Genetic testing company 23andMe is facing intensified scrutiny after revealing that it failed to detect malicious activity on its platform for a five-month period, allowing attackers to infiltrate user accounts.
23andMe, a US biotechnology and genomics firm, provides genetic testing services to customers, send them a comprehensive report on their ancestry and genetic predispositions.
In a series of data breach notifications submitted to California's attorney general, 23andMe said the attackers employed credential stuffing techniques between 29th April and 27th September 2023, compromising user accounts without detection.
The breach was only uncovered in October when hackers advertised the stolen data online, including on an unofficial subreddit dedicated to the company and a notorious hacking forum.
It was later found that the hackers had also advertised the stolen data on another hacking forum months earlier in August, underscoring the failure of 23andMe's security protocols.
While the exact scope of the breach remains unclear, 23andMe previously acknowledged that approximately 14,000 accounts were breached, affecting users who had enabled the DNA Relatives feature and ultimately exposing 6.9 million individuals' data.
DNA Relatives enables any account holder to search for potential genetic matches, regardless of how distant they may be. Users have the option to voluntarily share their information through DNA Relatives for others to access.
The recent breach notifications outlined the types of data that may have been compromised, which includes basic profile information such as last login date, relationship labels, predicted relationships, percentage of DNA shared, and account display names.
Users who opted to share additional information with DNA matches, including ancestry reports, matching DNA segments, location, family trees and personal bios, may also have had this data exposed.
While credential stuffing attacks can be challenging to detect, critics argue that 23andMe's delayed implementation of two-factor authentication (2FA), which it didn't roll out until November, after discovering the breach, indicates poor security protocols.
Customers affected by the breach have launched class action lawsuits against 23andMe in both the United States and Canada.
The company has defended its stance, attributing the breach to user negligence and maintaining that it upheld reasonable security measures under the California Privacy Rights Act.
In letters sent to lawyers representing breach victims, 23andMe reiterated its position, claiming that users were responsible for the breach due to their failure to update compromised login credentials.
In an attempt to mitigate legal repercussions, the company updated its Terms of Use on 30th November, introducing a new 60-day dispute resolution period. The changes make it more difficult for customers to join class action lawsuits by requiring disputes to be resolved through individual arbitration.
While 23andMe claims these changes were made to streamline the arbitration process and enhance customer understanding, they also serve to protect the company from accountability and limit the legal options available to affected individuals.
Legal experts have criticised these manoeuvres as "cynical" and "self-serving."
