23andMe Data Breach: Millions Of Users’ Data Compromised

In a recent data breach notification, 23andMe disclosed that hackers had unauthorized access to customer accounts for several months, compromising the personal data of millions of users. The company admitted that it failed to detect the cyberattacks for an extended period, leaving sensitive information vulnerable to theft.

Hackers Exploited Weaknesses for Months

According to the notification filed with regulators, the cyberattacks began in April 2023 and persisted until September of the same year. During this time, hackers successfully breached the accounts of approximately 14,000 customers by exploiting weak passwords that had been previously exposed in other breaches. This allowed them to access the genetic and ancestry data of 6.9 million users, accounting for half of 23andMe’s customer base.

Delayed Detection and Customer Impact

It was not until October that 23andMe became aware of the breach, following the hackers’ public advertisement of the stolen data on various online platforms. The compromised information included users’ names, birth years, relationship labels, DNA shared with relatives, ancestry reports, and self-reported locations. The delayed detection of the breach has raised concerns about the company’s security measures and its ability to safeguard sensitive data.

Legal Ramifications and Company Response

Following the data breach, affected customers have initiated class action lawsuits against 23andMe in the U.S. and Canada. Despite attempts by the company to impede collective legal action through changes to its terms of service, legal experts have criticized these measures as self-serving and aimed at protecting 23andMe’s interests. In response to the lawsuits, 23andMe has attributed the breach to users’ alleged negligence in reusing passwords from previous security incidents, a claim that has been met with skepticism.