    Thank you for also weighing in on this 👍

  • burjoes
    Community Member

    Thanks for the replies. To clarify:

    • the password was long and complex, generated by 1password.
    • the password was not used anywhere else
    • I meant "I hope someone from 1password can look at my 1password account to ensure nobody has logged in etc" (I didn't mean 23andme, as I already have a case open with them and am waiting to hear from them). I turned on 2FA with 1password, not 23andme. I did change the password on 23andme to yet another random number/letter/symbol

    Great point about them possibly using social engineering to have someone at 23andme change it. I will look into that.

    Here is one area where I'm still confused. When I looked at my phone in the middle of the night that night, 1password said my 23andme account had been "created in 2015, modified jan 2, 2019". Looking at password history, I see that back in 2015, I was using the "usual" password that she would have known. Then on jan 2, 2019, I realized I hadn't changed that one, and so I did. That all makes sense. BUT - now when I go to 1password, it says that the previously used password (the "new one") was from dec 1, 2019 rather than jan 2, 2019. I believe this is a quirk with 1password, but would like to confirm. When I changed the email address back to mine, it seems to have saved the password as being "new" even though it was the same one. Unfortunately this gives the impression that I just changed the password that same day (after the hack). But that's not true, and I have the screenshots. https://www.dropbox.com/s/1gv26mtf2ltbykv/Screenshot 2019-12-03 12.55.58.png?dl=0 is the screenshot I took that night. And https://www.dropbox.com/s/kh6u1l7d0aofr0x/2.png?dl=0 is the screenshot from 1password right now.

    Please let me know if 1password support is able to look at my 1password account and check for any security issues.

  • AGAlumB
    1Password Alumni

    @burjoes: I'd encourage you to email us at support@1password.com from your 1Password account's registered email address. The security team can look into it, and help you make sure that there is no one else accessing your account. They would need to have gotten your 1Password account credentials from you to do that, as we never have them. But even if that happened we can walk you through changing your credentials and deauthorizing devices.

This discussion has been closed.