In a data breach notification letter filed with regulators this weekend, 23andMe revealed that hackers started breaking into customers’ accounts in April 2023 and continued through most of September.
In other words, for around five months, 23andMe did not detect a series of cyberattacks where hackers were trying — and often succeeding — in brute-forcing access to customers’ accounts, according to a legally required filing 23andMe sent to California’s attorney general.
Months after the hackers started targeting 23andMe customers, the company revealed that hackers had stolen the ancestry and genetic data of 6.9 million users, or about half of its customers.
According to the company, 23andMe became aware of the breach in October when hackers advertised the stolen data in posts published on the unofficial 23andMe subreddit and separately on a notorious hacking forum. 23andMe also did not notice that the hackers advertised the stolen data on another hacking forum months earlier in August, as TechCrunch reported.
Contact Us
Do you have more information about this hack? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email [email protected]. You also can contact TechCrunch via SecureDrop.
As 23andMe later admitted, hackers were able to access the accounts of around 14,000 customers by brute-forcing into accounts that were using passwords already made public and associated with email addresses from other breaches. With access to those accounts, the hackers stole data on 6.9 million customers by way of the DNA Relatives feature, which lets customers automatically share some of their data with others that 23andMe classifies as relatives. The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports and self-reported location.
23andMe spokespeople did not immediately respond to TechCrunch’s request for comment, which included questions about how the breach went undetected for so long.
After customers were notified that they were victims of the breach, several victims have filed class action lawsuits against 23andMe in the U.S. and Canada, even though the company tried to make it harder for victims to band together in legal actions by changing its terms of service. Data breach lawyers called the terms of service changes “cynical,” “self-serving,” and “a desperate attempt” to protect 23andMe against its own customers.
In one of the lawsuits, 23andMe responded by blaming users for allegedly using reused passwords.
“Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” 23andMe claimed in a letter to breach victims. “The incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”