In a data breach notification letter filed with regulators this weekend, 23andMe disclosed that hackers began breaking into customer accounts in April 2023 and continued through most of September.
In other words, for about five months, 23andMe didn’t detect a series of cyberattacks where hackers tried — and often succeeded — to force access to customers’ accounts. according to a legally required filing sent to the California attorney general.
Months after hackers began targeting 23andMe customers, the company revealed that hackers had stolen the ancestry and genetic data of 6.9 million users, or about half of its customers.
According to the company, 23andMe was made aware of the breach in October when hackers advertised the stolen data in posts published on the unofficial 23andMe subreddit and separately on a notorious hacking forum. 23andMe also failed to notice that the hackers advertised the stolen data on another hacking forum months earlier in August, as TechCrunch reported.
Contact us
Do you have more information about this hack? We would love to hear from you. From a non-working device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or email at lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
As 23andMe later admitted, hackers were able to access the accounts of about 14,000 customers by brute forcing accounts that used passwords that had already been made public and were associated with email addresses from other breaches. By accessing these accounts, hackers stole data of 6.9 million customers through it DNA congeners feature, which allows customers to automatically share some of their data with others that 23andMe classifies as relatives. The stolen data included the person’s name, year of birth, relationship tags, percentage of DNA shared with relatives, parentage references and self-reported location.
23andMe representatives did not immediately respond to TechCrunch’s request for comment, which included questions about how the breach went undetected for so long.
After customers were notified that they were victims of the breach, several victims have filed class-action lawsuits against 23andMe in the US and Canada, even as the company has tried to make it harder for victims to join legal action by changing its terms of service. Data breach lawyers called the terms of service changes “cynical,” “self-serving” and a “desperate attempt” to protect 23andMe from its own customers.
In one of the lawsuits, 23andMe responded by accusing users of allegedly using reused passwords.
“Users carelessly recycled and failed to update their passwords after these previous security incidents, which were not related to 23andMe.” 23andMe claimed in a letter that the victims of the breach. “The incident was not the result of 23andMe’s alleged failure to maintain reasonable security measures.”
