23andMe under fire after failing to detect cyberattack for five months

Company has blamed customers for data breach

clock • 2 min read
23andMe under fire after failing to detect cyberattack for five months

Genetic testing company 23andMe is facing intensified scrutiny after revealing that it failed to detect malicious activity on its platform for a five-month period, allowing attackers to infiltrate user accounts.

23andMe, a US biotechnology and genomics firm, provides genetic testing services to customers, send them a comprehensive report on their ancestry and genetic predispositions.

In a series of data breach notifications submitted to California's attorney general, 23andMe said the attackers employed credential stuffing techniques between 29th April and 27th September 2023, compromising user accounts without detection.

The breach was only uncovered in October when hackers advertised the stolen data online, including on an unofficial subreddit dedicated to the company and a notorious hacking forum.

It was later found that the hackers had also advertised the stolen data on another hacking forum months earlier in August, underscoring the failure of 23andMe's security protocols.

While the exact scope of the breach remains unclear, 23andMe previously acknowledged that approximately 14,000 accounts were breached, affecting users who had enabled the DNA Relatives feature and ultimately exposing 6.9 million individuals' data.

DNA Relatives enables any account holder to search for potential genetic matches, regardless of how distant they may be. Users have the option to voluntarily share their information through DNA Relatives for others to access.

The recent breach notifications outlined the types of data that may have been compromised, which includes basic profile information such as last login date, relationship labels, predicted relationships, percentage of DNA shared, and account display names.

Users who opted to share additional information with DNA matches, including ancestry reports, matching DNA segments, location, family trees and personal bios, may also have had this data exposed.

While credential stuffing attacks can be challenging to detect, critics argue that 23andMe's delayed implementation of two-factor authentication (2FA), which it didn't roll out until November, after discovering the breach, indicates poor security protocols.

Customers affected by the breach have launched class action lawsuits against 23andMe in both the United States and Canada.

The company has defended its stance, attributing the breach to user negligence and maintaining that it upheld reasonable security measures under the California Privacy Rights Act.

In letters sent to lawyers representing breach victims, 23andMe reiterated its position, claiming that users were responsible for the breach due to their failure to update compromised login credentials.

In an attempt to mitigate legal repercussions, the company updated its Terms of Use on 30th November, introducing a new 60-day dispute resolution period. The changes make it more difficult for customers to join class action lawsuits by requiring disputes to be resolved through individual arbitration.

While 23andMe claims these changes were made to streamline the arbitration process and enhance customer understanding, they also serve to protect the company from accountability and limit the legal options available to affected individuals.

Legal experts have criticised these manoeuvres as "cynical" and "self-serving."

You may also like
UK gym chain Total Fitness leaks personal images online

Hacking

Other leaked data includes ID documents, payment information and phone numbers

clock 18 June 2024 • 2 min read
Cyber gang shifts focus to SaaS apps

Security

‘Scattered Spider’ is targeting vSphere, Salesforce, Crowdstrike and more

clock 18 June 2024 • 2 min read
Dutch NCSC warns of ongoing Chinese FortiGate attacks

Hacking

About 14,000 firewalls breached before Fortinet knew about the flaw

clock 14 June 2024 • 3 min read

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

More on Hacking

UK gym chain Total Fitness leaks personal images online

UK gym chain Total Fitness leaks personal images online

Other leaked data includes ID documents, payment information and phone numbers

Vikki Davies
clock 18 June 2024 • 2 min read
Dutch NCSC warns of ongoing Chinese FortiGate attacks

Dutch NCSC warns of ongoing Chinese FortiGate attacks

About 14,000 firewalls breached before Fortinet knew about the flaw

clock 14 June 2024 • 3 min read
Pure Storage says attackers broke into a Snowflake environment

Pure Storage says attackers broke into a Snowflake environment

But no sensitive data was compromised

clock 13 June 2024 • 2 min read