23andMe under fire after failing to detect cyberattack for five months

Company has blamed customers for data breach

clock • 2 min read
23andMe under fire after failing to detect cyberattack for five months

Genetic testing company 23andMe is facing intensified scrutiny after revealing that it failed to detect malicious activity on its platform for a five-month period, allowing attackers to infiltrate user accounts.

23andMe, a US biotechnology and genomics firm, provides genetic testing services to customers, send them a comprehensive report on their ancestry and genetic predispositions.

In a series of data breach notifications submitted to California's attorney general, 23andMe said the attackers employed credential stuffing techniques between 29th April and 27th September 2023, compromising user accounts without detection.

The breach was only uncovered in October when hackers advertised the stolen data online, including on an unofficial subreddit dedicated to the company and a notorious hacking forum.

It was later found that the hackers had also advertised the stolen data on another hacking forum months earlier in August, underscoring the failure of 23andMe's security protocols.

While the exact scope of the breach remains unclear, 23andMe previously acknowledged that approximately 14,000 accounts were breached, affecting users who had enabled the DNA Relatives feature and ultimately exposing 6.9 million individuals' data.

DNA Relatives enables any account holder to search for potential genetic matches, regardless of how distant they may be. Users have the option to voluntarily share their information through DNA Relatives for others to access.

The recent breach notifications outlined the types of data that may have been compromised, which includes basic profile information such as last login date, relationship labels, predicted relationships, percentage of DNA shared, and account display names.

Users who opted to share additional information with DNA matches, including ancestry reports, matching DNA segments, location, family trees and personal bios, may also have had this data exposed.

While credential stuffing attacks can be challenging to detect, critics argue that 23andMe's delayed implementation of two-factor authentication (2FA), which it didn't roll out until November, after discovering the breach, indicates poor security protocols.

Customers affected by the breach have launched class action lawsuits against 23andMe in both the United States and Canada.

The company has defended its stance, attributing the breach to user negligence and maintaining that it upheld reasonable security measures under the California Privacy Rights Act.

In letters sent to lawyers representing breach victims, 23andMe reiterated its position, claiming that users were responsible for the breach due to their failure to update compromised login credentials.

In an attempt to mitigate legal repercussions, the company updated its Terms of Use on 30th November, introducing a new 60-day dispute resolution period. The changes make it more difficult for customers to join class action lawsuits by requiring disputes to be resolved through individual arbitration.

While 23andMe claims these changes were made to streamline the arbitration process and enhance customer understanding, they also serve to protect the company from accountability and limit the legal options available to affected individuals.

Legal experts have criticised these manoeuvres as "cynical" and "self-serving."

You may also like
Operation Cronos: NCA reveals details of LockBit affiliates

Threats and Risks

Operation has been crippled - for now

clock 22 February 2024 • 3 min read
Law enforcement takes down LockBit - updated

Security

NCA among the groups under 'Operation Cronos'

clock 20 February 2024 • 2 min read
Microsoft's chief security advisor joins Cybersecurity Festival 2024

Security

Sarah Armstrong-Smith will talk AI in security

clock 19 February 2024 • 1 min read

More on Hacking

Cambridge University hit by DDoS attack

Cambridge University hit by DDoS attack

Anonyous Sudan claims it also hit the University of Manchester

John Leonard
clock 20 February 2024 • 1 min read
Southern Water confirms customer data breach

Southern Water confirms customer data breach

Stems from Black Basta attack last month

clock 14 February 2024 • 2 min read
Cloudflare's estate breached by suspected state-sponsored threat actors

Cloudflare's estate breached by suspected state-sponsored threat actors

The attackers exploited unrotated access token and service account credentials obtained from an Okta breach in October

clock 05 February 2024 • 2 min read