
23andMe missed hack for months, exposing sensitive data

The company, which now faces a class-action lawsuit, blamed users not changing passwords for the hack.

23andMe is known for identifying your genetic background—not so much for detecting hacks.

According to a new breach notification filing to California’s attorney general’s office, hackers were accessing 23andMe customer data for months, from April to September 2023, before the company discovered the leak in October.

“Based on our investigation, we believe a threat actor orchestrated a credential stuffing attack during the period from May 2023 through September 2023 to gain access to one or more 23andMe accounts,” according to a letter 23andMe sent to affected users.

Family tree. The breach resulted in 14,000 user profiles being accessed by hackers. That, in turn, led to the compromise of 5.5 million relatives’ profiles and 1.4 million Family Tree feature profiles. The hack illustrates the danger of sharing such sensitive information, Iskander Sanchez-Rola, director of privacy innovation at cybersecurity-services provider Gen, told IT Brew in December.

“When you are giving this [genetic data], you are associating a lot of ancestry: maybe your uncle, maybe your grandfather, or maybe some other people who never agreed to give this information,” Sanchez-Rola said.

Since the attack, 23andMe has instituted more rigorous protections, including requiring two-step verification and pausing “certain functionality within the 23andMe platform,” according to a letter it sent customers after the hack.

Blame game. In November, 23andMe users filed a class action lawsuit against the company over the hack. The next month, 23andMe responded, blaming users for the breach in an attempt to avoid liability under the California Privacy Rights Act (CPRA). 23andMe claimed in the letter to consumers that the breach was the result of users who had “recycled their own login credentials.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the company wrote. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures under the CPRA.”

Jay Edelson, an attorney representing 23andMe customers in a class action lawsuit that accuses the company of failing to safeguard their privacy, said the leaked data could endanger victims. In an email to the New York Times, Edelson said safety comes first in breaches of this magnitude—“our first concern will be whether the information will be used to physically harass or harm people on a systematic, mass scale.”

“The standard for when a company acts reasonably to protect data is now a higher one, at least for the type of data that can be used in this manner,” Edelson wrote.

23andMe did not immediately respond to an email request for comment on the lawsuit.